LAPS Permission Collection for OUs #1


@Chefkeks

Hi Kevin,

While searching for a script to show which OUs (and not the computers in the OUs) have the LAPS attributes set, I stumbled upon your script. With slight modifications I managed to succeed. Important for me was to be able to either include or exclude the inheriting OUs, hence the $inherited filtering.

That said, I wanted to leave this "issue" here with my modified version and a big THANKS to you!

Cheers!
🍪✌️ Michael

##Domain
$target = 'DC=your,DC=domain,DC=com'

##Include inherited ACEs? ($false = only permissions set directly on the OU, $true = only inherited ones)
$inherited = $false

Import-Module ActiveDirectory

##Get the schemaIDGUID of the LAPS attributes ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd from the schema;
##ACEs that target a single attribute carry this GUID in their ObjectType
$schemaIDGUID = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(|(name=ms-Mcs-AdmPwdExpirationTime)(name=ms-Mcs-AdmPwd))' -Properties name, schemaIDGUID |
    ForEach-Object { $schemaIDGUID.Add([System.GUID]$_.schemaIDGUID, $_.name) }

##Get all OUs below the target (the target itself is included when it is an OU)
$orgunits = Get-ADOrganizationalUnit -SearchBase $target -Filter *

##Collect the ACEs matching the criteria and display them as one table instead of one table per OU
Set-Location AD:
$report = foreach ($ou in $orgunits) {
    (Get-Acl $ou.DistinguishedName).Access |
        Where-Object { ($_.AccessControlType -eq 'Allow') -and
                       (($_.ActiveDirectoryRights -like '*WriteProperty*') -or ($_.ActiveDirectoryRights -like '*ReadProperty*')) -and
                       ($_.ObjectType -in $schemaIDGUID.Keys) -and
                       ($_.IsInherited -eq $inherited) } |
        Select-Object @{Label = 'OU'; Expression = { [string]$ou.DistinguishedName }},
                      @{Label = 'Attribute'; Expression = { $schemaIDGUID[$_.ObjectType] }},
                      IdentityReference, IsInherited, ActiveDirectoryRights
}
$report | Format-Table -AutoSize
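The same OU-level LAPS permission collection, reworked as an added example (this is not the script from the issue above and not the repository's own code). It goes beyond the posted version in two ways a reviewer of such a report usually wants: it also catches ACEs whose ObjectType is the all-zero GUID (GenericAll or "all extended rights", which cover the LAPS attributes without naming them), and it marks whether an ACE actually allows reading ms-Mcs-AdmPwd, which as a confidential attribute needs the extended (control access) right rather than ReadProperty alone. The function name Get-LapsOuPermission, the -IncludeInherited switch and the list of broad principals are my choices; it assumes the RSAT ActiveDirectory module and a session that can read the OU ACLs.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original issue. Reports every allow ACE on the
# OUs below $SearchBase that touches the LAPS attributes and flags grants to
# broad principals. Assumes RSAT ActiveDirectory and read access to the OU ACLs.
Import-Module ActiveDirectory

function Get-LapsOuPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'DC=your,DC=domain,DC=com'
        [switch] $IncludeInherited                      # default: explicit ACEs only
    )

    # Map schemaIDGUID -> attribute name for both LAPS attributes.
    $attrGuid = @{}
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(|(name=ms-Mcs-AdmPwd)(name=ms-Mcs-AdmPwdExpirationTime))' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $attrGuid[[guid]$_.schemaIDGUID] = $_.name }

    if ($attrGuid.Count -ne 2) {
        throw 'LAPS schema attributes not found; is the LAPS schema extension installed?'
    }

    # An all-zero ObjectType means the ACE applies to every property / extended right.
    $allProperties = [guid]::Empty
    # Principals that should not normally be able to read a local admin password
    # (hypothetical watch list; extend it to match your own standards).
    $broad = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')

    $ous = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter *
    foreach ($ou in $ous) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $IncludeInherited -and $ace.IsInherited) { continue }

            $targetsLaps = $attrGuid.ContainsKey($ace.ObjectType)
            # GenericAll / ExtendedRight / property rights with an empty ObjectType
            # cover the LAPS attributes as well, although they never name them.
            $coversAll = ($ace.ObjectType -eq $allProperties) -and
                         ($ace.ActiveDirectoryRights -match 'GenericAll|ExtendedRight|WriteProperty|ReadProperty')
            if (-not ($targetsLaps -or $coversAll)) { continue }

            # ms-Mcs-AdmPwd is confidential: reading it requires the extended
            # (control access) right on the attribute, not ReadProperty alone.
            $canReadPassword = ($ace.ActiveDirectoryRights -match 'GenericAll|ExtendedRight') -and
                               ($coversAll -or ($attrGuid[$ace.ObjectType] -eq 'ms-Mcs-AdmPwd'))

            $principal = $ace.IdentityReference.Value
            [pscustomobject]@{
                OU              = $ou.DistinguishedName
                Attribute       = if ($coversAll) { '(all properties)' } else { $attrGuid[$ace.ObjectType] }
                Identity        = $principal
                Rights          = $ace.ActiveDirectoryRights
                Inherited       = $ace.IsInherited
                CanReadPassword = $canReadPassword
                Broad           = [bool]($broad | Where-Object { $principal -like "*\$_" -or $principal -eq $_ })
            }
        }
    }
}

# Usage: explicit ACEs only, with the grants worth a second look sorted to the top.
# Get-LapsOuPermission -SearchBase 'DC=your,DC=domain,DC=com' |
#     Sort-Object Broad, CanReadPassword -Descending | Format-Table -AutoSize
```

Objects rather than a pre-formatted table are returned so the output can be exported (Export-Csv) or diffed between runs; a new row with CanReadPassword set to true for a principal outside the intended helpdesk group is the change worth investigating.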
