How to view security permissions for any object in Active Directory (AD)
Read on to know how to view AD user, group, or any other objects' permissions using PowerShell and how you can get it done easily with ADManager Plus.
Windows PowerShell
- Identify the domain in which the object whose permissions you want to view is located.
- Create the script that reads the permissions of the AD object and run it in PowerShell.
- Sample script for viewing the permissions an AD user account holds over AD objects (it collects the ACL of every object in the domain, filters the entries by a given username, and exports them to CSV):
```powershell
# Requires the ActiveDirectory module (RSAT); importing it also creates the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

$securityreport = @()
$schemaGUID = @{}

# Build a lookup table that maps schema attribute/class GUIDs and extended-right GUIDs to names.
# Errors are suppressed because duplicate GUIDs would otherwise make Hashtable.Add throw.
$ErrorActionPreference = 'SilentlyContinue'
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaGUID=*)' -Properties name, schemaGUID |
    ForEach-Object { $schemaGUID.Add([System.GUID]$_.schemaGUID, $_.name) }
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $schemaGUID.Add([System.GUID]$_.rightsGUID, $_.name) }
$ErrorActionPreference = 'Continue'

# Get a list of AD objects: the domain root, every OU, and every object in the domain subtree.
$AOs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$AOs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$AOs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
    Select-Object -ExpandProperty DistinguishedName

# Read the ACL of each object and resolve the object-type GUIDs of every ACE to readable names.
ForEach ($AO in $AOs) {
    $securityreport += Get-Acl -Path "AD:\$AO" | Select-Object -ExpandProperty Access |
        Select-Object @{name='organizationalunit';expression={$AO}}, `
            @{name='objectTypeName';expression={ if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') { 'All' } Else { $schemaGUID.Item($_.objectType) } }}, `
            @{name='inheritedObjectTypeName';expression={ $schemaGUID.Item($_.inheritedObjectType) }}, `
            *
}

# Filter by a single user and export to a CSV file.
$User = 'Username'
$securityreport | Where-Object { $_.IdentityReference -like "*$User*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, OrganizationalUnit, IsInherited -Unique |
    Export-Csv -Path "D:\report\permissions.csv" -NoTypeInformation
```
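The script above reports every ACE for one user across the whole domain. The reverse question, which trustees hold high-impact rights over one sensitive object, is what an admin usually reviews first; the following is an added example for that check, not code from the original page or from ADManager Plus. It assumes the ActiveDirectory module is available and that `$TargetDN` is a placeholder you replace with a real distinguished name.

```powershell
# Added example: list non-default trustees that hold rights allowing them to
# take over or rewrite the security of one AD object. Assumes the
# ActiveDirectory module (RSAT) is installed; the DN below is a placeholder.
Import-Module ActiveDirectory

function Get-RiskyAces {
    param(
        [Parameter(Mandatory)] [string] $TargetDN,
        # Trustees expected to hold broad rights; they are not reported
        [string[]] $IgnoreTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF')
    )
    # Rights that grant full control, allow rewriting the ACL, or allow changing the owner
    $highImpact = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner')

    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are skipped
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $trustee = $ace.IdentityReference.Value
        if ($IgnoreTrustees -contains $trustee) { continue }

        # ActiveDirectoryRights is a flags enum; ToString() yields "WriteDacl, WriteOwner" etc.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hits = $rights | Where-Object { $highImpact -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                Object      = $TargetDN
                Trustee     = $trustee
                RiskyRights = ($hits -join ',')
                # All-zero GUID means the ACE covers the whole object, not one attribute
                ObjectType  = $ace.ObjectType
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: replace the placeholder DN with the object you want to review
Get-RiskyAces -TargetDN 'CN=Domain Admins,CN=Users,DC=example,DC=com' | Format-Table -AutoSize
```

An entry for an unexpected trustee on a privileged group or OU is the kind of finding the permission reports discussed on this page are meant to surface; compare the output against the object's owner (`$acl.Owner`) as well, since the owner can always rewrite the DACL.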
ADManager Plus
- Navigate to Reports > Security Reports > AD objects accessible by Accounts.
- Select the Domain and the User Account(s) you wish to view the permissions for. You can even import this list from a CSV file. Click Apply.
This report gives insights on the access permissions of an AD account.
Although viewing permissions for AD objects with native tools like PowerShell looks simple, it comes with a few limitations:
- The PowerShell script can be run only from computers that have the Active Directory Domain Services role installed.
- If permissions for other AD objects are required, a new and complex script has to be written.
- The syntax, parameters, and loops all need to be correct. A typo or a syntax error can be difficult to spot and fix, especially when the script is long.
Reduce security risks by constantly monitoring AD permissions
It is important for IT admins to be able to fetch reports that will help them view and analyze the permissions over AD objects. Doing so helps them remove users from groups that grant them permissions which are not necessary for their day-to-day work.
ADManager Plus allows admins to fetch detailed permission reports with just a few mouse clicks from its web-based GUI console. It also has options for scheduling and automatically emailing the reports. Learn more about AD permissions reports here.
Gain complete control over NTFS permissions and file shares with purpose-built reports.