<#
Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None
#>
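function Invoke-ACLScanner
{
<#
.SYNOPSIS
Writes every access control entry (ACE) on every object in the current forest to a CSV file, for ACL auditing.

Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION
Binds to the current forest with the caller's credentials, reads the
Extended-Rights container under the configuration naming context so that
ACE object-type GUIDs can be resolved to extended-right names, then runs a
paged subtree search over each domain (or only -Domain, when given) and
writes one CSV row per ACE. Rows carry the owner, the ACE fields and, as
the last column, the distinguished name of the object the ACE belongs to.
The output file is appended to, never truncated: rotate or delete an
existing file before a fresh scan, or the runs will be mixed. Objects
whose security descriptor cannot be read are reported with Write-Warning
and skipped instead of aborting the scan.

.PARAMETER OutFile
Path of the CSV file to write. Defaults to .\acl.csv in the current
location when empty.

.PARAMETER Domain
Optional DNS name of one domain in the forest to scan. When omitted, all
domains of the forest are scanned. An unknown name raises a terminating
error rather than silently scanning the whole forest.

.EXAMPLE
PS C:\> Invoke-ACLScanner
Writes every ACE in the forest to .\acl.csv.

.EXAMPLE
PS C:\> Invoke-ACLScanner -OutFile C:\audit\acl.csv -Domain child.example.com
Writes only the ACEs of the child.example.com domain.

.NOTES
The output is a complete dump of the forest's DACLs and owners; treat the
CSV as sensitive and store it with the same care as the directory itself.
#>
[CmdletBinding()]
Param (
[Parameter( Position = 0)]
[String]
$OutFile = '',
[Parameter( Position = 1)]
[String]
$Domain
)

    if ([string]::IsNullOrEmpty($OutFile)) {
        $OutFile = '.\acl.csv'
    }
    if (Test-Path -LiteralPath $OutFile) {
        # Export-Csv -Append keeps whatever is already there; make that visible.
        Write-Warning "Output file '$OutFile' already exists; new rows will be appended to it."
    }

    $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Extended-Rights lives directly under the configuration naming context.
    # Schema.Name is "CN=Schema,<configuration DN>", so drop its first RDN.
    $ConfigurationDN = ($Forest.Schema.Name -split ',', 2)[1]
    $ExtendedRightsPath = "LDAP://CN=Extended-Rights,$ConfigurationDN"

    # rightsGuid -> cn lookup, so an ACE's ObjectType GUID can be shown by name.
    # Hashtable keys are case-insensitive strings; GUIDs are normalised to the
    # lowercase "D" format that [Guid]::ToString() produces.
    $ExtendedRightNames = @{}
    $RightsEntry = New-Object System.DirectoryServices.DirectoryEntry($ExtendedRightsPath)
    $RightsSearcher = New-Object System.DirectoryServices.DirectorySearcher($RightsEntry)
    $RightsSearcher.SearchScope = 'OneLevel'
    $RightsSearcher.PropertiesToLoad.AddRange(@('cn', 'rightsGuid'))
    $RightsResults = $RightsSearcher.FindAll()
    try {
        foreach ($RightsResult in $RightsResults) {
            $RightsGuid = [string]$RightsResult.Properties['rightsguid'][0]
            if (-not [string]::IsNullOrEmpty($RightsGuid)) {
                $ExtendedRightNames[$RightsGuid.ToLower()] = [string]$RightsResult.Properties['cn'][0]
            }
        }
    }
    finally {
        # SearchResultCollection, DirectorySearcher and DirectoryEntry are all
        # IDisposable; release the LDAP connection state deterministically.
        $RightsResults.Dispose()
        $RightsSearcher.Dispose()
        $RightsEntry.Dispose()
    }

    # Honour -Domain: the original loop variable shadowed the parameter and the
    # caller's choice was ignored.
    $DomainList = @($Forest.Domains)
    if (-not [string]::IsNullOrEmpty($Domain)) {
        $DomainList = @($DomainList | Where-Object { $_.Name -eq $Domain })
        if ($DomainList.Count -eq 0) {
            throw "Domain '$Domain' is not a member of forest '$($Forest.Name)'."
        }
    }

    # Rows are buffered and written in batches: one Export-Csv -Append call per
    # ACE re-opens the file and re-reads its header for every row.
    $Buffer = New-Object System.Collections.Generic.List[object]
    $FlushSize = 2000

    # Nested helper; reads $Buffer and $OutFile from the enclosing scope.
    function Write-Buffer {
        if ($Buffer.Count -gt 0) {
            $Buffer | Export-Csv -Path $OutFile -Append -Force
            $Buffer.Clear()
        }
    }

    foreach ($ForestDomain in $DomainList) {
        $DomainEntry = $ForestDomain.GetDirectoryEntry()
        $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainEntry)
        $Searcher.Filter = '(objectCategory=*)'
        # Paged results: without PageSize the server stops at its MaxPageSize
        # (1000 by default) and the scan silently misses objects.
        $Searcher.PageSize = 1000
        $Searcher.SearchScope = 'Subtree'
        # The security descriptor is read through GetDirectoryEntry() below, so
        # the search itself only needs the DN; this avoids pulling every
        # attribute of every object over the wire.
        $Searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        $Results = $Searcher.FindAll()
        try {
            foreach ($Result in $Results) {
                $ObjectDN = [string]$Result.Properties['distinguishedname'][0]
                $ObjectEntry = $Result.GetDirectoryEntry()
                try {
                    try {
                        $Security = $ObjectEntry.ObjectSecurity
                        $Owner = $Security.Owner
                        $Rights = $Security.Access
                    }
                    catch {
                        # Best-effort audit: a single unreadable descriptor should
                        # not abort a forest-wide scan, but it must be visible.
                        Write-Warning "Could not read the security descriptor of '$ObjectDN': $($_.Exception.Message)"
                        continue
                    }

                    foreach ($Right in $Rights) {
                        $ExtendedRightName = $ExtendedRightNames[$Right.ObjectType.ToString().ToLower()]
                        if ($null -eq $ExtendedRightName) {
                            $ExtendedRightName = ''
                        }

                        # Column order matches the original output; ObjectDN is
                        # appended last so header-based consumers keep working.
                        $Row = [PSCustomObject][ordered]@{
                            Owner                 = $Owner
                            ActiveDirectoryRights = $Right.ActiveDirectoryRights
                            InheritanceType       = $Right.InheritanceType
                            ObjectType            = $Right.ObjectType
                            ExtendedRightName     = $ExtendedRightName
                            InheritedObjectType   = $Right.InheritedObjectType
                            ObjectFlags           = $Right.ObjectFlags
                            AccessControlType     = $Right.AccessControlType
                            IdentityReference     = $Right.IdentityReference
                            IsInherited           = $Right.IsInherited
                            InheritanceFlags      = $Right.InheritanceFlags
                            # Was "$right.None" (a non-existent property, always empty).
                            PropagationFlags      = $Right.PropagationFlags
                            ObjectDN              = $ObjectDN
                        }
                        $Buffer.Add($Row)
                        if ($Buffer.Count -ge $FlushSize) {
                            Write-Buffer
                        }
                    }
                }
                finally {
                    $ObjectEntry.Dispose()
                }
            }
        }
        finally {
            $Results.Dispose()
            $Searcher.Dispose()
            $DomainEntry.Dispose()
        }
    }

    Write-Buffer
}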
# -and $owner -notmatch "A_" -and $owner -notmatch "Domain Admins" -and $owner -notmatch "Enterprise Admins" -and $owner -notmatch "Administrators"