Powershell Script to export permissions on entire Domain or OU

raj a 316 Reputation points
2024-05-19T16:33:46.2633333+00:00

Hello,

I'm seeking assistance with a PowerShell script to export permissions within Active Directory, either for the entire domain or for a specific Organizational Unit (OU), and save the output in CSV format.

Could someone kindly provide such a script?

Thank you in advance.

Regards,

Raj


1 answer

  1. Marcin Policht 14,580 Reputation points MVP
    2024-05-19T18:04:58.97+00:00

    Try the following

    Import-Module ActiveDirectory
    
    # Read the ACL of one AD object via the AD: PSDrive and flatten each ACE into a row
    function Get-ADPermissions {
        param (
            [string]$TargetDN
        )
        $acl = Get-ACL -Path "AD:\$TargetDN"
        $permissions = $acl.Access | ForEach-Object {
            [PSCustomObject]@{
                IdentityReference = $_.IdentityReference
                ActiveDirectoryRights = $_.ActiveDirectoryRights
                AccessControlType = $_.AccessControlType
                ObjectType = $_.ObjectType
                InheritanceType = $_.InheritanceType
                InheritedObjectType = $_.InheritedObjectType
            }
        }
        return $permissions
    }
    
    $targetDN = "DC=yourdomain,DC=com" # For the entire domain
    # $targetDN = "OU=YourOU,DC=yourdomain,DC=com" # For a specific OU
    
    if ($targetDN -match "^DC=") {
        # Whole domain: the domain head itself plus every OU
        $ouList = @($targetDN) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    } else {
        $ouList = @($targetDN)
    }
    
    # Must start as an array: "+=" on an uninitialised variable fails on the second object
    $result = @()
    
    foreach ($ou in $ouList) {
        $permissions = Get-ADPermissions -TargetDN $ou
        foreach ($perm in $permissions) {
            $result += [PSCustomObject]@{
                OU = $ou
                IdentityReference = $perm.IdentityReference
                ActiveDirectoryRights = $perm.ActiveDirectoryRights
                AccessControlType = $perm.AccessControlType
                ObjectType = $perm.ObjectType
                InheritanceType = $perm.InheritanceType
                InheritedObjectType = $perm.InheritedObjectType
            }
        }
    }
    
    $result | Export-Csv -Path "C:\ADPermissions.csv" -NoTypeInformation


    hth

    Marcin

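A raw ACL dump like the one above lists ObjectType as bare GUIDs and mixes inherited ACEs with the ones actually set on each object, which makes the CSV hard to review. The following is an added example, not part of the answer above: it resolves those GUIDs to schema attribute and extended-right names, lets you keep only explicit ACEs, and flags Allow ACEs granting GenericAll, WriteDacl or WriteOwner so an auditor can sort on that column. The function name Export-ADAclReport, the parameter names and the output path are assumptions; the cmdlets and attribute names are standard Active Directory ones.

```powershell
Import-Module ActiveDirectory

# Map schema GUIDs (attributes/classes) and extended-right GUIDs to readable names
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Rights that let the grantee take over the object outright; these rows get Review = True
$takeoverRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Export-ADAclReport {
    param (
        [Parameter(Mandatory)][string]$SearchBase,   # domain head or OU DN
        [Parameter(Mandatory)][string]$OutFile,
        [switch]$ExplicitOnly                        # drop inherited ACEs, keep only where set
    )
    $rows = [System.Collections.Generic.List[object]]::new()
    # The search base itself plus every OU and container beneath it
    $targets = @($SearchBase) + (Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
        Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $appliesTo = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                         elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                         else { $ace.ObjectType.ToString() }
            $rows.Add([PSCustomObject]@{
                ObjectDN  = $dn
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Type      = $ace.AccessControlType
                AppliesTo = $appliesTo
                Inherited = $ace.IsInherited
                Review    = ($ace.AccessControlType -eq 'Allow') -and
                            [bool]($takeoverRights | Where-Object { $rights -match $_ })
            })
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows.Count
}

Export-ADAclReport -SearchBase (Get-ADDomain).DistinguishedName -OutFile 'C:\ADAclReport.csv' -ExplicitOnly
```

Run it without -ExplicitOnly when you also need to see what each object inherits from above; the Review column is a starting point for a manual check, not a verdict.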