Vista Tutorial - loop through all ad objects

hi,

i need to loop through all ad objects to find if a user has rights to
anything. the object could be user, ou, computer, or anything in AD.

i am quite familiar with get-adpermission cmdlet and use it all the time.
however, it only accepts 1 DN. is there a way using powershell to start at
root of AD (or start at a specific DN) and loop through all children and
list rights a user has for everything below?

thank you.

wholey smokes... that is quite a lot of parsing

Not sure about Get-ADPermission

But this works for me (using my Get-ADAcl.ps1 script from my blog)

Get-Qadobject -ldapFilter "Objectclass=*" -IncludedProperties 1.1 -size 0
| %{.\Get-ADACL.ps1 $_.dn}

Brandon Shell
---------------
Blog: http://www.bsonposh.com/
PSH Scripts Project: www.codeplex.com/psobject

W> hi,
W>
W> i need to loop through all ad objects to find if a user has rights to
W> anything. the object could be user, ou, computer, or anything in AD.
W>
W> i am quite familiar with get-adpermission cmdlet and use it all the
W> time. however, it only accepts 1 DN. is there a way using powershell
W> to start at root of AD (or start at a specific DN) and loop through
W> all children and list rights a user has for everything below?
W>
W> thank you.
W>

1.1 doesnt seem to work for the get-qadobject... try this instead.

Get-Qadobject -ldapFilter "Objectclass=*" -DontUseDefaultIncludedProperties
-size 0 | %{.\Get-ADACL.ps1 $_.dn}

Brandon Shell
---------------
Blog: http://www.bsonposh.com/
PSH Scripts Project: www.codeplex.com/psobject

BS> wholey smokes... that is quite a lot of parsing
BS>
BS> Not sure about Get-ADPermission
BS>
BS> But this works for me (using my Get-ADAcl.ps1 script from my blog)
BS>
BS> Get-Qadobject -ldapFilter "Objectclass=*" -IncludedProperties 1.1
BS> -size 0 | %{.\Get-ADACL.ps1 $_.dn}
BS>
BS> Brandon Shell
BS> ---------------
BS> Blog: http://www.bsonposh.com/
BS> PSH Scripts Project: www.codeplex.com/psobject
W>> hi,
W>>
W>> i need to loop through all ad objects to find if a user has rights
W>> to anything. the object could be user, ou, computer, or anything in
W>> AD.
W>>
W>> i am quite familiar with get-adpermission cmdlet and use it all the
W>> time. however, it only accepts 1 DN. is there a way using
W>> powershell to start at root of AD (or start at a specific DN) and
W>> loop through all children and list rights a user has for everything
W>> below?
W>>
W>> thank you.
W>>

Hello William,


Try this, it gets all AD objects where 'domain\Administrators' group has
full control.

$account = 'domain\Administrators'
Get-QADObject -sizeLimit 0 -SecurityMask DACL | Get-QADPermission -inherited
-schemaDefault -account $account -rights GenericAll



---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic

W> hi,
W>
W> i need to loop through all ad objects to find if a user has rights to
W> anything. the object could be user, ou, computer, or anything in AD.
W>
W> i am quite familiar with get-adpermission cmdlet and use it all the
W> time. however, it only accepts 1 DN. is there a way using powershell
W> to start at root of AD (or start at a specific DN) and loop through
W> all children and list rights a user has for everything below?
W>
W> thank you.
W>