Using Get-ACL to filter AD objects without certain group ACLs

At work we discovered a few accounts yesterday that didn’t have a certain group in their ACL. So I was curious about how to use PowerShell to find other accounts which are similarly missing this group.

To get the ACL of an Active Directory object you must import the ActiveDirectory module and then use the Get-ACL cmdlet. Importing the ActiveDirectory module creates the AD: PSDrive, which is what Get-ACL uses to access the AD objects.

For example:

The output of this cmdlet is the path to the object, the owner of the object, and the list of access rules (the individual ACL entries). To view these entries you must enumerate them:

This gives the list of ACL entries. Here you can filter for the entry you are interested in. Sometimes (like in my case) the group name isn’t shown but the SID is, so keep that in mind.

So the simplest test to check whether an ACL entry is present or not is to see if the output of the above is $null:

Putting this together with the Get-ADUser cmdlet and some formatting, one can produce a list of AD users along with whether this group is present in their ACL or not:

One can also just produce a list of user objects which don’t have this ACL:
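The whole procedure described above, end to end, as an added example that is not the original post's code. The group name and search base are placeholders, and the check matches an entry either by its resolved DOMAIN\Name or by its raw SID, to cover the unresolved-SID case mentioned earlier.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory
# RSAT module is installed and the caller can read the directory.
# The group name and search base are placeholders; substitute your own.
Import-Module ActiveDirectory   # creates the AD: PSDrive that Get-Acl reads from

$GroupName  = 'CONTOSO\Helpdesk-Tier1'          # placeholder group (DOMAIN\Name)
$SearchBase = 'OU=Users,DC=contoso,DC=com'      # placeholder OU to scan

# Resolve the group's SID once, so entries that show only a SID still match.
$GroupSid = (Get-ADGroup -Identity ($GroupName -split '\\')[-1]).SID.Value

function Test-AceForIdentity {
    # Returns $true when any access rule on the object's DACL belongs to the
    # group, matching the DOMAIN\Name form or the SID string; $false otherwise.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sid
    )
    $acl   = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Name -or
        $_.IdentityReference.Value -eq $Sid
    }
    return ($null -ne $match)   # the $null test from the post, as a boolean
}

# One row per user with a flag saying whether the group's entry is present.
$report = Get-ADUser -Filter * -SearchBase $SearchBase |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            HasGroupAce       = Test-AceForIdentity -DistinguishedName $_.DistinguishedName `
                                                    -Name $GroupName -Sid $GroupSid
        }
    }

$report | Format-Table SamAccountName, HasGroupAce -AutoSize

# Only the users whose ACL lacks the group entirely: the list to review.
$report | Where-Object { -not $_.HasGroupAce } |
    Select-Object SamAccountName, DistinguishedName
```

Running this against a large OU issues one Get-Acl call per user, so narrow $SearchBase or add a -Filter to Get-ADUser when scanning a big domain.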