Active Directory permissions aren’t easy to audit. It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units. I have taken a few runs at it, including a vbscript version which was terrible. That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone. His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.
Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list. The resulting script is Get-OUPermissions.ps1. In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting. Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article. I have commented the script pretty heavily to show where I changed things from the original script. My version wraps the original script in an advanced function, and so you can run it and use Get-Help to see all of the parameters and choices. There is some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain. What I came up was is something like this:
$a = Get-ADUser -Identity $env:username -server $dnsdom -Properties * $a.nTSecurityDescriptor |
Select-Object -ExpandProperty Access |
By using the ntSecurityDescriptor you can specify the domain by using the DNS Domain Name in the Server parameter of the Get-AD* cmdlet.