List of Users with DSACL elements that Contain "Deny"

This topic contains 4 replies, has 3 voices, and was last updated by  Rick 1 month ago.

  • #82489

    James Thompson

    Hello, I could really use help from the users.
    I need to convert a pipeline command to an actual PowerShell script.

    My pipeline

    Get-ADUser UserName | ForEach { DSACLS $_.DistinguishedName } | Where {$_.Contains("Deny")}

    What I need is a script that will result in a CSV file with the information of EVERY user that passes the WHERE clause.

    Could really use help on this.


  • #82561

    adi dumitras


    You don't need a script to do what you want. Just add to the pipeline a Get-ADUser in case you get the samaccountname back from the Where. After that, use an Export-Csv.

  • #82564


    You don't need DSACL for this. PowerShell can do it.

    (get-acl (Get-ADOrganizationalUnit -filter *).distinguishedname).access | ? {$_.accessControlType -eq "Deny"} | Export-csv C:\denied.csv -notypeinformation
    • #82613

      James Thompson

      Rick —
      This pipeline did not work at all

      get-acl : Cannot find path 'OU=Microsoft Exchange Security Groups,DC=prog1s,DC=com' because it does not exist.
      At line:1 char:2
      + (get-acl (Get-ADOrganizationalUnit -filter *).distinguishedname).access | ? {$ _ ...
      +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
          + FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
  • #82616


    Sorry, as I said I didn't get a chance to test it. I changed it up a bit and tested the code below and it's working for me.

    Get-ADOrganizationalUnit -Filter * | % {(Get-ACL "AD:$($_.distinguishedname)").access} | ? {$_.accessControlType -eq "Deny"} | Export-csv C:\denied.csv -notypeinformation
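
The thread's working pipeline audits OUs, while the original question asked about users. The script below is an added example, not code from any poster in this thread: it applies the same `AD:` drive approach to every user object and writes one CSV row per Deny ACE. The output path and the column names are assumptions.

```powershell
# Added example: list every Deny ACE found on AD user objects and export to CSV.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

$OutFile = 'C:\denied-users.csv'   # assumed output path, change as needed

$report = foreach ($user in Get-ADUser -Filter *) {
    try {
        # Get-Acl needs the AD: provider prefix. A bare distinguished name is
        # treated as a file system path, which is what produced the
        # "Cannot find path" error earlier in the thread.
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)" -ErrorAction Stop
    }
    catch {
        # Unreadable objects are reported and skipped so one failure
        # does not abort the whole audit.
        Write-Warning "Could not read ACL for $($user.DistinguishedName): $_"
        continue
    }

    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            # One row per Deny ACE, tied back to the user it sits on.
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
                Trustee           = $_.IdentityReference
                Rights            = $_.ActiveDirectoryRights
                ObjectType        = $_.ObjectType
                IsInherited       = $_.IsInherited
            }
        }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
```

The CSV includes inherited entries as well as ones set directly on the user; filter on the `IsInherited` column to separate them.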
