Get User ACL inheritance settings (SDHolder)

[PBA121137 Participant Topics: 9 Replies: 6 Points: 129Rank: Participant]

Hello,

I need to find users in specific ou’s and of that users find out if they are protected accounts, where the SDholder groups are present , the “enable inheritance” setting (under  security-advanced,enable inheritance ) and if not it needs to be restored to their ACL-Default .

I create a $ for tghe users with the admincount set to 1.
When I try to find out if the NTSecurity settings are Disabled powershell ask me to the property.
I have no clue what kind of property is missing at this point…

Hopefully the answer can help me understand this :

PowerShell

$Ou1 = path.... $Ou2 = path.... $Ou3 = path.... # The different OU's are put together in 1 Variabele $AdminOus = @() $AdminOus += $OUpathP01 $AdminOus += $OUpathP02 $AdminOus += $OUpathP03 # 1. Get the users that are in the ou's and place them in a Variable called $Users $Users = @() $Users += Get-ADUser -Filter * -SearchBase $OUpathP01 $Users += Get-ADUser -Filter * -SearchBase $OUpathP02 $Users += Get-ADUser -Filter * -SearchBase $OUpathP03 #Find Adminaccounts with admincount property = 1, and no SDHolder groups in ACL Foreach($user in $Users){ get-aduser $user -properties * |Where -Property admincount -EQ 1 |select -Property samaccountname, admincount |export-csv $exportpath -Append } #Find protected accounts in searchscope with inheritance disabled $Admincount = import-csv $exportpath.sa Foreach ($sam in $Admincount.samaccountname){ Get-aduser -searchbase $Sam -filter * -properties ntsecuritydescriptor | where {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true) } |export-csv "D:\inheritance.csv" }

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

$Ou1 = path.... $Ou2 = path.... $Ou3 = path....   # The different OU's are put together in 1 Variabele $AdminOus = @() $AdminOus += $OUpathP01 $AdminOus += $OUpathP02 $AdminOus += $OUpathP03     # 1. Get the users that are in the ou's and place them in a Variable called $Users $Users = @() $Users += Get-ADUser -Filter * -SearchBase $OUpathP01 $Users += Get-ADUser -Filter * -SearchBase $OUpathP02 $Users += Get-ADUser -Filter * -SearchBase $OUpathP03   #Find Adminaccounts with admincount property = 1, and no SDHolder groups in ACL Foreach($user in $Users){ get-aduser $user -properties * |Where -Property admincount -EQ 1 |select -Property samaccountname, admincount |export-csv $exportpath -Append          }   #Find protected accounts in searchscope with inheritance disabled $Admincount = import-csv $exportpath.sa   Foreach ($sam in $Admincount.samaccountname){ Get-aduser -searchbase $Sam -filter * -properties ntsecuritydescriptor | where {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true) } |export-csv "D:\inheritance.csv"     }

Powershell returns a “error”:

PowerShell

get-aduser -searchbase $Sam -filter * -properties ntsecuritydescriptor | where {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true) } |export-csv "D:\Users\adpiebak1d\Documents\PS-script\Output\inheritance.csv" } cmdlet Where-Object at command pipeline position 2 Supply values for the following parameters: Property:

1 2 3 4 5 6

get-aduser -searchbase $Sam -filter * -properties ntsecuritydescriptor | where {($_.ntsecuritydescriptor.areaccessrulesprotected -eq $true) } |export-csv "D:\Users\adpiebak1d\Documents\PS-script\Output\inheritance.csv"     } cmdlet Where-Object at command pipeline position 2 Supply values for the following parameters: Property:

thanx in advance

[Rob Simmers]

Recommend a different approach. You’re getting the users 3 times from the same place with different properties. Here is something to try:

PowerShell

$adminOus = 'OU=Path1,DC=mydomain,DC=com', 'OU=Path1,DC=mydomain,DC=com', 'OU=Path1,DC=mydomain,DC=com' $users = foreach ($ou in $adminOus) { Get-ADUser -Filter * -SearchBase $ou -Property admincount,ntsecuritydescriptor | Select-Object -Property *, @{Name='AreaAccessRulesProtected';Expression={$_.ntsecuritydescriptor.areaccessrulesprotected}} } $users | Where-Object -FilterScript {$_.AdminCount -eq 1 -and $_.AreaAccessRulesProtected -eq $true}

1 2 3 4 5 6 7 8 9 10 11 12

$adminOus = 'OU=Path1,DC=mydomain,DC=com',             'OU=Path1,DC=mydomain,DC=com',             'OU=Path1,DC=mydomain,DC=com'   $users = foreach ($ou in $adminOus) {     Get-ADUser -Filter * -SearchBase $ou -Property admincount,ntsecuritydescriptor |     Select-Object -Property *,                             @{Name='AreaAccessRulesProtected';Expression={$_.ntsecuritydescriptor.areaccessrulesprotected}} }     $users | Where-Object -FilterScript {$_.AdminCount -eq 1 -and $_.AreaAccessRulesProtected -eq $true}

Don’t have AD handy to test the parse of ntsecuritydesciptor, but even if the calculated expression doesn’t get you a boolean true\false, you still have it for the user and can attempt to re-parse it.

