My organization has a special AD group - "PasswordAdmins" - that's allowed to perform password resets for users. They have the "Change Password" and "Reset Password" permissions set to allow. The problem is, quite a few user objects have been moved and/or changed so that "PasswordAdmins" no longer has that permission.
I've been asked to track down those objects.
So I've output a full list of all user objects in the domain with
$userDNs = get-aduser -filter * -SearchBase "OU=OrgUsers,DC=Domain,DC=Com" | select distinguishedname
and then used a foreach loop to apply the appropriate formatting so I can use get-acl on each username:
foreach ($userDN in $userDNs) {
    $user_AD = "AD:\" + $userDN.distinguishedname
    $user_ACL = get-acl $user_ad
    ...
}
So now I want to find each object that doesn't have "PasswordAdmins" on the ACL, so I've done something like this:
$PasswordAdmins = $user_acl.access | ? {$_.identityreference -eq "Domain\PasswordAdmins"}
Figuring that if $PasswordAdmins is $null, that's one for my list.
Trouble is, I do an "if $PasswordAdmins -eq $null" and it comes back empty.
What am I doing wrong? How could I be doing this better?
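The audit the question describes, written out as an added example (this is not the poster's code). It keeps the ACL check inside the per-user loop, compares the ACE's IdentityReference against the rendered "DOMAIN\Group" string, and looks specifically for an Allow ACE that carries the Reset Password or Change Password control-access right rather than just any ACE naming the group. Assumptions: the ActiveDirectory module is available (it creates the AD: drive that Get-Acl needs), "DOMAIN" is a placeholder for the real NetBIOS domain name, and the two GUIDs are the schema's well-known User-Force-Change-Password and User-Change-Password control-access rights, not values taken from the question.

```powershell
# Added example, not the original poster's code.
# Lists every user under the OU whose security descriptor does NOT grant the
# PasswordAdmins group both the "Reset Password" and "Change Password" rights.
# Assumes the ActiveDirectory module; "DOMAIN" is a placeholder for the NetBIOS domain name.

Import-Module ActiveDirectory

$searchBase = "OU=OrgUsers,DC=Domain,DC=Com"
$group      = "DOMAIN\PasswordAdmins"   # placeholder; must match IdentityReference exactly as AD renders it

# Well-known control-access-right GUIDs from the AD schema (not site-specific values)
$resetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$missing = foreach ($user in Get-ADUser -Filter * -SearchBase $searchBase) {
    # The ACL check must run per user, inside the loop, or only the last user is examined
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    $hasReset  = $false
    $hasChange = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $group) { continue }

        # GenericAll (Full Control) implies every extended right
        if ($ace.ActiveDirectoryRights -band $genericAll) {
            $hasReset = $true; $hasChange = $true; continue
        }
        # Otherwise only an ExtendedRight ACE can grant a control-access right;
        # an empty ObjectType GUID means "all extended rights"
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
        if ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $resetPasswordGuid)  { $hasReset  = $true }
        if ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $changePasswordGuid) { $hasChange = $true }
    }

    if (-not ($hasReset -and $hasChange)) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            HasResetPassword  = $hasReset
            HasChangePassword = $hasChange
        }
    }
}

$missing | Export-Csv -Path .\PasswordAdmins-missing.csv -NoTypeInformation
$missing | Format-Table -AutoSize
```

Two caveats for reading the output: inherited ACEs count as satisfying the check, which is what you want when the group's rights come from the OU, and the script only looks for the Allow ACE, so a matching Deny ACE elsewhere in the descriptor could still block the group in practice; if you need effective access rather than "is the grant present", extend the loop to flag Deny ACEs for the same group and rights.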