This is a PowerShell script that will scan and audit your Active Directory structure for any users with permissions on extended rights, and the organizational unit paths on which those permissions are granted. Requires the Active Directory module. No changes need to be made to the script; however, if you wish to alter the output log path or add users to be filtered out of the output (such as your known administrators), these can be set in the variables via ISE or Notepad prior to execution.

The script is beneficial for users who have deployed LAPS (Local Administrator Password Solution) in their environment. It allows you to quickly audit exactly who has access to which LAPS information (computer object extended rights) in AD.

 

###################################################################################

################### Variables #####################################################

###################################################################################

## Folder the CSV audit file is written to (created below if it does not exist) #####
$LoggedAccessLocation = 'C:\Temp\'

## Wildcard pattern; identities matching it are dropped from the report (-notlike) ##
$NotMe = '*DasAdmins*'

###################################################################################

## Note: BuiltIn, NT Authority and Orphaned SIDs are automatically filtered out ###

###################################################################################
 

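## Make sure the output folder exists. -Force makes the call idempotent and
## Out-Null keeps the DirectoryInfo object New-Item returns off the console.
if (-not (Test-Path -Path $LoggedAccessLocation)) {
    New-Item -ItemType Directory -Force -Path $LoggedAccessLocation | Out-Null
}

## Date stamp for the output file name, e.g. 2024-05-01. Same result as the old
## -UFormat "%Y / %m / %d" followed by two -replace passes, without the string surgery.
$Date = Get-Date -Format 'yyyy-MM-dd'

$I = 0         ## OUs scanned so far; drives the Write-Progress percentage
$ACLList = @() ## one record per (OU, identity, access type) the scan finds

## The module supplies the AD cmdlets and the AD: PSDrive that Get-Acl reads from.
## -ErrorAction Stop turns a missing RSAT install into a terminating error here
## rather than a cascade of failures on every later cmdlet.
Import-Module ActiveDirectory -ErrorAction Stop

## Get-Acl is later handed bare distinguished names; they only resolve inside AD:.
Set-Location AD:

## Distinguished names of every OU in the domain. @() guarantees an array so that
## $OUs.Count is meaningful even when the domain contains a single OU.
$OUs = @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)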
 

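## Walk every OU and collect the explicit (non-inherited) ACEs that carry
## ExtendedRight. Two scope caveats worth knowing when reading the report:
##   * Only OU-level ACEs are inspected; an ACE set directly on a computer object
##     is never visited.
##   * Holders of GenericAll or WriteDacl can read the same LAPS attributes but do
##     not match the '*ExtendedRight*' filter, so they are not listed here.
Clear-Host
$ACLList = @(foreach ($OU in $OUs) {
    Write-Progress -Activity "Checking: $OU... " `
        -Status "Scanned: $I of $($OUs.Count) folders..." `
        -PercentComplete (($I / $OUs.Count) * 100)
    $I++

    ## Filter rules:
    ##   -not IsInherited      only rights granted on this OU itself
    ##   BUILTIN\*, NT AUTHORITY\*   well-known principals (both with -notlike; the
    ##                         original used -ne for NT AUTHORITY, so the wildcard
    ##                         was taken literally and SYSTEM/SELF slipped through)
    ##   S-1-5*                unresolved (orphaned) SIDs
    ##   $NotMe                operator-supplied exclusion pattern
    $ACLs = (Get-Acl -Path $OU).Access |
        Where-Object {
            $_.ActiveDirectoryRights -like '*ExtendedRight*' -and
            -not $_.IsInherited -and
            $_.IdentityReference -notlike 'BUILTIN\*' -and
            $_.IdentityReference -notlike 'NT AUTHORITY\*' -and
            $_.IdentityReference -notlike 'S-1-5*' -and
            $_.IdentityReference -notlike $NotMe
        }

    ## Objects are emitted to the pipeline and gathered by the outer assignment,
    ## which avoids re-copying the array on every $ACLList += append.
    foreach ($ACL in $ACLs) {
        New-Object -TypeName PSObject -Property @{
            IDRef  = $ACL.IdentityReference.ToString()
            Path   = $OU
            Access = $ACL.AccessControlType.ToString()
        }
    }
})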

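## ${Date} rather than $Date_... : without the braces PowerShell would read
## $Date_ExtRights_Audit as one variable name and expand it to an empty string.
$FP = Join-Path -Path $LoggedAccessLocation -ChildPath "${Date}_ExtRights_Audit.CSV"

if (@($ACLList).Count -eq 0) {
    ## Export-Csv writes no file for empty input, so do not claim one was logged.
    Write-Host "No explicit ExtendedRight entries found after filtering; nothing written to $FP"
}
else {
    ## The CSV enumerates who can reach LAPS data; keep $LoggedAccessLocation
    ## restricted to the people who should see that.
    $ACLList | Select-Object Path, IDRef, Access | Export-Csv -Path $FP -NoTypeInformation

    Clear-Host
    $ACLList | Format-Table -AutoSize
    Write-Host "Output logged to: $FP"
}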