Active Directory: Identify Delegated Permissions for AD Organizational Units

Scenario: You want to pull a report of all delegated permissions to AD Organizational Units.


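# Requires the ActiveDirectory module (RSAT), which also provides the AD: drive
Import-Module ActiveDirectory

$sourceOU = "OU=NEW,DC=Domain,DC=Com"
# All OUs under the search base, shortest distinguished name first
$OUs = Get-ADOrganizationalUnit -SearchBase $sourceOU -Filter * | Select-Object -ExpandProperty DistinguishedName | Sort-Object { $_.Length }
$output = "C:\temp\ace.csv"
$OUs | ForEach-Object {
    $ou = "AD:\" + $_
    "Checking $ou"
    $acl = Get-Acl $ou
    # Keep only explicit (non-inherited) ACEs, i.e. permissions set directly on this OU
    $ace = $acl.Access | Where-Object IsInherited -eq $false
    $ace | Select-Object @{Name="OU";Expression={"$ou"}},ActiveDirectoryRights,InheritanceType,ObjectType,InheritedObjectType,ObjectFlags,AccessControlType,IdentityReference,IsInherited,InheritanceFlags,PropagationFlags | Export-Csv $output -Append -NoTypeInformation
}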
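Once the report exists, the rows worth reviewing first are Allow entries that hand control of an OU to a non-default principal. The following is an added example, not part of the original post: the function name `Get-BroadOuDelegation`, the list of rights treated as broad, the allow-list of expected principals and the sample rows are all assumptions made for illustration.

```powershell
# Constructed sample rows using column names from ace.csv (not real data).
$sample = @'
"OU","ActiveDirectoryRights","AccessControlType","IdentityReference"
"AD:\OU=NEW,DC=Domain,DC=Com","GenericAll","Allow","DOMAIN\Helpdesk-Tier1"
"AD:\OU=NEW,DC=Domain,DC=Com","ReadProperty","Allow","DOMAIN\Auditors"
"AD:\OU=Servers,OU=NEW,DC=Domain,DC=Com","WriteDacl, WriteOwner","Allow","DOMAIN\svc-deploy"
"AD:\OU=Servers,OU=NEW,DC=Domain,DC=Com","CreateChild, DeleteChild","Allow","DOMAIN\Server-Admins"
"AD:\OU=NEW,DC=Domain,DC=Com","GenericAll","Allow","NT AUTHORITY\SYSTEM"
"AD:\OU=NEW,DC=Domain,DC=Com","GenericWrite","Deny","DOMAIN\Contractors"
'@ | ConvertFrom-Csv

function Get-BroadOuDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        # Rights that give control over the OU's contents or its ACL (assumed list; adjust)
        [string[]] $BroadRights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'),
        # Principals expected to hold such rights (assumed allow-list; adjust per domain)
        [string[]] $ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    foreach ($row in $Ace) {
        # Deny entries restrict access, so they are not delegations to review here
        if ($row.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedPrincipals -contains $row.IdentityReference) { continue }

        # Export-Csv writes the flags enum as "Right1, Right2"; split it back into names
        $rights = $row.ActiveDirectoryRights -split ',\s*'
        $hits = @($rights | Where-Object { $BroadRights -contains $_ })

        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                IdentityReference = $row.IdentityReference
                OU                = $row.OU
                BroadRights       = $hits -join ', '
            }
        }
    }
}

# Against the real report: Get-BroadOuDelegation -Ace (Import-Csv C:\temp\ace.csv)
Get-BroadOuDelegation -Ace $sample |
    Sort-Object IdentityReference, OU |
    Format-Table -AutoSize
```

With the constructed rows, only the Helpdesk-Tier1 and svc-deploy entries are returned; the read-only, child-object, SYSTEM and Deny rows are filtered out.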
