Posted by on May 19, 2014

If you manage Active Directory in a large organization, chances are good there are a number of cooks in the kitchen. Every now and then it’s good to review who has access to do what. I’m sure there are any number of great tools out there to give you this kind of information (feel free to link them in the comments), here’s a cmdlet to give you a quick look at very specific permission sets in AD. (Requires Dell’s Quest ActiveRoles PowerShell snapin, which is free.)

This example checks to see who has the ability to create and delete child user objects in an OU called “employees”:

[PS] C:\Windows\system32>Get-QADPermission “” -Rights ‘CreateChild,DeleteChild’ -ChildType ‘user’

This will give you an output of something like this:

Ctrl Account Rights Source AppliesTo
—- ——- —— —— ———
DOMAIN\GroupName Create/Delete user Not inherited This object and…
DOMAIN\GroupName2 Create/Delete user Not inherited This object and…
DOMAIN\User.Name Create/Delete user Not inherited This object and…

WARNING: Only explicit permissions were displayed. To display inherited and AD default permissions use -Inherited and -SchemaDefault switches respectively.


Be the first to comment.

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>