How can I check what for permissions an AD-User have for an AD-Group?

0
votes

I want to check with PowerShell if a user have Active Directory permissions ex. read or write for a specific group.

I found a way with get-acl to show me some information about the group and the user, but I'm not sure if I can and how to work with that further.

2
powershellactive-directory
Does this help: stackoverflow.com/questions/55146121/…? Or this: stackoverflow.com/questions/5072996/… or this: stackoverflow.com/questions/46295416/… or....If not: Please edityour question and clarify if a user have Active Directory permissions for a specific group.Ocaso Protal
@OcasoProtal I though it was clear with "get-acl", sorry for that. I updated my question.Wurstfach404

2 Answers

0
votes

I think this may be what you're looking for

$user = get-aduser "username" -Properties memberof
$userGroups = $user.MemberOf | Get-ADGroup
$group = Get-ADGroup "group to check"
$group.DistinguishedName -in $userGroups.DistinguishedName
0
votes

If I understand you correctly, you want to check a specific user's AD rights over a specific group. Here's an example that will return all the individual rights assigned to a certain group.

Get-ADGroup "GroupToCheck" | Foreach-Object {
    foreach($dacl in Get-Acl AD:$($_.distinguishedname))
    {
        foreach($ace in $dacl.Access)
        {
            [PSCustomObject]@{
                "Group Name"          = $_.name
                "Group Owner"         = $dacl.owner
                ActiveDirectoryRights = $ace.ActiveDirectoryRights
                AccessControlType     = $ace.AccessControlType
                IdentityReference     = $ace.IdentityReference
            }
        }
    }
} -OutVariable AllRights

You could check if the user or a group the user is in has rights, group/filter the results by identity, etc.