Checking For Protected ACLs in Active Directory (PowerShell)
Introduction
This script demonstrates how to find objects with a protected ACL (inheritance disabled) under a specified base scope.
Scenarios
Exchange Server setup grants permissions to various groups at various places in the domain and configuration contexts of Active Directory. Because Exchange relies on these permissions in order for everything to work properly, from time to time we see cases where something is not working, and we eventually track it down to the fact that an object has been set NOT to inherit permissions from its parent. This is called a protected ACL, because it is protected from inheriting permissions from the parent.
Script
This script contains one advanced function: Get-OSCProtectedACLObject. You can use this script in the following ways:
Method 1:
- Download the script and open the script file with Notepad or any other script editor.
- Scroll down to the end of the script file, and then add the example command which you want to run.
- Save the file then run the script in PowerShell.
Method 2:
- Rename scriptname.ps1 to scriptname.psm1 (PowerShell module file).
- Run the following Import-Module cmdlet to import this module file.
Import-Module filepath\scriptname.psm1
Here are some code snippets for your reference.
# $results is the SearchResultCollection returned by DirectorySearcher.FindAll()
if ($results.Count -gt 0)
{
    foreach ($result in $results)
    {
        # Bind to the object so its security descriptor can be read
        $entry = $result.GetDirectoryEntry()
        # AreAccessRulesProtected is $true when the DACL does not inherit from the parent
        if ($entry.ObjectSecurity.AreAccessRulesProtected)
        {
            ("Inheritance disabled: " + $entry.distinguishedName)
        }
    }
}
Examples
Example 1: Get protected objects from base scope "LDAP://OU=myou,OU=TestOu,DC=test7,DC=com".
Command: Get-OSCProtectedACLObject -BaseDN "LDAP://OU=myou,OU=TestOu,DC=test7,DC=com"
Example 2: Recurse AD root and get protected objects.
Command: Get-OSCProtectedACLObject -Recurse
Example 3: Recurse AD root and get protected objects that are containers.
Command: Get-OSCProtectedACLObject -Recurse -ContainersOnly
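The script file itself is not reproduced on this page, so the following is an added, self-contained implementation of the same check (example code, not the Get-OSCProtectedACLObject script). The function name Find-ProtectedAclObject, its output fields and the LDAP filter used for -ContainersOnly are my assumptions; the parameters mirror the -BaseDN, -Recurse and -ContainersOnly switches used in the examples above, and it assumes a domain-joined host where System.DirectoryServices is available.

```powershell
# Added example, not the page's script. Finds AD objects whose DACL has inheritance
# disabled (AreAccessRulesProtected) under a base DN. Function/output names are mine.
function Find-ProtectedAclObject {
    [CmdletBinding()]
    param(
        [string]$BaseDN,          # e.g. "LDAP://OU=myou,OU=TestOu,DC=test7,DC=com"
        [switch]$Recurse,         # Subtree search instead of one level
        [switch]$ContainersOnly   # report only OUs and containers
    )
    if (-not $BaseDN) {
        # Default to the domain root, discovered from RootDSE
        $rootDse = [ADSI]"LDAP://RootDSE"
        $BaseDN = "LDAP://$($rootDse.defaultNamingContext)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$BaseDN)
    $searcher.SearchScope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }
    $searcher.PageSize = 1000   # paged results: avoids the server-side 1000-entry cap
    $searcher.Filter = if ($ContainersOnly) {
        '(|(objectClass=organizationalUnit)(objectClass=container))'   # assumed filter
    } else { '(objectClass=*)' }
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # Bind to the object to read its security descriptor (DACL)
            $entry = $result.GetDirectoryEntry()
            $sd = $entry.ObjectSecurity
            if (-not $sd.AreAccessRulesProtected) { $entry.Dispose(); continue }

            # Owner may not translate to a name (orphaned SID); fall back to the raw SID
            try   { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
            catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }

            # Explicit ACEs only: with inheritance blocked, these are the whole DACL
            $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
            [PSCustomObject]@{
                DistinguishedName = $result.Properties['distinguishedname'][0]
                Owner             = $owner
                ExplicitAceCount  = @($explicit).Count
            }
            $entry.Dispose()
        }
    } finally { $results.Dispose() }
}

# Usage (mirrors the examples on the page); uncomment to run:
# Find-ProtectedAclObject -BaseDN "LDAP://OU=myou,OU=TestOu,DC=test7,DC=com"
# Find-ProtectedAclObject -Recurse -ContainersOnly | Format-Table -AutoSize
```

The ExplicitAceCount and Owner columns are there so that a protected object with an unexpectedly small DACL or an unexpected owner stands out when reviewing the output; the page's own script only reports the distinguished name.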
Prerequisite
Windows Server 2008 R2 or later