Home > Enterprise >  Permissions report for AD groups
Permissions report for AD groups

Time:02-24

I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.

So far I've been able to select the groups that I want by using

Get-ADUser -Identity groupname

And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.

CodePudding user response:

I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).

You can use Get-Acl (ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use the AD: drive, along with the distinguished name of the AD object. For example:

(Get-Acl "AD:CN=SomeGroup,OU=Groups,DC=example,DC=com").Access

If you don't know the distinguished name, you can get that from your call to Get-ADGroup (I assume you meant to use Get-ADGroup, not Get-ADUser like you put in your question).

$group = Get-ADGroup groupname
(Get-Acl "AD:$($group.distinguishedName)").Access

More reading here: Understanding Get-ACL and AD Drive Output

  • Related