Probably the easiest way without any fuss is the Quest cmdlet -- Get-QadPermission

Or something like

    Get-ADObject -Identity 'CN=your object' -Properties * |
        select -ExpandProperty nTSecurityDescriptor |
        select -ExpandProperty Access |
        sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
        Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

Or

    Get-Acl -Path 'AD:\CN=Your object' |
        select -ExpandProperty Access |
        sort ActiveDirectoryRights, AccessControlType, IdentityReference -Descending |
        Format-Table -GroupBy ActiveDirectoryRights -Property IdentityReference, AccessControlType -AutoSize

Or [adsi]

ADACLScan on CodePlex is totally awesome but not lightweight.

Probably lots of other ways to skin the cat but those are a couple.

From: [email protected] [mailto:[email protected]] On Behalf Of Todd Lemmiksoo
Sent: Tuesday, November 03, 2015 8:21 AM
To: [email protected]
Subject: [spam] [dkim-failure] [NTSysADM] AD rights powershell

How can I find who has AD rights to reset/change user passwords? My Google is only returning how to assign those rights, not how to find who has them.

--
T. Todd Lemmiksoo
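To answer the question at the bottom of the thread, the ACE list produced by the commands above can be filtered down to the entries that cover password reset or change. This is an added example, not part of the original e-mails; the helper name Select-PasswordAce and the EXAMPLE\ accounts are made up, and the sample ACEs are constructed.

```powershell
# Added example. Extended-right GUIDs as defined in the AD schema.
$PasswordRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Select-PasswordAce {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Ace)
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        # The rights enum stringifies as "ReadProperty, ExtendedRight", so split on commas.
        $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $via = $null
        if ($rights -contains 'GenericAll') {
            $via = 'GenericAll (full control)'
        } elseif ($rights -contains 'ExtendedRight') {
            # ObjectType scopes the ACE to one extended right; the empty GUID means all of them.
            $via = $PasswordRights["$($Ace.ObjectType)"]
        }
        if ($via) {
            [pscustomobject]@{
                IdentityReference = "$($Ace.IdentityReference)"
                Grants            = $via
                IsInherited       = $Ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs using the property names that Get-Acl returns.
$empty = '00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '00299570-246d-11d0-a768-00aa006e0529'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = 'ab721a53-1e2f-11d0-9819-00aa0040529b'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; ObjectType = $empty; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Contractors'; AccessControlType = 'Deny'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '00299570-246d-11d0-a768-00aa006e0529'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty'; ObjectType = $empty; IsInherited = $false }
)
$sample | Select-PasswordAce | Format-Table -AutoSize

# Against a live directory (needs the ActiveDirectory module, as the commands above do):
# (Get-Acl -Path 'AD:\CN=Your object').Access | Select-PasswordAce
```

The filter lists Allow ACEs only; Deny entries and the InheritedObjectType scope are not evaluated, so treat the output as candidates to review.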
