08-31-2008   #4
Shay Levy [MVP]


 
 

Re: loop through all ad objects

Hello William,


Try this; it gets all AD objects where the 'domain\Administrators' group has
full control.

$account = 'domain\Administrators'
Get-QADObject -sizeLimit 0 -SecurityMask DACL |
    Get-QADPermission -inherited -schemaDefault -account $account -rights GenericAll



---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic

W> Hi,
W>
W> I need to loop through all AD objects to find if a user has rights to
W> anything. The object could be user, OU, computer, or anything in AD.
W>
W> I am quite familiar with get-adpermission cmdlet and use it all the
W> time. However, it only accepts 1 DN. Is there a way using PowerShell
W> to start at root of AD (or start at a specific DN) and loop through
W> all children and list rights a user has for everything below?
W>
W> Thank you.
W>
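
Added example, not part of the original post and not Quest's code: the same permission audit done with the built-in System.DirectoryServices classes instead of the Quest cmdlets, with an optional starting DN as asked in the quoted question. The function name Get-AccountAce, its parameter names and the sample DN in the last comment are made up for this example; it assumes Windows PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example. Get-AccountAce and its parameter names are hypothetical.
function Get-AccountAce {
    param(
        [Parameter(Mandatory = $true)] [string] $Account,   # e.g. 'domain\Administrators'
        [string] $SearchRoot,                                # DN to start at; empty = domain root
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'GenericAll',
        [switch] $IncludeInherited
    )

    # ACEs store SIDs, so resolve the name once and compare on the SID string.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = $nt.Translate($sidType).Value

    $root = if ($SearchRoot) { [ADSI]"LDAP://$SearchRoot" } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    $searcher.SearchScope   = 'Subtree'
    $searcher.PageSize      = 1000      # paged search; without it results stop at the server-side limit
    $searcher.SecurityMasks = 'Dacl'    # request only the DACL part of the descriptor
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('ntSecurityDescriptor')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $raw = $r.Properties['ntsecuritydescriptor']
            if ($null -eq $raw -or $raw.Count -eq 0) { continue }   # DACL not readable by the caller

            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm([byte[]]$raw[0])

            # Only ACEs that name the account itself; rights held through
            # group membership are not expanded here.
            foreach ($ace in $sd.GetAccessRules($true, $IncludeInherited.IsPresent, $sidType)) {
                if ($ace.IdentityReference.Value -eq $sid -and
                    $ace.AccessControlType -eq 'Allow' -and
                    ($ace.ActiveDirectoryRights -band $Rights) -eq $Rights) {
                    [pscustomobject]@{
                        DN        = [string]$r.Properties['distinguishedname'][0]
                        Rights    = $ace.ActiveDirectoryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
    finally { $results.Dispose() }
}

# Get-AccountAce -Account 'domain\Administrators' -SearchRoot 'OU=Example,DC=domain,DC=local' -IncludeInherited
```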

