Script to check and delete all users delegated permission (PowerShell)
Introduction
This script checks for and removes all delegated permissions on an Active Directory container or organizational unit, restoring the object's permissions to their defaults.
Scenarios
Windows Server has no wizard for removing delegated permissions. To delete all delegated permissions and restore an object's permissions to default, you would otherwise have to use ADUC and tools such as Dsrevoke to check and remove each delegation manually. This script reduces that work to a single command.
Script
This script contains two advanced functions: Remove-OSCDelegatedPermissions and Get-OSCDelegatedPermissions. You can use this script in the following ways:
Method 1:
- Download the script and open the script file together with Notepad or any other script editor.
- Scroll down to the end of the script file, and then add the example command which you want to run.
- Save the file then run the script in PowerShell.
Method 2:
- Rename scriptname.ps1 to scriptname.psm1 (PowerShell Module file)
- Run the following Import-Module cmdlet to import this module file.
Import-Module filepath\scriptname.psm1
Here are some code snippets for your reference. To get the complete script sample, please click the download button at the beginning of this page.
PowerShell
# Fragment of Remove-OSCDelegatedPermissions. $ADobj (the target object), $type
# (its object class), $Name, $CnAcl and $OuAcl are set earlier in the function;
# $CnAcl and $OuAcl hold the ACL of a newly created container/OU, i.e. the
# default permissions that the target is reset to.
If($ADobj)
{
    $AdDn = $ADobj.DistinguishedName
    If($type -eq "container")
    {
        # Apply the default container ACL to the specified container
        Set-Acl -Path "AD:\$AdDn" -AclObject $CnAcl
    }
    If($type -eq "organizationalUnit")
    {
        # Apply the default OU ACL to the specified organizational unit
        Set-Acl -Path "AD:\$AdDn" -AclObject $OuAcl
    }
    Write-Host "Removed delegated permissions from $Name successfully."
}
Else
{
    Write-Warning "There is no container or organizationalUnit named '$Name'."
}
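Before resetting an ACL with Remove-OSCDelegatedPermissions, you will normally want to see exactly which delegations are about to disappear. The following is an added example, not part of the OSC script, showing how the "check" half can be done with the ActiveDirectory module's AD: drive: it lists the explicit (non-inherited) ACEs on an OU or container and resolves the ObjectType GUIDs to schema attribute or extended-right names so that, for example, a "Reset Password" delegation is readable. It assumes the RSAT ActiveDirectory module is installed and the caller can read the object and the schema; the distinguished name "OU=TestOu,DC=contoso,DC=com" and the list of trustees excluded as defaults are constructed sample values, and the exclusion list should be tuned to your own forest.

```powershell
# Added example: audit explicit ACEs on an AD container/OU. Not part of the OSC script.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Build a GUID -> name table from schema classes/attributes (schemaIDGUID) and
    # extended rights (rightsGuid) so ACE ObjectType GUIDs can be displayed by name.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }
    $map
}

function Get-ExplicitAdAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName,

        # Trustees whose explicit ACEs come from the schema default security descriptor
        # rather than from a delegation. Constructed starting list (an assumption);
        # add domain-relative groups such as "CONTOSO\Domain Admins" for your forest.
        [string[]]$ExcludeIdentity = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Account Operators',
            'BUILTIN\Print Operators'
        ),

        # Show every explicit ACE, including the excluded default trustees.
        [switch]$IncludeDefaults
    )

    $guidMap = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # IsInherited = $false keeps only ACEs set directly on this object. Inherited ACEs
    # originate on a parent and must be reviewed (and removed) there, not here.
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { $IncludeDefaults -or ($ExcludeIdentity -notcontains $_.IdentityReference.Value) } |
        ForEach-Object {
            # Empty GUID means the ACE applies to the whole object, not one property/right.
            $objType = if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                       elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                       else { $_.ObjectType.ToString() }
            $inhType = if ($_.InheritedObjectType -eq [guid]::Empty) { '(all)' }
                       elseif ($guidMap.ContainsKey($_.InheritedObjectType)) { $guidMap[$_.InheritedObjectType] }
                       else { $_.InheritedObjectType.ToString() }

            [pscustomobject]@{
                Object              = $DistinguishedName
                Identity            = $_.IdentityReference.Value
                Type                = $_.AccessControlType
                Rights              = $_.ActiveDirectoryRights
                ObjectType          = $objType
                InheritedObjectType = $inhType
                Inheritance         = $_.InheritanceType
            }
        }
}

# Usage: review (and keep a copy of) the delegations before resetting the ACL.
Get-ExplicitAdAce -DistinguishedName 'OU=TestOu,DC=contoso,DC=com' |
    Tee-Object -FilePath "$env:TEMP\TestOu-delegations.csv" |
    Format-Table Identity, Type, Rights, ObjectType, InheritedObjectType -AutoSize
```

The exported CSV gives you a record of what was delegated before the reset, which is what you would consult if a service or help-desk role stops working after Remove-OSCDelegatedPermissions has been run.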
Examples
Example 1: Get delegated permissions on "TestOu".
Command: Get-OSCDelegatedPermissions -Name "TestOu"
Example 2: Remove delegated permissions on "TestOu".
Command: Remove-OSCDelegatedPermissions -Name "TestOu"

Prerequisite
Windows Server 2008R2 or higher version