
Tuesday, May 19, 2015

How to Export Active Directory Permissions


I want to export the Active Directory permissions using the Get-ADPermission cmdlet as follows:

# Get-ADObject comes from the ActiveDirectory module; Get-ADPermission is an
# Exchange cmdlet, so run this from the Exchange Management Shell.
$orgunit = "Ou=Groups,dc=example,dc=edu"
$filename="Groups-Permissions.csv"

# Multi-valued properties are joined with "," so each one fits in a single CSV cell.
Get-AdObject -Filter 'Name -like "*"' -SearchBase $orgunit -SearchScope "Subtree" -Properties CanonicalName |
    Select @{Name="Identity";Expression={($_.CanonicalName)}} |
    Get-ADPermission |
    Select @{ Name='AccessRights';Expression={[string]::join(",", ($_.AccessRights))}},
        @{ Name='ExtendedRights';Expression={[string]::join(",", ($_.ExtendedRights))}},
        @{ Name='ChildObjectTypes';Expression={[string]::join(",", ($_.ChildObjectTypes))}},
        InheritedObjectType,
        @{ Name='Properties';Expression={[string]::join(",", ($_.Properties))}},
        Deny,InheritanceType,User,Identity,IsInherited,IsValid |
    Export-csv $filename

The command above uses the following cmdlets to extract the AD permissions from the ou=Groups container:

1. Get-ADObject
2. Select
3. Get-ADPermission
4. Select
5. Export-CSV

1. Get-ADObject

 This cmdlet retrieves all the objects under the ou=Groups container.

 Get-AdObject -Filter 'Name -like "*"' -SearchBase $orgunit -SearchScope "Subtree" -Properties CanonicalName

 I have selected the property called CanonicalName, which contains the identity of the AD object. For example:

DistinguishedName: ou=Groups,dc=example,dc=edu
CanonicalName : example.edu/Groups

2. Select

  Select @{Name="Identity";Expression={($_.CanonicalName)}}

 This maps CanonicalName to the Identity attribute, because the Get-ADPermission cmdlet expects an Identity value to retrieve the AD permissions from the object.

3. Get-ADPermission

This retrieves all the permissions in the container, based on the Identity attribute from step 2.

Get-ADPermission


4. Select


This selects the attributes from the objects returned by the Get-ADPermission cmdlet.

Select @{ Name='AccessRights';Expression={[string]::join(",", ($_.AccessRights))}},
    @{ Name='ExtendedRights';Expression={[string]::join(",", ($_.ExtendedRights))}},
    @{ Name='ChildObjectTypes';Expression={[string]::join(",", ($_.ChildObjectTypes))}},
    InheritedObjectType,
    @{ Name='Properties';Expression={[string]::join(",", ($_.Properties))}},
    Deny,InheritanceType,User,Identity,IsInherited,IsValid

5. Export-CSV 

Exporting the selected attributes to a csv file:

 Export-csv $filename
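
Once the CSV exists, it can be reviewed for explicit write-level delegations on the OU. The following is an added example, not part of the original post: Find-DelegatedWriteAce is a hypothetical helper name, the list of expected principals is an assumption to adjust per domain, and the sample rows are constructed.

```powershell
# Added example: triage the CSV produced by the export above.
# Column names (AccessRights, Deny, User, Identity, IsInherited) are the exported ones.
function Find-DelegatedWriteAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        # Principals expected to hold write access (assumption: adjust per domain)
        [string[]] $ExpectedPrincipal = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')
    )
    begin {
        # ActiveDirectoryRights values that allow changing the object or its ACL
        $writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'
    }
    process {
        # Export-Csv stores booleans as the strings "True"/"False".
        # Deny entries grant nothing; inherited entries are reviewed where they are defined.
        if ($Row.Deny -eq 'True' -or $Row.IsInherited -eq 'True') { return }
        if ($ExpectedPrincipal -contains $Row.User) { return }

        # AccessRights was joined with "," during export; split it back and trim
        $rights = @($Row.AccessRights -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $hits = @($rights | Where-Object { $writeRights -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Identity = $Row.Identity
                User     = $Row.User
                Rights   = $hits -join ','
            }
        }
    }
}

# Constructed sample rows in the same shape as Groups-Permissions.csv
$sample = @'
"AccessRights","Deny","User","Identity","IsInherited"
"GenericAll","False","EXAMPLE\Domain Admins","example.edu/Groups","False"
"ReadProperty, WriteProperty","False","EXAMPLE\helpdesk","example.edu/Groups/Staff","False"
"WriteDacl","False","EXAMPLE\svc-sync","example.edu/Groups/Staff","True"
"GenericAll","True","EXAMPLE\contractor","example.edu/Groups/Staff","False"
"ReadProperty","False","NT AUTHORITY\Authenticated Users","example.edu/Groups","False"
'@ | ConvertFrom-Csv

$sample | Find-DelegatedWriteAce | Format-Table -AutoSize
# For the real export: Import-Csv $filename | Find-DelegatedWriteAce
```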