Who has access to do what where?

If you manage Active Directory in a large organization, chances are good there are a number of cooks in the kitchen. Every now and then it’s good to review who has access to do what. I’m sure there are any number of great tools out there to give you this kind of information (feel free to link them in the comments); here’s a cmdlet that gives you a quick look at very specific permission sets in AD. (It requires Dell’s Quest ActiveRoles PowerShell snapin, which is free.)

This example checks to see who has the ability to create and delete child user objects in an OU called “employees”:

[PS] C:\Windows\system32>Get-QADPermission "domain.com/employees" -Rights 'CreateChild,DeleteChild' -ChildType 'user'

This will give you an output of something like this:

Ctrl  Account            Rights              Source         AppliesTo
----  -------            ------              ------         ---------
      DOMAIN\GroupName   Create/Delete user  Not inherited  This object and…
      DOMAIN\GroupName2  Create/Delete user  Not inherited  This object and…
      DOMAIN\User.Name   Create/Delete user  Not inherited  This object and…

WARNING: Only explicit permissions were displayed. To display inherited and AD default permissions use -Inherited and -SchemaDefault switches respectively.
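The one-liner above answers the question for a single OU and only for explicit ACEs. As an added example (not from the original post), the script below walks every OU under a search root, pulls the same Create/Delete user rights with -Inherited so delegations flowing down from parent OUs are included, and reports any principal that is not on an approved list. It assumes the snapin name Quest.ActiveRoles.ADManagement, that Get-QADObject accepts -SearchRoot, -Type and -SizeLimit, and that the permission objects expose Account, Rights and Source properties matching the column names shown above; the domain path and the approved list are constructed placeholders.

```powershell
# Added example, not code from the original post.
# Assumption: the Quest snapin is installed under this name.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Constructed allow-list: the only principals expected to create/delete user objects.
$Approved = @('DOMAIN\HelpdeskTier2', 'DOMAIN\Domain Admins')

# Every OU under the search root (placeholder path; substitute your own domain).
# Assumption: -SearchRoot, -Type and -SizeLimit are accepted as written; 0 = no limit.
$OUs = Get-QADObject -SearchRoot 'domain.com/' -Type organizationalUnit -SizeLimit 0

$Findings = foreach ($ou in $OUs) {
    # -Inherited is included on purpose: the explicit view alone hides rights that
    # flow down from a parent OU, which is where unexpected delegations tend to live.
    Get-QADPermission $ou -Rights 'CreateChild,DeleteChild' -ChildType 'user' -Inherited |
        Where-Object {
            # Assumption: Account stringifies to DOMAIN\Name as shown in the output above.
            $Approved -notcontains "$($_.Account)"
        } |
        ForEach-Object {
            [PSCustomObject]@{
                OU      = $ou.CanonicalName
                Account = "$($_.Account)"
                Rights  = "$($_.Rights)"
                Source  = "$($_.Source)"
            }
        }
}

# Anything listed here is a delegation that someone should be able to explain.
$Findings | Sort-Object OU, Account | Format-Table -AutoSize
```

Every row is a delegation to review rather than an automatic misconfiguration; add -SchemaDefault to the Get-QADPermission call if you also want the defaults the schema grants.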
