Get User ACL inheritance settings (SDHolder)

    • #281570

      Hello,

      I need to find users in specific OUs and, for those users, find out if they are protected accounts, where the SDHolder groups are present, the “enable inheritance” setting (under Security, Advanced, Enable inheritance), and if not, it needs to be restored to their ACL default.

      I create a $ for the users with the admincount set to 1.
      When I try to find out if the NTSecurity settings are disabled, PowerShell asks me for the property.
      I have no clue what kind of property is missing at this point…

      Hopefully the answer can help me understand this :

      PowerShell returns an “error”:

      Thanks in advance

    • #281576

      Recommend a different approach. You’re getting the users 3 times from the same place with different properties. Here is something to try:

      Don’t have AD handy to test the parse of ntsecuritydescriptor, but even if the calculated expression doesn’t get you a boolean true\false, you still have it for the user and can attempt to re-parse it.

      Edit: Actually, looking at it, most likely the issue is that the query for the ntsecuritydescriptor is returning null and you are piping it to Export, but it’s NULL, hence no properties to export.

    • #281743

      @Rob Simmers,
      Thanks a lot.
      It worked really well.

      Maybe you also have a good idea how I can get just the SDHolder groups as output?
      I use:

      to find the ACL groups; however, I struggle with getting just the 4 SDHolder groups.

      grtz

      Pieter

    • #281813

      It should be a simple where clause. This example is filtering out identities like ‘admin’:

      • This reply was modified 3 weeks, 6 days ago by Rob Simmers.
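
The approach discussed in this thread (one query per OU with all needed properties, a calculated inheritance flag, and a where clause on the ACL identities), written out as an added example that is not code from either poster. The OU DN and the `*admin*` pattern are constructed placeholders, and both function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Get-ProtectedUserAclReport {
    [CmdletBinding()]
    param(
        # OUs to search (constructed placeholder DN; replace with your own)
        [string[]]$SearchBase = @('OU=Admins,DC=example,DC=com'),
        # ACL identities to keep in the report (assumed pattern; adjust to your groups)
        [string]$IdentityPattern = '*admin*'
    )
    foreach ($ou in $SearchBase) {
        # Single query per OU that requests every property needed
        Get-ADUser -SearchBase $ou -Filter 'adminCount -eq 1' -Properties adminCount, nTSecurityDescriptor |
            ForEach-Object {
                $sd = $_.nTSecurityDescriptor   # can come back $null; handle it explicitly
                [pscustomobject]@{
                    SamAccountName      = $_.SamAccountName
                    DistinguishedName   = $_.DistinguishedName
                    AdminCount          = $_.adminCount
                    # $true means "Enable inheritance" is switched off on the object
                    InheritanceDisabled = if ($sd) { $sd.AreAccessRulesProtected } else { $null }
                    MatchingAclEntries  = if ($sd) {
                        ($sd.Access |
                            Where-Object { $_.IdentityReference -like $IdentityPattern } |
                            ForEach-Object { $_.IdentityReference.Value } |
                            Sort-Object -Unique) -join '; '
                    } else { $null }
                }
            }
    }
}

function Restore-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        $sd = (Get-ADUser -Identity $DistinguishedName -Properties nTSecurityDescriptor).nTSecurityDescriptor
        if ($sd -and $sd.AreAccessRulesProtected -and
            $PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            # $false = inherit again; the second argument is ignored when un-protecting.
            # This only re-enables inheritance; explicit ACEs already on the object stay.
            $sd.SetAccessRuleProtection($false, $true)
            Set-ADObject -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $sd }
        }
    }
}
```

Pipe the report into `Restore-UserAclInheritance -WhatIf` first to see which accounts would change. Accounts that are still members of a protected group will have inheritance disabled again by the AdminSDHolder process.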