Find users in a domain that carry the protected attribute (adminCount=1) but should not, clear that attribute and re-enable ACL inheritance.
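#requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Clears a stale adminCount flag and re-enables ACL inheritance on users
    that are no longer members of any protected (adminCount=1) group.

.DESCRIPTION
    SDProp marks members of protected groups with adminCount=1 and blocks ACL
    inheritance on them. When a user leaves such a group the flag and the
    protected ACL are left behind. This script finds those users, clears the
    attribute and restores inheritance. Membership is resolved recursively
    because SDProp protects members of nested groups too; without that, users
    in nested groups would be "unprotected" here and re-flagged by SDProp on
    its next pass.

    Supports -WhatIf / -Confirm; run with -WhatIf first to review the set of
    users that would be changed.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

# Groups and users that currently carry the SDProp flag.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'
$protectedUsers = Get-ADUser -LDAPFilter '(adminCount=1)'

# Distinguished names of every user that is a (possibly nested) member of a
# protected group. A hashtable keyed by DN gives an exact match; the original
# `-match` compared the DN as a regex, so metacharacters in a name (e.g. "(")
# or a DN that is a substring of another could give wrong results.
$protectedMemberDns = @{}
foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object { $protectedMemberDns[$_.DistinguishedName] = $true }
}

# Split flagged users into those that are legitimately protected and those
# that are not. $trueProtectedUsers is kept for inspection after the run.
$trueProtectedUsers = @()
$falseProtectedUsers = @()
foreach ($user in $protectedUsers) {
    if ($protectedMemberDns.ContainsKey($user.DistinguishedName)) {
        $trueProtectedUsers += $user
    } else {
        $falseProtectedUsers += $user
    }
}

# Clear the flag and restore inheritance on users that should not be protected.
foreach ($falseUser in $falseProtectedUsers) {
    $dn = $falseUser.DistinguishedName
    if (-not $PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable ACL inheritance')) {
        continue
    }

    Set-ADUser -Identity $falseUser -Clear 'adminCount'

    $acl = Get-Acl -Path "AD:\$dn"
    if ($acl.AreAccessRulesProtected) {
        # $false: stop blocking inheritance; $true: keep the explicit ACEs
        # already on the object rather than discarding them.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -AclObject $acl -Path "AD:\$dn"
    }
}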