Applying conditionals to output of get-ACL on a user object

My organization has a special AD group - "PasswordAdmins" - that's allowed to perform password resets for users. They have the "Change Password" and "Reset Password" permissions set to allow. The problem is, quite a few user objects have been moved and/or changed so that "PasswordAdmins" no longer has that permission.

I've been asked to track down those objects.

So I've output a full list of all user objects in the domain with 

$userDNs = get-aduser -filter * -SearchBase "OU=OrgUsers,DC=Domain,DC=Com" | select distinguishedname

and then used a foreach loop to apply the appropriate formatting so I can use get-acl on each username:

foreach ($userDN in $userDNs)
    {
    $user_AD = "AD:\" + $userDN.distinguishedname
    $user_ACL = get-acl $user_ad
    ...
    }

So now I want to find each object that doesn't have "PasswordAdmins" on the ACL, so I've done something like this:

    $PasswordAdmins = $user_acl.access | ? {$_.identityreference -eq "Domain\PasswordAdmins"}

Figuring that if $PasswordAdmins is $null, that's one for my list.

Trouble is, I do an "if $PasswordAdmins -eq $null" and it comes back empty.

What am I doing wrong? How could I be doing this better?

T

September 2nd, 2015 5:05pm

Chewing through an access list on every user looking for a user name reference is going to be a slow proposition.

You can speed that up considerably if you use the sddl string instead of the Access list:

$PWAdmins = (Get-ADGroup 'PasswordAdmins').SID.value

foreach ($userDN in $userDNs)
    {
    $user_AD = "AD:\" + $userDN.distinguishedname
    $user_ACL = (get-acl $user_ad).sddl
    # double quotes so $PWAdmins expands to the group's SID; in single quotes
    # the pattern is the literal text '*$PWAdmins*', which no sddl contains,
    # so -notlike would be true for every user
    if ($user_ACL -notlike "*$PWAdmins*")
      { $userDN }
    }

The sddl is a single string that contains all the information in the access list, but all the identity references are SIDs.  That means that if the SID for the PasswordAdmins group does not appear in the sddl string for that user, then there is not an ACE for that group in the access list.

September 2nd, 2015 5:34pm
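As an added example (not code posted in this thread), here is a version of the audit that inspects the ACEs for the group's SID and the two extended rights, so it reports which right is missing instead of relying on a substring match in the sddl. It assumes the ActiveDirectory module, the OU path and group name from the original post, and the Reset Password / Change Password extended-right GUIDs as defined in the AD schema.

```powershell
# Added example: list user objects whose ACL does not grant the PasswordAdmins
# group an Allow ACE for both the "Reset Password" and "Change Password"
# extended rights. Assumes the ActiveDirectory module and the AD: drive.
Import-Module ActiveDirectory

$groupSid   = (Get-ADGroup 'PasswordAdmins').SID      # SecurityIdentifier object
$searchBase = 'OU=OrgUsers,DC=Domain,DC=Com'          # search base from the original post

# Extended-right GUIDs from the AD schema (controlAccessRight objects).
$resetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-GrantsRight {
    param($Ace, [guid]$RightGuid)
    # An ACE grants the right when it is an Allow entry that is GenericAll,
    # or an ExtendedRight entry naming this GUID (or the empty GUID = all rights).
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if (($Ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { return $true }
    if (($Ace.ActiveDirectoryRights -band $extendedRight) -ne $extendedRight) { return $false }
    return ($Ace.ObjectType -eq $RightGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

$missing = foreach ($user in Get-ADUser -Filter * -SearchBase $searchBase) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    # Compare SIDs rather than "DOMAIN\name" strings so renamed or
    # unresolved references still match the group.
    $groupAces = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    }
    $canReset  = [bool]($groupAces | Where-Object { Test-GrantsRight $_ $resetPasswordGuid })
    $canChange = [bool]($groupAces | Where-Object { Test-GrantsRight $_ $changePasswordGuid })
    if (-not ($canReset -and $canChange)) {
        [pscustomobject]@{
            DistinguishedName  = $user.DistinguishedName
            ResetPassword      = $canReset
            ChangePassword     = $canChange
            InheritanceBlocked = $acl.AreAccessRulesProtected   # explains why an OU-level ACE did not reach this user
        }
    }
}

$missing | Export-Csv -Path .\PasswordAdmins-missing.csv -NoTypeInformation
```

The InheritanceBlocked column separates users that were moved out of a delegated OU from users whose object has inheritance disabled, which is the distinction the follow-up answer about container-level permissions turns on.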

Give permissions at the container level and apply to all user objects in the container (OU). This way you do not need to set each user.  Just be sure all user OUs are set.

September 2nd, 2015 6:17pm

That was my plan, but management wants a list of who doesn't have it right now ... I think they're looking to blame someone.
September 3rd, 2015 8:51am

So ... -notlike is not giving me clean results. There are 8733 users in the searchbase I ran that code on, and it returned 8733 names. The vast majority of them have that group on their ACL, so should not be returned, right?
September 3rd, 2015 8:57am

So after asking around, someone added the group to the OU's ACL and I've been directed to my next scripting task ... 

Thanks!

September 3rd, 2015 9:20am
