
I'm currently using the Quest ActiveRoles Management snap-in to determine whether the user running the script has access to perform various operations within our Active Directory domain. We delegate access using groups, so I'm not checking to see if the user has been explicitly granted access; I'm only checking the user's group membership to determine if the user has access. It works perfectly, but I'm wondering if there is a simpler (and more efficient) way of doing this (without buying something). I've provided a description below of each operation and the code I'm using. I appreciate any constructive advice you can provide. Thanks!

# Assumed definition (not in the original post): the sAMAccountName of the account running the script
$userRunningThisScript = [Environment]::UserName

# Check for "write member" access to AD group ($shareReadGroup)
$shareReadGroup = "<AD group name>"
$shareReadGroup_SecurityMask = Get-QADObject $shareReadGroup -SecurityMask Dacl
$shareReadGroup_WriteMember_Groups = ($shareReadGroup_SecurityMask | Get-QADPermission -Rights WriteProperty -UseExtendedMatch -Inherited -SchemaDefault -Property ("member")).Account | Where-Object {$_.Type -eq "group"}
$shareReadGroup_WriteMember_GroupMembers = $shareReadGroup_WriteMember_Groups | Get-QADGroupMember -Indirect
$shareReadGroup_WriteMember_AccessGranted = $shareReadGroup_WriteMember_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}

# Check for "create group" access for AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_CreateGroup_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights CreateChild -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault).Account | Where-Object {$_.Type -eq "group"}
$readGroupOU_CreateGroup_GroupMembers = $readGroupOU_CreateGroup_Groups | Get-QADGroupMember -Indirect
$readGroupOU_CreateGroup_AccessGranted = $readGroupOU_CreateGroup_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}

# Check for "write description, write member" access for group objects within AD OU ($readGroupOU)
$readGroupOU = "<DN of AD OU>"
$readGroupOU_SecurityMask = Get-QADObject $readGroupOU -SecurityMask Dacl
$readGroupOU_ManageGroups_Groups = ($readGroupOU_SecurityMask | Get-QADPermission -Rights WriteProperty -ChildType Group -UseExtendedMatch -Inherited -SchemaDefault -Property ("description","member")).Account | Where-Object {$_.Type -eq "group"}
$readGroupOU_ManageGroups_GroupMembers = $readGroupOU_ManageGroups_Groups | Get-QADGroupMember -Indirect
$readGroupOU_ManageGroups_AccessGranted = $readGroupOU_ManageGroups_GroupMembers | Where-Object {$_.sAMAccountName -eq $userRunningThisScript}
Greg
  • Well, you could use the free AD Cmdlets provided by Microsoft. – EBGreen Oct 12 '15 at 20:00
  • I use those quite extensively, but I haven't found any sort of equivalent to Get-QADPermission. If there is some way to do that with the ActiveDirectory module, please let me know. Thanks. – Greg Oct 12 '15 at 20:09
  • Get-acl works with the DistinguishedName for an OU. – EBGreen Oct 12 '15 at 20:25
  • I looked at Get-Acl, but having to process the ObjectTypes is considerably more complex than using the human-readable Get-QADPermission command. Additionally, I'd have to check not only for that specific right but for more generic rights that would also give that level of access. – Greg Oct 12 '15 at 20:33

1 Answer

I ended up writing a function to simplify the permissions checks and make it easier for everyone to understand. Here is the code if anyone is interested.

function Confirm-UserActiveDirectoryAccess {
    <#
        .SYNOPSIS
            Confirm that a user has the specified access to an AD object
        .DESCRIPTION
            This function simplifies the complex operation of determining whether a given user
            has a given level of access to an Active Directory object.  It assumes that all access
            rights should be considered, including inherited and schema default rights.
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject TestGroup -Rights WriteProperty -Property member
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -User TestUser -ADobject OU=TestOU,DC=domain,DC=local -Rights CreateChild -ChildType Group
        .EXAMPLE
            Confirm-UserActiveDirectoryAccess -ADobject OU=TestOU,DC=domain,DC=local -Rights WriteProperty -ChildType Group -Property description
        .PARAMETER User
            The username of the user whose access you wish to check.
            Defaults to the username of the account running the PowerShell session if not specified.
        .PARAMETER ADobject
            The DN, SID, GUID, UPN, or Domain\Name of the directory object you wish to check against.
        .PARAMETER Rights
            The rights you wish to check for (ReadProperty, WriteProperty, CreateChild, etc.).
            Refer to the -Rights property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER ChildType
            Specify the child type if needing to determine permissions to children of an AD object (Group, User, Computer, etc.).
            Refer to the -ChildType property of the Get-QADPermission cmdlet for valid values.
        .PARAMETER Property
            The attribute of the AD object you wish to verify access to.
            These are the standard LDAP attribute names for a given object (sAMAccountName, member, ipPhone, etc.).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$False)]
        [string]$User = [Environment]::UserName,

        [Parameter(Mandatory=$True,
            HelpMessage='Specify the DN, SID, GUID, UPN or Domain\Name of the directory object you want to find.')]
        [string]$ADobject,

        [Parameter(Mandatory=$True,
            HelpMessage='Exit this command and enter "Get-Help Get-QADPermission -Full", then refer to the -Rights parameter for valid values.')]
        [string]$Rights,

        [Parameter(Mandatory=$False)]
        [string]$ChildType,

        [Parameter(Mandatory=$False)]
        [string]$Property
    )

    $GetQADPermissionParams = @{
        Rights = $Rights;
        UseExtendedMatch = $True;
        Inherited = $True;
        SchemaDefault = $True;
    }

    If ($ChildType) {
        $GetQADPermissionParams += @{
            ChildType = $ChildType;
        }
    }

    If ($Property) {
        $GetQADPermissionParams += @{
            Property = $Property;
        }
    }

    # Every trustee on the object's DACL that holds the requested right (explicit, inherited or schema default)
    $accountsWithAccess = (Get-QADObject -Identity $ADobject -SecurityMask Dacl | Get-QADPermission @GetQADPermissionParams).Account
    # Granted directly to the user...
    $userAccessGranted = $accountsWithAccess | Where-Object {$_.sAMAccountName -eq $User}
    # ...or through (nested) membership of a group that holds the right
    $groupAccessGranted = $accountsWithAccess | Where-Object {$_.Type -eq "group"} | Get-QADGroupMember -Indirect | Where-Object {$_.sAMAccountName -eq $User}

    If ($userAccessGranted -or $groupAccessGranted) { Return $True }
    Return $False
}

$shareReadGroup_WriteMember = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $shareReadGroup -Rights WriteProperty -Property member
$readGroupOU_CreateGroup = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights CreateChild -ChildType Group
$readGroupOU_WriteGroupDescription = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property description
$readGroupOU_WriteGroupMember = Confirm-UserActiveDirectoryAccess -User $userRunningThisScript -ADobject $readGroupOU -Rights WriteProperty -ChildType Group -Property member
Greg
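Added example, not part of the question or the answer: the same three checks built on the free ActiveDirectory module and Get-Acl that the comment thread suggests, doing the ObjectType/InheritedObjectType and generic-rights matching the thread calls complex. It assumes RSAT's ActiveDirectory module (and its AD: drive) is available, that $shareReadGroup and $readGroupOU are the variables defined in the question, and that tokenGroups comes back as SecurityIdentifier objects; property-set GUIDs are not resolved, so a right granted only through a property set is missed.

```powershell
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
# Map lDAPDisplayName -> schemaIDGUID so ACE ObjectType/InheritedObjectType GUIDs can be matched by name.
$guidByName = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidByName[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

function Test-ADEffectiveAccess {
    param(
        [string]$User = [Environment]::UserName,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [string]$ChildType,   # child class lDAPDisplayName (e.g. group), like the QAD -ChildType
        [string]$Property     # attribute lDAPDisplayName (e.g. member), like the QAD -Property
    )
    # The user's own SID plus every nested group SID the DC computes for it (tokenGroups);
    # assumes the module returns tokenGroups as SecurityIdentifier objects.
    $adUser = Get-ADUser -Identity $User -Properties tokenGroups
    $sids = @($adUser.SID.Value) + @($adUser.tokenGroups | ForEach-Object { $_.Value })
    # CreateChild/DeleteChild carry the child class in ObjectType; other rights carry the attribute
    # in ObjectType and, for rights on children of an OU, the child class in InheritedObjectType.
    $childOp = $Rights -in 'CreateChild', 'DeleteChild'
    $wantObj = if ($childOp -and $ChildType) { $guidByName[$ChildType] } elseif ($Property) { $guidByName[$Property] } else { [guid]::Empty }
    $wantInh = if ($ChildType -and -not $childOp) { $guidByName[$ChildType] } else { [guid]::Empty }

    $allowed = $false
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        # Generic rights are composite flags, so -band also matches GenericAll/GenericWrite/GenericRead ACEs.
        if ([int]($ace.ActiveDirectoryRights -band $Rights) -eq 0) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $wantObj) { continue }
        if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $wantInh) { continue }
        # Inherit-only ACEs do not apply to the object itself; non-inheritable ones do not apply to children.
        $applies = $ace.InheritanceType -ne 'None'
        if ($wantInh -eq [guid]::Empty) { $applies = $ace.InheritanceType -in 'None', 'All', 'SelfAndChildren' }
        if (-not $applies) { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned trustee that no longer resolves
        if ($aceSid -notin $sids) { continue }
        # Simplification: any matching Deny blocks (conservative); the QAD version never looks at Deny ACEs.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# The three checks from the question, against the same variables it uses.
Test-ADEffectiveAccess -DistinguishedName (Get-ADGroup $shareReadGroup).DistinguishedName -Rights WriteProperty -Property member
Test-ADEffectiveAccess -DistinguishedName $readGroupOU -Rights CreateChild -ChildType group
Test-ADEffectiveAccess -DistinguishedName $readGroupOU -Rights WriteProperty -ChildType group -Property description
```

Because tokenGroups is evaluated by the domain controller, nested and domain-local group membership is covered without walking groups recursively as Get-QADGroupMember -Indirect does.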