The code below will return generic OU permissions:
Import-Module ActiveDirectory
set-location AD:
$OUAcl = (Get-Acl 'OU=ParentOU,OU=ChildOU,DC=test,DC=test,DC=com').Access
$OUAcl
However, what I want to audit is the advanced security permissions. I can view this in the GUI, I just can't figure out how to script it to generate a report for every OU in my organization (or specific OUs depending on our needs).
To view in the GUI do this:
What I want is a report that can dump out every user and group that has access to the OU, and all of their advanced permissions (e.g., anything in step 6 that has the box checked, whether it's allow or deny).
I found this site, but it doesn't get to the detail I need.
Is this possible through PowerShell?
I made a module a while back that I think does what you're looking for, which can be found here (try the version 4 download first). Then you can do something like this:
Get-ADOrganizationalUnit -Filter * |
Get-PacAccessControlEntry |
Export-Csv c:\ou_permissions.csv -NoTypeInformation
If you use version 3, the command would be 'Get-AccessControlEntry'. Version 3 is a script module, so you can open the files to see exactly what's going on and what it takes to translate the ACEs (which are more complicated than your normal filesystem/registry/service/etc ACE) into a more readable format. Version 4 is compiled, but you can find the source code here.
dsacls.exe can get this information, too, but you'd probably have to do some text parsing to get it in a friendlier format...
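Added example, not part of the answer above or of the module it mentions: a report built only with the ActiveDirectory module, writing one CSV row per ACE on every OU and resolving the ACE's object-type GUIDs to schema and extended-right names, which is what the advanced permissions view in the GUI shows. It assumes a domain-joined machine with the RSAT ActiveDirectory module and read access to the schema and configuration partitions; the function name `Resolve-AdGuid` and the output path are made up for the example.

```powershell
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# GUID -> friendly name lookup. An empty GUID means the ACE is not scoped
# to a single class, attribute or extended right.
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'

# Schema classes and attributes: schemaIDGUID (byte[]) -> lDAPDisplayName
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights and property sets: rightsGUID (string) -> name
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.name }

# Hypothetical helper: fall back to the raw GUID when it is not in the map,
# so unknown or custom schema extensions still show up in the report.
function Resolve-AdGuid([guid]$Guid) {
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

$report = foreach ($ou in (Get-ADOrganizationalUnit -Filter *)) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            OU                  = $ou.DistinguishedName
            Identity            = $ace.IdentityReference.Value
            AccessType          = $ace.AccessControlType      # Allow or Deny
            Rights              = $ace.ActiveDirectoryRights  # e.g. ReadProperty, WriteProperty
            AppliesToObjectOrProperty = Resolve-AdGuid $ace.ObjectType
            InheritedObjectType = Resolve-AdGuid $ace.InheritedObjectType
            InheritanceType     = $ace.InheritanceType
            IsInherited         = $ace.IsInherited
        }
    }
}

# Output path is an assumption for this example.
$report | Export-Csv -Path .\ou_acl_report.csv -NoTypeInformation
```

To audit specific OUs only, replace `-Filter *` with `-SearchBase` pointing at the OU subtree you care about; filtering the CSV on `IsInherited = False` shows the ACEs set directly on each OU.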