If you manage Active Directory in a large organization, chances are good there are a number of cooks in the kitchen. Every now and then it’s good to review who has access to do what. I’m sure there are any number of great tools out there to give you this kind of information (feel free to link them in the comments); here’s a cmdlet to give you a quick look at very specific permission sets in AD. (It requires Dell’s Quest ActiveRoles PowerShell snapin, which is free.)
This example checks to see who has the ability to create and delete child user objects in an OU called “employees”:
[PS] C:\Windows\system32>Get-QADPermission "domain.com/employees" -Rights 'CreateChild,DeleteChild' -ChildType 'user'
This will give you an output of something like this:
WARNING: Only explicit permissions were displayed. To display inherited and AD default permissions use -Inherited and -SchemaDefault switches respectively.
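For readers who do not have the Quest snapin installed, the same review can be done with the built-in ActiveDirectory module (RSAT) and the AD: PSDrive. The following is an added example, not code from the original post or from Quest; it assumes the post's domain and OU ("domain.com/employees", i.e. OU=employees,DC=domain,DC=com) and that the ActiveDirectory module is available. It also addresses the warning above: inherited ACEs are hidden by default and shown only with the -IncludeInherited switch, so a review that stops at explicit permissions can miss rights granted higher up the tree.

```powershell
# Added example (not from the original post): list who can create or delete
# user objects in an OU, using Get-Acl on the AD: drive instead of Get-QADPermission.
# Assumes the RSAT ActiveDirectory module is installed; the OU DN below is the
# post's hypothetical "domain.com/employees".
Import-Module ActiveDirectory

function Get-ChildObjectRights {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        # schemaIDGUID of the "user" class; an ACE whose ObjectType is Guid.Empty
        # applies to every child class, so it is matched as well
        [guid]$ChildClassGuid = 'bf967aba-0de6-11d0-a285-00aa003049e2',
        [switch]$IncludeInherited
    )

    # Bitmask for the two rights we care about (CreateChild = 1, DeleteChild = 2)
    $mask = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    foreach ($ace in $acl.Access) {
        # Skip ACEs that grant neither CreateChild nor DeleteChild
        $hit = [int]$ace.ActiveDirectoryRights -band $mask
        if ($hit -eq 0) { continue }

        # ObjectType restricts the right to one child class; Guid.Empty = any class
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ChildClassGuid) { continue }

        # Mirror the cmdlet's default: explicit ACEs only unless asked for inherited ones
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType          # Allow or Deny
            Rights    = [System.DirectoryServices.ActiveDirectoryRights]$hit
            AppliesTo = if ($ace.ObjectType -eq [guid]::Empty) { 'All child classes' } else { 'user objects only' }
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: include inherited entries so delegations made on a parent OU are not missed
Get-ChildObjectRights -OuDistinguishedName 'OU=employees,DC=domain,DC=com' -IncludeInherited |
    Sort-Object Inherited, Identity |
    Format-Table -AutoSize
```

Deny entries are listed alongside Allow entries on purpose: a review that only counts Allow ACEs can report a principal as privileged when a Deny elsewhere in the ACL actually blocks it, so read the Type column before drawing conclusions.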