Edit: Actually looking at it, most likely the issue you is the query for the ntsecuritydescriptor is returning null and you are piping it to Export, but it’s NULL, hence no properties to export.

• This reply was modified 4 weeks ago by Rob Simmers.

[PBA121137 Participant Topics: 9 Replies: 6 Points: 129Rank: Participant]

Rob Simmers wrote:

Recommend a different approach. You’re getting the users 3 times from the same place with different properties. Here is something to try:

<link rel=”stylesheet” type=”text/css” href=”https://powershell.org/wp-content/plugins/urvanov-syntax-highlighter/themes/powershell-ise/powershell-ise.css”&gt;
<link rel=”stylesheet” type=”text/css” href=”https://powershell.org/wp-content/plugins/urvanov-syntax-highlighter/fonts/liberation-mono.css”&gt;

PowerShell

<textarea class=”urvanov-syntax-highlighter-plain print-no” data-settings=”dblclick” readonly=”” style=”tab-size: 4; font-size: 14px !important; line-height: 18px !important; z-index: 0; opacity: 0;”>$adminOus = ‘OU=Path1,DC=mydomain,DC=com’,
‘OU=Path1,DC=mydomain,DC=com’,
‘OU=Path1,DC=mydomain,DC=com’

$users = foreach ($ou in $adminOus) {
Get-ADUser -Filter * -SearchBase $ou -Property admincount,ntsecuritydescriptor |
Select-Object -Property *,
@{Name=’AreaAccessRulesProtected’;Expression={$_.ntsecuritydescriptor.areaccessrulesprotected}}
}

$users | Where-Object -FilterScript {$_.AdminCount -eq 1 -and $_.AreaAccessRulesProtected -eq $true}</textarea>

1 2 3 4 5 6 7 8 9 10 11 12

$adminOus = ‘OU=Path1,DC=mydomain,DC=com’, ‘OU=Path1,DC=mydomain,DC=com’, ‘OU=Path1,DC=mydomain,DC=com’ $users = foreach ($ou in $adminOus) { Get-ADUser -Filter * -SearchBase $ou -Property admincount,ntsecuritydescriptor | Select-Object -Property *, @{Name=‘AreaAccessRulesProtected’;Expression={$_.ntsecuritydescriptor.areaccessrulesprotected}} } $users | Where-Object -FilterScript {$_.AdminCount -eq 1 -and $_.AreaAccessRulesProtected -eq $true}

Don’t have AD handy to test the parse of ntsecuritydesciptor, but even if the calculated expression doesn’t get you a boolean true\false, you still have it for the user and can attempt to re-parse it.

Edit: Actually looking at it, most likely the issue you is the query for the ntsecuritydescriptor is returning null and you are piping it to Export, but it’s NULL, hence no properties to export.

@Rob Simmers,
Thanks a lot..
It worked really well.

Maybe you also have a good idea, how I get just the SDholder groups as a output..?
I use :

PowerShell

ACL =(Get-ACL "AD:$((Get-ADUser adpiebak1d).distinguishedname)").access

1	ACL =(Get-ACL "AD:$((Get-ADUser adpiebak1d).distinguishedname)").access

to find the ACL groups, however I struggle by getting just the 4 SDholder groups.

grtz

Pieter

[Rob Simmers]

It should be a simple where clause. This example is filtering out identities like ‘admin’:

PowerShell

PS C:\Users\rasim> c:\Users\rasim\Desktop\temp.ps1 FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : None PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : ReadAndExecute, Synchronize AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : Modify, Synchronize AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users IsInherited : True InheritanceFlags : None PropagationFlags : None PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access | Where{$_.IdentityReference -like '*admin*'} FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : None PropagationFlags : None

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46

PS C:\Users\rasim> c:\Users\rasim\Desktop\temp.ps1   FileSystemRights  : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited       : True InheritanceFlags  : None PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access   FileSystemRights  : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited       : True InheritanceFlags  : None PropagationFlags  : None   FileSystemRights  : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM         IsInherited       : True InheritanceFlags  : None PropagationFlags  : None   FileSystemRights  : ReadAndExecute, Synchronize AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited       : True InheritanceFlags  : None PropagationFlags  : None   FileSystemRights  : Modify, Synchronize AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users IsInherited       : True InheritanceFlags  : None PropagationFlags  : None     PS C:\Users\rasim> (Get-ACL -Path C:\Scripts\file1.txt).Access | Where{$_.IdentityReference -like '*admin*'}   FileSystemRights  : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited       : True InheritanceFlags  : None PropagationFlags  : None

• This reply was modified 3 weeks, 6 days ago by Rob Simmers.

[Author]

Posts