(2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
Posted by Jorge on 2014-09-13
PowerShell code to check whether the DACL of each OU in the AD domain is in canonical order or not. The order matters: an access check walks the DACL from top to bottom and stops at the first ACE that decides the request, so a DACL that is not canonical (for example an Allow ACE stored ahead of the explicit Deny that should win) yields different effective permissions than the GUI would lead you to expect, and is usually a sign that something wrote the security descriptor directly instead of through the normal APIs.
Also see this blog post.
–
# Clear The Screen
Clear-Host

# Get The UI Config
$uiConfig = (Get-Host).UI.RawUI
$uiConfig.ForegroundColor = "Yellow"

# Import The Required Module
Import-Module ActiveDirectory

# Get The RootDSE Info (not used further in this script; see the comments below for checking the domain head)
$rootDSE = Get-ADRootDSE

# Get List Of OUs In AD Domain
$listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName}

# Process Each OU
$OUsWithDACLInCanonicalOrder = @()
$OUsWithDACLNOTInCanonicalOrder = @()
$listOfOUsToProcess | %{
	$ou = $_
	$ouDrivePath = $("AD:\" + $ou)
	$aclOU = Get-Acl $ouDrivePath
	# AreAccessRulesCanonical is computed by .NET from the stored DACL order
	If ($aclOU.AreAccessRulesCanonical) {
		$ouObj = "" | Select "List Of OUs That DO Have The DACL In Canonical Order"
		$ouObj."List Of OUs That DO Have The DACL In Canonical Order" = $ou
		$OUsWithDACLInCanonicalOrder += $ouObj
	}
	If (!$aclOU.AreAccessRulesCanonical) {
		$ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order"
		$ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = $ou
		$OUsWithDACLNOTInCanonicalOrder += $ouObj
	}
}

# Report The OUs With A Non-Canonical DACL (Red)
$uiConfig.ForegroundColor = "Red"
If ($OUsWithDACLNOTInCanonicalOrder.Count -eq 0) {
	$ouObj = "" | Select "List Of OUs That DO NOT Have The DACL In Canonical Order"
	$ouObj."List Of OUs That DO NOT Have The DACL In Canonical Order" = "+++ NONE +++"
	$OUsWithDACLNOTInCanonicalOrder += $ouObj
}
$OUsWithDACLNOTInCanonicalOrder | FT -Autosize

# Report The OUs With A Canonical DACL (Green)
$uiConfig.ForegroundColor = "Green"
If ($OUsWithDACLInCanonicalOrder.Count -eq 0) {
	# The placeholder row must use the "DO Have" column name, otherwise FT prints an empty table
	$ouObj = "" | Select "List Of OUs That DO Have The DACL In Canonical Order"
	$ouObj."List Of OUs That DO Have The DACL In Canonical Order" = "+++ NONE +++"
	$OUsWithDACLInCanonicalOrder += $ouObj
}
$OUsWithDACLInCanonicalOrder | FT -Autosize
$uiConfig.ForegroundColor = "Yellow"
–
Figure 1: Checking The Canonical Order Of The DACL On All OUs In The AD Domain Through PowerShell
–
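The script above only tells you which OUs fail the check, not which ACE breaks the order, and it skips the domain head because Get-ADOrganizationalUnit does not return it. The following is an added example, not Jorge's code or part of the ZIP: it checks the domain naming context plus every OU, and for each non-canonical DACL reports the first ACE whose position violates the expected grouping (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The function names Get-AceRank and Test-AdDaclOrder are my own. The rank model is a simplification: the Windows canonical form also orders inherited ACEs by the depth they were inherited from, which this code does not model, so AreAccessRulesCanonical remains the authoritative verdict and the reported ACE is only the first visible break.

```powershell
# Added example (not part of the original post): locate the first out-of-order ACE
# in non-canonical AD DACLs, covering the domain head as well as every OU.
Import-Module ActiveDirectory

# Simplified ordering rank of an ACE: explicit Deny (0), explicit Allow (1),
# inherited Deny (2), inherited Allow (3). Ordering among inherited ACEs by
# inheritance depth is not modelled here (assumption: good enough to localize
# the common case of a hand-written or tool-written DACL).
function Get-AceRank {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $deny = $Ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
    if (-not $Ace.IsInherited) {
        if ($deny) { return 0 } else { return 1 }
    }
    if ($deny) { return 2 } else { return 3 }
}

function Test-AdDaclOrder {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $result = [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        IsCanonical       = $acl.AreAccessRulesCanonical
        FirstBadIndex     = $null
        FirstBadAce       = $null
    }
    if ($acl.AreAccessRulesCanonical) { return $result }

    # Walk the ACEs in stored order; the first one whose rank drops below the
    # highest rank already seen is the first visible ordering violation.
    $highest = -1
    $index = 0
    foreach ($ace in $acl.Access) {
        $rank = Get-AceRank -Ace $ace
        if ($rank -lt $highest) {
            $result.FirstBadIndex = $index
            $result.FirstBadAce = "{0} {1} {2} (inherited={3})" -f `
                $ace.AccessControlType, $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.IsInherited
            break
        }
        if ($rank -gt $highest) { $highest = $rank }
        $index++
    }
    return $result
}

# Scope: the head of the current domain (defaultNamingContext, not the forest root)
# plus all OUs beneath it.
$rootDSE = Get-ADRootDSE
$targets = @($rootDSE.defaultNamingContext) +
           @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })

$report = foreach ($dn in $targets) { Test-AdDaclOrder -DistinguishedName $dn }
$bad = @($report | Where-Object { -not $_.IsCanonical })

$bad | Format-Table DistinguishedName, FirstBadIndex, FirstBadAce -AutoSize
"{0} of {1} objects checked have a non-canonical DACL" -f $bad.Count, @($report).Count
```

Run it as an account that can read the security descriptor of every OU (the nTSecurityDescriptor attribute). Because Get-Acl reads the DACL as stored on the DC, the FirstBadIndex value maps directly onto the ACE positions you will see in LDP or in the SDDL string from $acl.Sddl, which is where you would go next to decide whether to rebuild the DACL.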
The PowerShell code for this script is included in a ZIP file. The ZIP file can be downloaded from here.
The ZIP file contains all the scripts for the following blog posts:
- (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
- (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
- (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
- (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
- (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
- (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
- (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
- (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
- (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
- (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
- (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
- (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
- (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
- (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
- (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
- (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
(2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
(2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
(2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
(2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
(2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
(2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object « Jorge's Quest For Knowledge! said
[…] (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL […]
Tommy Doan said
Very helpful, although the root of the domain is not inspected. Something like this could be added.
$dcDrivePath = $("AD:\" + $rootDSE.rootDomainNamingContext)
$aclDC = Get-Acl $dcDrivePath
$aclDC.AreAccessRulesCanonical