PowerShell Reference

A growing library of PowerShell tools and patterns I've put together as a sysadmin. Public and open-source for anyone who wants to learn, copy, or contribute.


๐Ÿ” Delegation & Permissions (PowerShell)

PowerShell commands to view, assign, and audit permissions and delegation in Active Directory. Useful for managing RBAC, compliance, and delegated OU control.


🔎 View ACL (Access Control List) of an OU

Import-Module ActiveDirectory   # provides the AD: PSDrive that Get-Acl reads from

$ou = "OU=IT,DC=example,DC=com"
# Each entry is an ActiveDirectoryAccessRule; IsInherited tells you whether it was set on this OU or flowed down from a parent
(Get-Acl "AD:\$ou").Access

👤 Delegate Permissions to a User on an OU

Example: allow helpdeskuser to reset the password of any user account in the IT OU

$identity  = "OU=IT,DC=example,DC=com"
$principal = New-Object System.Security.Principal.NTAccount("example\helpdeskuser")
$resetPasswordGuid = [GUID]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$userClassGuid     = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID of the user object class

# The last two constructor arguments make the ACE apply to descendant user objects.
# Without them the right is granted on the OU object itself only, and the helpdesk
# account still cannot reset anyone's password.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$ou = [ADSI]"LDAP://$identity"
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

🧾 View Effective Permissions

There is no PowerShell cmdlet that computes effective permissions, i.e. the rights a principal actually ends up with once group membership, inheritance and Deny entries are combined. For that, use the Effective Access tab under Advanced Security Settings in Active Directory Users and Computers. The command-line tool dsacls (dsacls "OU=IT,DC=example,DC=com") dumps the DACL but does not evaluate it either.

What you can list directly are the ACEs that name a principal. Note that this misses rights the principal gets through group membership, so an empty result does not prove the user has no access:

(Get-Acl "AD:\OU=IT,DC=example,DC=com").Access |
Where-Object { $_.IdentityReference -like "*helpdeskuser*" }
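Added example, not code from the original page: a closer approximation of effective access that matches the OU's ACEs against every SID in the principal's token (its own SID, the nested group SIDs the DC returns in the constructed tokenGroups attribute, and the implicit Everyone and Authenticated Users SIDs). It assumes the ActiveDirectory module and the example.com / helpdeskuser names used above; the function name is mine.

```powershell
Import-Module ActiveDirectory

# Approximate "effective" access for one principal on one object by matching the
# object's ACEs against every SID that would be in the principal's access token.
function Get-PrincipalAceMatch {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,     # e.g. helpdeskuser
        [Parameter(Mandatory)] [string] $DistinguishedName   # e.g. OU=IT,DC=example,DC=com
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups

    # tokenGroups is a constructed attribute: the SIDs of every group the account is
    # a member of, nested membership already expanded by the DC. Depending on the
    # module version the values arrive as SecurityIdentifier objects or raw byte[].
    $tokenSids = foreach ($g in $user.tokenGroups) {
        if ($g -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($g, 0) }
        else                 { [System.Security.Principal.SecurityIdentifier]$g }
    }
    $sids = @($user.SID.Value) +
            @($tokenSids | ForEach-Object { $_.Value }) +
            @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users: always present in the token

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Compare by SID rather than display name so renamed accounts and orphaned
        # (unresolvable) SIDs are still matched correctly.
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -contains $aceSid) {
            [pscustomobject]@{
                Principal       = $ace.IdentityReference.Value
                Type            = $ace.AccessControlType
                Rights          = $ace.ActiveDirectoryRights
                ObjectType      = $ace.ObjectType        # attribute / extended-right GUID, all zeros = everything
                InheritanceType = $ace.InheritanceType
                Inherited       = $ace.IsInherited
            }
        }
    }
}

Get-PrincipalAceMatch -SamAccountName helpdeskuser -DistinguishedName "OU=IT,DC=example,DC=com" |
    Sort-Object Type -Descending |   # Deny entries first: they take precedence over Allow
    Format-Table -AutoSize
```

This is still an approximation: it tells you which ACEs would be evaluated for the user, but it does not resolve Deny-versus-Allow precedence per attribute or decode ObjectType GUIDs, which is exactly what the Effective Access tab does for you.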

๐Ÿ—ƒ๏ธ Export OU Permissions to a File

Import-Module ActiveDirectory

$ou = "OU=IT,DC=example,DC=com"
# ObjectType and InheritanceType are what distinguish "reset password on users" from "full control of everything";
# IsInherited separates what was delegated here from what flowed down from a parent container
(Get-Acl "AD:\$ou").Access |
Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, IsInherited |
Export-Csv -Path ".\OU_Permissions.csv" -NoTypeInformation
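Added example, not code from the original page: an audit-oriented export that resolves the ObjectType and InheritedObjectType GUIDs to names (from the schema and the Extended-Rights container, which any authenticated user can read by default) and flags Allow ACEs that amount to taking over the objects under the OU. It assumes the ActiveDirectory module and the example.com OU used above; the function names, the HighRisk rule and the default exclusion list are mine and should be tuned to your environment.

```powershell
Import-Module ActiveDirectory

# Map schema GUIDs (attributes, classes) and extended-right GUIDs to names so the
# export shows "Reset Password" / "user" instead of raw GUIDs.
function Get-AdGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{ '00000000-0000-0000-0000-000000000000' = 'All' }   # all-zero GUID = every attribute / right
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $map[([guid]$_.rightsGUID).ToString()] = $_.name }
    return $map
}

function Export-OuAceReport {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Path,
        # Principals whose ACEs are expected on every object and not worth reviewing (assumed defaults)
        [string[]] $ExcludePrincipal = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF')
    )
    $names = Get-AdGuidNameMap
    $adr   = [System.DirectoryServices.ActiveDirectoryRights]

    $rows = (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $ExcludePrincipal -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            $rights     = $_.ActiveDirectoryRights
            $allObjects = ($_.ObjectType -eq [guid]::Empty)
            # Flag Allow ACEs that let the holder take over objects under the OU: full
            # control, rewriting the DACL or owner, or writing any attribute / any extended
            # right (ObjectType unrestricted) rather than one specific attribute or right.
            $highRisk = ($_.AccessControlType -eq 'Allow') -and (
                $rights.HasFlag($adr::GenericAll) -or
                $rights.HasFlag($adr::WriteDacl)  -or
                $rights.HasFlag($adr::WriteOwner) -or
                ($allObjects -and (($rights -band ($adr::WriteProperty -bor $adr::ExtendedRight)) -ne 0))
            )
            [pscustomobject]@{
                Object          = $DistinguishedName
                Principal       = $_.IdentityReference.Value
                Type            = $_.AccessControlType
                Rights          = $rights
                AppliesTo       = $names[$_.ObjectType.ToString()]           # attribute or extended right
                InheritedTo     = $names[$_.InheritedObjectType.ToString()]  # object class the ACE flows down to
                InheritanceType = $_.InheritanceType
                IsInherited     = $_.IsInherited
                HighRisk        = $highRisk
            }
        }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $rows
}

# Write the full report, then show only the entries that deserve a second look
Export-OuAceReport -DistinguishedName "OU=IT,DC=example,DC=com" -Path ".\OU_Permissions.csv" |
    Where-Object HighRisk |
    Format-Table Principal, Rights, AppliesTo, InheritedTo, InheritanceType -AutoSize
```

Run it against every OU that has been delegated, not just one: an ACE granting GenericAll on a parent container shows up as IsInherited on the children, and that is usually where unexpected rights hide.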

🧼 Remove Specific Delegated Right

⚠️ Manual and careful process: match the exact ACE (principal, rights, object type and inheritance scope) rather than everything for a principal, leave inherited entries alone on the child object (remove them where they were defined), and keep a copy of the DACL so the change can be reverted. Unless it is well scripted, it is usually safer to do this in the GUI.


📢 Tips