I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.
So far I've been able to select the groups that I want by using
Get-ADUser -Identity groupname
And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.
CodePudding user response:
I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).
You can use Get-Acl
(ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use the AD:
drive, along with the distinguished name of the AD object. For example:
(Get-Acl "AD:CN=SomeGroup,OU=Groups,DC=example,DC=com").Access
If you don't know the distinguished name, you can get that from your call to Get-ADGroup
(I assume you meant to use Get-ADGroup
, not Get-ADUser
like you put in your question).
$group = Get-ADGroup groupname
(Get-Acl "AD:$($group.distinguishedName)").Access
More reading here: Understanding Get-ACL and AD Drive Output