19

I've recently discovered the "adminSDHolder" feature of Active Directory. I need a quick way to identify all users who will be affected by it, namely a script to dump the user accounts.

Chris S

4 Answers

19

You can use this PowerShell script to return the users that have an adminCount greater than 0, which means that they are affected by the adminSDHolder feature. You'll need the AD Module for PowerShell installed, which comes with RSAT.

import-module activedirectory

get-aduser -Filter {admincount -gt 0} -Properties adminCount -ResultSetSize $null
MDMarra
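Added example (not part of MDMarra's answer): the query above tells you which users carry adminCount, but when auditing AdminSDHolder you usually also want to know whether SDProp has actually blocked ACL inheritance on each object yet. This version reads nTSecurityDescriptor in the same server-side query and writes an inventory to CSV. It assumes the RSAT ActiveDirectory module and read access to the domain; the output file name is arbitrary.

```powershell
# Added example: inventory of AdminSDHolder-affected users, including whether
# inheritance is already blocked on the object's ACL (what SDProp enforces).
Import-Module ActiveDirectory

$report = Get-ADUser -LDAPFilter "(adminCount>=1)" `
    -Properties adminCount, nTSecurityDescriptor, whenChanged |
  ForEach-Object {
    [PSCustomObject]@{
        SamAccountName     = $_.SamAccountName
        DistinguishedName  = $_.DistinguishedName
        Enabled            = $_.Enabled
        AdminCount         = $_.adminCount
        # $true when "Allow inheritable permissions" is unchecked on the object
        InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        LastChanged        = $_.whenChanged
    }
  }

$report | Sort-Object SamAccountName | Format-Table -AutoSize
# Constructed output path; change it to suit your environment
$report | Export-Csv -Path .\adminsdholder-users.csv -NoTypeInformation
```

An account with AdminCount = 1 but InheritanceBlocked = False has been flagged but not yet processed by SDProp (which runs hourly by default); the reverse combination is worth a closer look, since something other than SDProp blocked inheritance on it.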
4
([adsisearcher]"(AdminCount=1)").findall()
Mark Henderson
FSailer
2

This is a variant on the excellent answer by MDMarra.

Import-Module ActiveDirectory
# LDAP filters only support >= and <=, so >=1 is the equivalent of the -gt 0 above
Get-ADUser -LDAPFilter "(adminCount>=1)" -Properties adminCount

This uses -LDAPFilter instead of -Filter. Some people prefer to use the LDAP filter syntax because it is portable across many different types of applications.

Note that Filter and LDAPFilter have similar performance characteristics since the filter is executed on the server side. When querying large directories, always try to do filtering directly like this, rather than using Where-Object which would cause all objects to be downloaded before filtering. This is described in detail on the TechNet article Filter vs. Where-Object.

Nic
  • I am a frequent user of `-LDAPFilter` so thank you for mentioning it and clarifying its benefits. – jscott Oct 11 '13 at 01:59
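Added example (not part of Nic's answer): a practical follow-up to the adminCount query. SDProp sets adminCount but never clears it, so accounts that were once in a protected group keep adminCount=1 and a non-inherited ACL after removal. The script below uses the server-side LDAP filter from the answer for the bulk fetch and only applies Where-Object to the small result set, which is the pattern the answer recommends. It assumes the ActiveDirectory module and the default set of AdminSDHolder-protected groups (dsHeuristics can exclude some of the operator groups in a given forest, and Enterprise Admins and Schema Admins exist only in the forest root domain).

```powershell
# Added example: report users that still carry adminCount=1 but are no longer
# members of any AdminSDHolder-protected group ("orphaned" adminCount).
Import-Module ActiveDirectory

# Default protected groups (assumption: dsHeuristics has not removed any)
$protectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# Collect the DNs of every recursive member of the protected groups
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    # LDAP filter returns nothing (instead of throwing) when the group is absent
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$g)"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Server-side filter does the heavy lifting; Where-Object only sees the flagged accounts
$flagged = Get-ADUser -LDAPFilter "(adminCount>=1)" -Properties adminCount

$orphans = $flagged | Where-Object {
    -not $protectedMembers.ContainsKey($_.DistinguishedName) -and
    # Administrator and krbtgt are protected directly, not through group membership
    $_.SamAccountName -notin @('Administrator', 'krbtgt')
}

$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Treat the result as a review list rather than something to remediate automatically: an entry is either an account that should have adminCount cleared and inheritance restored, or a sign that a privileged membership exists outside the groups you expected, and only the second case matters for security.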
-2
## Script name = Set-InheritablePermissionOnAllUsers.ps1
##
## Sets the "Allow inheritable permissions from parent to propagate to this
## object" check box on every user that currently carries adminCount=1.
## SDProp will re-protect these objects on its next run unless adminCount
## is cleared first.
#
# Alternative input: a text file containing the DNs of the users to process
#$users = Get-Content C:\C:\Navdeep_DoNotDelete\variables\users.txt

Import-Module ActiveDirectory

# Informational only: groups that are also flagged by AdminSDHolder
Get-ADGroup -LDAPFilter "(admincount=1)" | Select-Object Name

# All user objects currently flagged by AdminSDHolder
$users = Get-ADUser -LDAPFilter "(admincount=1)"

## Quest AD cmdlet equivalent for listing users whose inheritance is blocked:
##Get-QADUser -SizeLimit 0 | Select-Object Name,@{n='IncludeInheritablePermissions';e={!$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}} | Where {!$_.IncludeInheritablePermissions}

ForEach ($user in $users)
{
    # Bind to the user object through ADSI using its distinguished name
    $ou  = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity
    if ($sec.AreAccessRulesProtected)
    {
        $isProtected         = $false   # $false = allow inheritance from the parent
        $preserveInheritance = $true    # keep inherited rules (ignored when $isProtected is $false)
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()
        Write-Host "$($user.DistinguishedName) is now inheriting permissions"
    }
    else
    {
        Write-Host "$($user.DistinguishedName) already has inheritable permissions set"
    }
}
Michael Hampton
Ryan Erb
    This *changes permissions* which is not what the OP was looking for. Also, changing permissions on these objects won't do a whole lot. Next time the AdminSDHolder process runs, it will reset their permissions. – MDMarra Jun 06 '13 at 11:49
    Here be dragons. – Tom O'Connor Jun 06 '13 at 12:25
  • Old, but worth noting that this is useful IF the op's next step was to undo the adminCount flag on specific accounts AND THEN re-enable ACL inheritance for the account. – SamErde Feb 09 '23 at 19:09