I have scripted DSPerms.bat to return the distinguished names of directory services objects that have access control entries (ACEs) that you specify.
DSPerms.bat uses DSQUERY from the Active Directory command-line tools to retrieve directory service objects, and Dsacls.exe to retrieve ACEs on the object.
The syntax for using DSPerms.bat is:
DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]
Where:
StartNode is the node where the search starts. It can be forestroot, domainroot, or the distinguished name of an object (quote it, as in the example below). objectClass narrows the search to a single object class. It can be * (no filtering) or any objectClass value that dsquery accepts in its filter, for example user, group, or contact. (The table of classes that accompanied the original article did not survive extraction.)
Sample Usage and Console Output:
dsperms "CN=Users,DC=JSIINC,DC=TST" user "'JSIINC\Domain Users' 'SPECIAL ACCESS' userAccountControl Inherited parent"

NOTE: Using user as the objectClass filtered out the group and contact objects that are also in the Users container.

"CN=test,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are: Allow JSIINC\Domain Users SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=Guest,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are: Allow JSIINC\Domain Users SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=SUPPORT_388945a0,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are: Allow JSIINC\Domain Users SPECIAL ACCESS for userAccountControl {Inherited from parent}

NOTE: DSPerms.bat supports multiple Search Terms sets, but a single set is likely to run faster, because with several sets every set is re-parsed for every ACE line. DSPerms.bat is VERY resource intensive and runs for a VERY long time.
Constrain your search as much as practical, and consider running it during a weekend. The script only reads the directory (dsacls is called with nothing but the object DN), but it writes and executes a generated helper .vbs in the TEMP folder and feeds dsacls output back through cmd.exe for parsing, so run it from a trusted interactive session on an administrative workstation rather than from a shared host.
DSPerms.bat contains:
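@echo off
REM DSPerms.bat - print the distinguished name of every directory object under
REM StartNode whose dsacls output contains ALL of the words in a search-term
REM set (case-insensitive, literal match).  Each matching ACE is printed as
REM   "DN" header trustee-column permission inheritance
REM where the fields are taken from the dsacls line as dsacls lays it out.
REM
REM Syntax: DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]
REM   StartNode     forestroot, domainroot, or a quoted object DN
REM   objectClass   * for no filtering, or an objectClass value for the dsquery filter
REM   Search TermsN one to nine words; group a multi-word value with single quotes,
REM                 e.g. "'JSIINC\Domain Users' 'SPECIAL ACCESS' userAccountControl"
REM Requires dsquery.exe, dsacls.exe and cscript.exe; the directory is only read.
REM Names containing an apostrophe are printed with a backtick in its place.
REM
REM This listing was reconstructed from a collapsed web rendering: line breaks,
REM the two "=={}" tests and the Replace of the less-than sign were restored.
REM Behavioural fixes versus the posted version are marked FIX below.
if {%3}=={} @echo Syntax: DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
REM NOTE: nothing below uses delayed expansion, but enabling it means any
REM exclamation mark in directory data is consumed when lines are echoed.
REM FIX: the helper script gets a per-run name instead of the fixed
REM TEMP\DSPerms.VBS, which another local process could pre-create or swap
REM before cscript runs it below.  It is deleted before endlocal.
set vbs=%TEMP%\DSPerms_%RANDOM%.vbs
REM The helper rewrites characters that cmd treats specially, because dsacls
REM output is later re-parsed by for /f and echoed through cmd again.  It also
REM prefixes "*:" so that "tokens=1* delims=:" keeps the line's leading blanks.
@echo dim iString, oString, objArgument>"%vbs%"
@echo Set objArgument = Wscript.Arguments>>"%vbs%"
@echo iString = objArgument(0) >>"%vbs%"
@echo oString = Replace(objArgument(0), "<", "{")>>"%vbs%"
@echo oString = Replace(oString, ">", "}")>>"%vbs%"
@echo oString = Replace(oString, "&", "and")>>"%vbs%"
@echo oString = Replace(oString, "(", "[")>>"%vbs%"
@echo oString = Replace(oString, ")", "]")>>"%vbs%"
REM FIX: a pipe or an apostrophe in a trustee or object name would otherwise
REM escape the single-quoted for /f command strings in bld1-9 and doit: the
REM apostrophe ends the command string and the pipe starts a second command.
REM Map both to harmless characters.  Double quotes are still not handled.
@echo oString = Replace(oString, "|", "/")>>"%vbs%"
@echo oString = Replace(oString, "'", "`")>>"%vbs%"
@echo Wscript.echo "*:" ^& oString>>"%vbs%"
set StartNode=%1
set class=%2
shift
shift
set /a cnt=0
set tab=
REM blank must be at least 50 spaces; the trailing # keeps editors from trimming them.
set blank=                                                            #
set OK=N

REM Pack every search-term set into a fixed 200-character record in tab:
REM one digit with the word count, then the first 199 characters of the set,
REM padded with # markers and blanks so numbparm and build1 always see words.
REM Single quotes become double quotes so that a quoted group counts as one word.
:ploop
if {%1}=={} goto pfin
set wrk1=%1
shift
set wrk1=%wrk1:"=% # # # # # # # # %blank:~0,50% %blank:~0,50% %blank:~0,50% %blank:~0,50% #
set wrk2=%wrk1:~0,199%
set /a cnt=%cnt% + 1
set wrk2=%wrk2:'="%
call :numbparm %wrk2%
set tab=%tab%%np%%wrk2%
goto ploop

REM numbparm: count the arguments before the first # marker into np.
:numbparm
set /a np=0
:numbparm1
if {%1}=={#} goto :EOF
set /a np=%np% + 1
shift
goto numbparm1

REM Main loop: every object of the requested class under StartNode, then every
REM dsacls line for it except the completion banner, each run through the helper.
REM FIX: perm and pperm were initialised here but the variables used are prm
REM and pprm; the names now match.
:pfin
set hdr=
set who=
set prm=
set inherit=
set pwho=
set pprm=
set pinherit=
for /f "Tokens=*" %%a in ('dsquery * %StartNode% -filter "(&(objectClass=%class%))" -attr distinguishedName -L -limit 0') do (
 set dn="%%a"
 for /f "Tokens=* Delims=:" %%s in ('dsacls.exe "%%a"^|findstr /i /V /c:"The command completed successfully"') do (
  for /f "Tokens=1* Delims=:" %%y in ('cscript //NOLOGO "%vbs%" "%%s"') do (
   set line=%%z %blank:~0,50% # # #
   call :doit
  )
 )
)
del /q "%vbs%"
endlocal
goto :EOF

REM doit: split the padded dsacls line into the 50-column trustee field (who),
REM the permission (prm, first two words after column 50) and the rest (inherit).
:doit
REM FIX: the DN does not pass through the helper, so an apostrophe in it would
REM end the quoted command strings in bld1-9; replace it here as the helper does.
set dn=%dn:'=`%
set who=%line:~0,50%
if "%who%" EQU "" set who=%blank:~0,50%
set who=%who:#=%
for /f "Tokens=1,2*" %%c in ('@echo %line:~50%') do (
 set prm=%%c %%d
 set inherit=%%e
 call :perm
)
goto :EOF

REM perm: a line whose permission field still holds a # marker was too short to
REM be an ACE, i.e. a header such as "Effective Permissions on this object are:";
REM remember it in hdr and clear the carried-over trustee.  A bare DELETE
REM permission is followed by a marker but is still an ACE.
:perm
REM FIX: the posted version read "perm1" without goto, so an empty permission
REM field tried to run a non-existent command and fell through to the marker tests.
if "%prm%" EQU "" goto perm1
if "%prm%" EQU "DELETE #" set prm=DELETE&goto perm2
set work=%prm:#=%
if "%work%" EQU "%prm%" goto perm2
:perm1
if /i "%who:~0,11%" EQU "Access list" goto :EOF
if /i "%who:~0,11%" EQU "Permissions" goto :EOF
if "%who:~0,10%" EQU "%blank:~0,10%" goto :EOF
set hdr=%who%
set who=
set prm=
set inherit=
set pwho=
set pprm=
set pinherit=
goto :EOF

REM perm2: a line whose trustee column is blank, or whose inheritance text is
REM missing, reuses the values remembered from the previous ACE line.
:perm2
if "%who:~0,10%" EQU "%blank:~0,10%" set who=%pwho%
if "%inherit%" NEQ "" set inherit=%inherit:#=%
if "%inherit%" EQU "" set inherit=%pinherit%&goto perm3
if "%inherit:~0,1%" EQU " " set inherit=%pinherit%&goto perm3
:perm3
REM With a single term set the words are parsed into p1..p9 once (OK=Y) and the
REM matcher is entered directly; with several sets each one is re-parsed per line.
if "%OK%" EQU "Y" If %cnt% EQU 1 call :build2&goto perm4
set /a seq=0
for /l %%f in (1,1,%cnt%) do call :Build %%f
:perm4
set pwho=%who%
set pprm=%prm%
set pinherit=%inherit%
goto :EOF

REM Build: fetch term-set record number seq from tab (digit = word count, then
REM 199 characters of words) and filter the current output line through it.
:Build
set /a pos=%seq% * 200
call set /a np=%%tab:~%pos%^,1%%
set /a pos=%pos% + 1
call set wrk1=%%tab:~%pos%^,199%%
call :build1 %np% %wrk1%
set /a seq=%seq% + 1
goto :EOF

REM build1: load the words of one term set into p1..p9 with quotes stripped;
REM a # padding marker becomes a single blank.  Then jump to the matcher for
REM np words.
:build1
if "%OK%" EQU "Y" If %cnt% EQU 1 goto build2
shift
set p1=%1
set p1=%p1:"=%
set p2=%2
set p2=%p2:"=%
if "%p2%" EQU "#" set p2=%blank:~0,1%
set p3=%3
set p3=%p3:"=%
if "%p3%" EQU "#" set p3=%blank:~0,1%
set p4=%4
set p4=%p4:"=%
if "%p4%" EQU "#" set p4=%blank:~0,1%
set p5=%5
set p5=%p5:"=%
if "%p5%" EQU "#" set p5=%blank:~0,1%
set p6=%6
set p6=%p6:"=%
if "%p6%" EQU "#" set p6=%blank:~0,1%
set p7=%7
set p7=%p7:"=%
if "%p7%" EQU "#" set p7=%blank:~0,1%
set p8=%8
set p8=%p8:"=%
if "%p8%" EQU "#" set p8=%blank:~0,1%
set p9=%9
set p9=%p9:"=%
if "%p9%" EQU "#" set p9=%blank:~0,1%
set OK=Y
:build2
goto bld%np%

REM bldN: print the output line when all N words are found in it; each findstr
REM is a case-insensitive literal match on the whole line.
:bld1
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld2
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld3
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld4
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld5
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld6
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld7
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld8
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld9
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"^|findstr /I /L /C:"%p9%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF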