How can I check what for permissions an AD-User have for an AD-Group?

Question

I want to check with PowerShell if a user have Active Directory permissions ex. read or write for a specific group.

I found a way with get-acl to show me some information about the group and the user, but I'm not sure if I can and how to work with that further.

Does this help: https://stackoverflow.com/questions/55146121/how-to-use-powershell-to-find-group-memebership-to-include-members-of-nested-gro? Or this: https://stackoverflow.com/questions/5072996/how-to-get-all-groups-that-a-user-is-a-member-of or this: https://stackoverflow.com/questions/46295416/check-if-the-user-is-a-member-of-a-list-of-ad-groups or....If not: Please [edit]your question and clarify _if a user have Active Directory permissions for a specific group._ — Ocaso Protal, Oct 13 '20 at 14:54
@OcasoProtal I though it was clear with "get-acl", sorry for that. I updated my question. — Wurstfach404, Oct 13 '20 at 20:11

score 0 · Answer 1 · answered Oct 13 '20 at 19:05

0

I think this may be what you're looking for

$user = get-aduser "username" -Properties memberof
$userGroups = $user.MemberOf | Get-ADGroup
$group = Get-ADGroup "group to check"
$group.DistinguishedName -in $userGroups.DistinguishedName

answered Oct 13 '20 at 19:05

PowerShellGuy

733
2
8

score 0 · Answer 2 · answered Oct 14 '20 at 05:48

If I understand you correctly, you want to check a specific user's AD rights over a specific group. Here's an example that will return all the individual rights assigned to a certain group.

Get-ADGroup "GroupToCheck" | Foreach-Object {
    foreach($dacl in Get-Acl AD:$($_.distinguishedname))
    {
        foreach($ace in $dacl.Access)
        {
            [PSCustomObject]@{
                "Group Name"          = $_.name
                "Group Owner"         = $dacl.owner
                ActiveDirectoryRights = $ace.ActiveDirectoryRights
                AccessControlType     = $ace.AccessControlType
                IdentityReference     = $ace.IdentityReference
            }
        }
    }
} -OutVariable AllRights

You could check if the user or a group the user is in has rights, group/filter the results by identity, etc.

How can I check what for permissions an AD-User have for an AD-Group?

2 Answers2