获取特定域的OU权限

我发现了一个脚本，它为您提供了运行该脚本的域的OU权限。我想从一个域使用相同的脚本，但扫描我指定的其他域。

我认为问题出在$schemaIDGUID = @{}上当运行时，它总是针对脚本运行的域，该域与我要运行脚本的域不同。这是我修改的脚本，以获取特定的域。

$schemaIDGUID = @{}
$domain = "My specific domain name"

$report = @()
$schemaIDGUID = @{}
$ErrorActionPreference = 'SilentlyContinue'
Get-ADObject -Server $domain -SearchBase (Get-ADRootDSE -Server $domain).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE -Server $domain).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}
$ErrorActionPreference = 'Continue'
$OUs  = @(Get-ADDomain -Server $domain | Select-Object -ExpandProperty DistinguishedName)
$OUs += Get-ADOrganizationalUnit -Server $domain -Filter * | Select-Object -ExpandProperty DistinguishedName
$OUs += Get-ADObject -Server $domain  -SearchBase (Get-ADDomain -Server $domain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName

ForEach ($OU in $OUs) {
$report += Get-Acl -Path "AD:$OU" |
Select-Object -ExpandProperty Access | 
Select-Object @{name='organizationalUnit';expression={$OU}}, `
@{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `
@{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `
*
}

$report | Export-Csv -Path ".$domain.OU_Permissions.csv" -NoTypeInformation
#Start-Process ".$domain.OU_Permissions.csv"
break

$report |
Where-Object {-not $_.IsInherited} |
Select-Object IdentityReference, OrganizationalUnit -Unique |
Sort-Object IdentityReference
$filter = Read-Host "Enter the user or group name to search in OU permissions"
$report |
Where-Object {$_.IdentityReference -like "*$filter*"} |
Select-Object IdentityReference, OrganizationalUnit, IsInherited -Unique |
Sort-Object IdentityReference

您的问题与$schemaIDGUID变量无关。

问题是这条线：

$report += Get-Acl -Path "AD:$OU"

AD:驱动器在模块导入时映射到主域中DC上的ADWS，因此您需要显式创建另一个映射到目标域的驱动器：

$domain = "other.domain.tld"
# discover naming context + find a DC to query
$defaultNC = (Get-ADRootDSE -Server $domain).defaultNamingContext
$DC = Get-ADDomainController -Server $domain
# map new ADTemp: drive
New-PSDrive -Name ADTemp -PSProvider ActiveDirectory -Root $defaultNC -Server $DC

对于脚本的其余部分，您唯一需要更改的是前面提到的行：

$report += Get-Acl -Path "ADTemp:$OU"

相关内容

最新更新

热门标签：