<# | |
Author : Nitish Kumar | |
AD delegated rights report | |
version 1.0 | 06/09/2023 Initial version | |
Disclaimer: This script is designed for illustration purposes only and the author does not claim responsibility for any issues caused by the script in production use. Do due diligence before running it in a production environment | |
#> | |
# Accumulator for every explicit (non-inherited) ACE found during the walk.
# Get-OUPermissions and the domain-root loop append records to it; the script
# exports the whole collection to CSV at the end.
Set-Variable -Name delegatedPermissionsOnOUs -Scope Global -Value @()
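# Collect the explicitly set (non-inherited) ACEs on one OU and recurse into
# its child OUs.
#
# Only organizationalUnit objects are inspected: the walk starts at the DN it
# is given and descends through Get-ADOrganizationalUnit, so container
# objects such as CN=Users or CN=System are never visited. If the starting DN
# is not itself an OU (the domain head, for example) its own ACL is skipped
# and only its child OUs are walked.
#
# Arguments:
#   $ouDN - distinguishedName of the object to start from.
# Globals:
#   $global:delegatedPermissionsOnOUs - appended to, one record per kept ACE.
# Outputs:
#   Nothing on the pipeline; results accumulate in the global array.
function Get-OUPermissions {
    param (
        [string]$ouDN
    )

    # Fetch CanonicalName together with the OU so no second directory query
    # is needed per ACE (the original re-queried inside the ACE loop).
    $ou = Get-ADOrganizationalUnit -Filter { DistinguishedName -eq $ouDN } -Properties CanonicalName
    if ($ou) {
        $ouSecurity = Get-Acl -Path "AD:\$ouDN"

        foreach ($ace in $ouSecurity.Access) {
            # Keep explicitly set ACEs only. The identity exclusions drop
            # well-known BUILTIN / NT AUTHORITY principals and any identity
            # that did not resolve to a name (surfaces as a raw S-1-5... SID).
            # NOTE(review): unresolved SIDs are typically deleted principals
            # that still hold rights; consider reporting them separately
            # rather than discarding them.
            if ($ace.IsInherited -eq $false -and
                $ace.IdentityReference -notlike "BUILTIN\*" -and
                $ace.IdentityReference -notlike "NT AUTHORITY\*" -and
                $ace.IdentityReference -notlike "S-1-5*") {

                $permissionInfo = [PSCustomObject]@{
                    "OU"                    = $ou.CanonicalName
                    "IdentityReference"     = $ace.IdentityReference
                    "ActiveDirectoryRights" = $ace.ActiveDirectoryRights
                    "AccessControlType"     = $ace.AccessControlType
                    # Without the object-type GUIDs a WriteProperty or
                    # ExtendedRight entry scoped to one attribute/right cannot
                    # be told apart from one covering everything; record them
                    # so the CSV can actually be reviewed.
                    "ObjectType"            = $ace.ObjectType
                    "InheritedObjectType"   = $ace.InheritedObjectType
                    "InheritanceType"       = $ace.InheritanceType
                    "DistinguishedName"     = $ouDN
                }
                $global:delegatedPermissionsOnOUs += $permissionInfo
            }
        }
    }

    # Both branches of the original enumerated the children; do it once here.
    $childOUs = Get-ADOrganizationalUnit -SearchBase $ouDN -Filter * -SearchScope OneLevel
    foreach ($childOU in $childOUs) {
        Get-OUPermissions -ouDN $childOU.DistinguishedName
    }
}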
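# The AD: PSDrive used by Get-Acl below exists only once the module is loaded.
Import-Module ActiveDirectory -ErrorAction Stop

# Target domain. $env:USERDOMAIN is the NetBIOS name of the domain the current
# user logged on to, so the report covers that domain; to report on a different
# domain replace this lookup with its DN (e.g. "DC=domain,DC=com").
$domainDN = (Get-ADDomain $env:USERDOMAIN).DistinguishedName

# Output location. The directory is created up front so the run does not fail
# at the very end, after the whole tree has already been walked.
$outputPath = 'c:\temp\delegation.csv'
$outputDir = Split-Path -Parent $outputPath
if (-not (Test-Path -LiteralPath $outputDir)) {
    New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
}

# Explicit ACEs on the domain head itself. Get-OUPermissions skips this object
# because it is not an OU, so it is handled here.
$domainRootSecurity = Get-Acl -Path "AD:\$domainDN"
foreach ($ace in $domainRootSecurity.Access) {
    # Same selection as in Get-OUPermissions: non-inherited entries, minus
    # BUILTIN / NT AUTHORITY principals and identities that did not resolve to
    # a name (raw S-1-5... SIDs). NOTE(review): unresolved SIDs at the domain
    # head usually mean a deleted principal still holds rights and are worth a
    # separate look rather than being dropped.
    if ($ace.IsInherited -eq $false -and
        $ace.IdentityReference -notlike "BUILTIN\*" -and
        $ace.IdentityReference -notlike "NT AUTHORITY\*" -and
        $ace.IdentityReference -notlike "S-1-5*") {

        $permissionInfo = [PSCustomObject]@{
            "OU"                    = "Domain Root"
            "IdentityReference"     = $ace.IdentityReference
            "ActiveDirectoryRights" = $ace.ActiveDirectoryRights
            "AccessControlType"     = $ace.AccessControlType
            # Object-type GUIDs distinguish a narrowly scoped right (one
            # attribute or one extended right) from a blanket grant; they are
            # essential for judging a domain-head ACE.
            "ObjectType"            = $ace.ObjectType
            "InheritedObjectType"   = $ace.InheritedObjectType
            "InheritanceType"       = $ace.InheritanceType
            "DistinguishedName"     = $domainDN
        }
        $global:delegatedPermissionsOnOUs += $permissionInfo
    }
}

# Walk every OU beneath the domain head.
Get-OUPermissions -ouDN $domainDN

# Export-Csv takes its column set from the first object it receives, which is a
# domain-root record whenever any exist; keep the record shapes in sync.
$global:delegatedPermissionsOnOUs | Export-Csv -NoTypeInformation -Path $outputPath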