This is a PowerShell script that scans and audits your Active Directory structure for any users or groups holding extended-rights permissions, and lists the organizational unit (OU) paths on which those permissions are granted. It requires the Active Directory PowerShell module. No changes need to be made to the script; however, if you wish to alter the output log path or add principals to be filtered out of the output (such as your known administrators), edit the variables at the top of the script with ISE or Notepad before running it.
The script is beneficial for users who have deployed LAPS (Local Administrator Password Solution) in their environment, because the right to read the LAPS password is delegated as an extended right on computer objects. This script lets you quickly audit who has been granted extended rights in AD and where. Note that it reports every extended-right ACE, not only the LAPS password-read right, so compare the reported entries against the permissions you actually delegated.
###################################################################################
################### Variables #####################################################
###################################################################################
## Folder that receives the CSV report. NOTE(review): the report is a list of every
## principal able to read LAPS passwords, so keep this folder restricted to
## administrators -- do not point it at a shared or world-readable location.
$LoggedAccessLocation = 'C:\Temp\'
## Wildcard pattern (-like syntax) for principals to leave out of the report,
## for example your known administrator groups.
$NotMe = '*DasAdmins*'
###################################################################################
## The script body is also meant to skip BUILTIN\*, NT AUTHORITY\* and unresolved
## (orphaned) S-1-5* SIDs without any configuration here.
###################################################################################
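## ---- Output location -------------------------------------------------------------
## Create the report folder if needed. Join-Path is used for the file name so the
## configured path works with or without a trailing backslash (the original string
## concatenation silently produced "C:\Temp2023-..." when the backslash was missing).
if (-not (Test-Path -LiteralPath $LoggedAccessLocation)) {
    New-Item -ItemType Directory -Force -Path $LoggedAccessLocation | Out-Null
}
## Same yyyy-MM-dd stamp that the "%Y / %m / %d" + replace sequence used to build.
$Date = Get-Date -Format 'yyyy-MM-dd'
$FP = Join-Path -Path $LoggedAccessLocation -ChildPath "${Date}_ExtRights_Audit.CSV"

## ---- Prerequisites ---------------------------------------------------------------
## Stop immediately when the RSAT ActiveDirectory module is absent instead of failing
## once per cmdlet further down. Importing it also mounts the AD: drive used by Get-Acl.
Import-Module ActiveDirectory -ErrorAction Stop

## $NotMe may be a single wildcard pattern or an array of them; blank entries are ignored.
$ExcludedPatterns = @($NotMe | Where-Object { -not [string]::IsNullOrEmpty($_) })

## ---- Scan targets ----------------------------------------------------------------
## The domain head and the default Computers container are scanned alongside the OUs:
## an ACE granted at the domain root is inherited by every OU (and would be dropped by
## the non-inherited filter below, hiding where it was actually granted), and machines
## joined without a target OU land in CN=Computers, which is a container, not an OU.
$Domain  = Get-ADDomain
$Targets = @($Domain.DistinguishedName) + @($Domain.ComputersContainer) +
           @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)

## Accumulate results in a list; += on an array re-copies it on every append.
$ACLList = New-Object -TypeName 'System.Collections.Generic.List[object]'
$I = 0
foreach ($Target in $Targets) {
    Write-Progress -Activity "Checking: $Target... " `
                   -Status "Scanned: $I of $($Targets.Count) folders..." `
                   -PercentComplete (($I / $Targets.Count) * 100)
    $I++

    ## Read the DACL through the AD: drive rather than Set-Location ad:, so the caller's
    ## working location is left untouched when the script finishes.
    $Acl = Get-Acl -Path "AD:\$Target"

    foreach ($Rule in $Acl.Access) {
        ## Only ACEs set directly on this object; inherited ones are reported at the
        ## object they were granted on. (The original compared the boolean to the
        ## string 'True', which only worked by accidental type coercion.)
        if ($Rule.IsInherited) { continue }

        ## ExtendedRight covers the LAPS "read ms-Mcs-AdmPwd" control-access right.
        ## GenericAll implies every extended right, so it is reported as well.
        ## WriteDacl / WriteOwner are NOT reported even though a holder could grant
        ## themselves the right -- audit those separately.
        if ($Rule.ActiveDirectoryRights -notmatch 'ExtendedRight|GenericAll') { continue }

        $Principal = $Rule.IdentityReference.ToString()
        ## Well-known and unresolved principals are skipped. -like is required here:
        ## the original used -ne "NT AUTHORITY\*", a literal comparison that never
        ## matched NT AUTHORITY\SYSTEM or NT AUTHORITY\SELF, so they leaked into the
        ## report despite the "automatically filtered" note in the variable section.
        if ($Principal -like 'BUILTIN\*' -or
            $Principal -like 'NT AUTHORITY\*' -or
            $Principal -like 'S-1-5*') { continue }

        $Excluded = $false
        foreach ($Pattern in $ExcludedPatterns) {
            if ($Principal -like $Pattern) { $Excluded = $true; break }
        }
        if ($Excluded) { continue }

        ## ObjectType identifies *which* extended right the ACE grants: an all-zero
        ## GUID means every extended right; otherwise resolve it against the schema /
        ## Extended-Rights container to confirm it is the LAPS password attribute.
        ## InheritanceType shows whether the ACE actually flows down to the computer
        ## objects (an ACE with inheritance "None" applies to the OU object only).
        $ACLList.Add((New-Object -TypeName PSObject -Property @{
            Path        = $Target
            IDRef       = $Principal
            Access      = $Rule.AccessControlType.ToString()
            Rights      = $Rule.ActiveDirectoryRights.ToString()
            ObjectType  = $Rule.ObjectType.ToString()
            Inheritance = $Rule.InheritanceType.ToString()
        }))
    }
}
Write-Progress -Activity 'Done' -Completed

## ---- Report ----------------------------------------------------------------------
## Path, IDRef and Access keep the original column order; the extra columns are
## appended so existing consumers that read by header are unaffected.
$ACLList |
    Select-Object Path, IDRef, Access, Rights, ObjectType, Inheritance |
    Export-Csv -LiteralPath $FP -NoTypeInformation

Clear-Host
$ACLList | Format-Table -AutoSize
Write-Host "Output logged to: $FP"
## NOTE(review): the CSV is effectively a map of who can read local administrator
## passwords; treat it as sensitive and do not leave it on a shared drive.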