PowerShell Script to be used to find permissions assigned to Active Directory OUs.

Invoke-FindOUpermissions.ps1

$MysIDArray = New-Object System.Collections.ArrayList
FUNCTION Invoke-FindOuPermissions{
<#
.SYNOPSIS
Invoke-FindOuPermissions is a Windows PowerShell script that finds all of the different OUs in a domain, determins the permissions assigned to different users and groups, and reports back which are different from their parent; including what those permissions are.This script does require the Active Directory Modules.

Author: Eric Kuehn
    
.DESCRIPTION
This script is designed to help during the Mapping phase of a penetration test.  It does require a valid set of credentials from the Active Directory Domain being searched.  Once it connects, it goes through the following process:
    1. All Domain Level objects, containers, and OUs in a Domain
    2. The permissions assigned to the OU
    3. If the permissions are different than the parent object
    4. Exports a list of the permissions

.PARAMETER ADDomain
The fully qualified DNS name of the Domain to search

.PARAMETER NoCredentials
Do not prompt for a set of credentials to use to bind to Active Directory

.PARAMETER ComputerDomain
Do not prompt for the name of an Active Directory Domain and instead use the computer's Domain.

.EXAMPLE
Invoke-FindOuPermissions
Starts the information gathering with default settings: Prompt for a Domain, a set of crednetials, and query the entire Forest.

.EXAMPLE
Invoke-FindOuPermissions -LocalCredentials -ComputerDomain
Starts the inormation gathering using the current credentials and the Domain the computer is a member of.

.NOTES
1. Valid credentials are needed to bind to the Active Directory Domain.

#>

#///////Accept the input information for the script
[CmdletBinding()]
Param(
    [PARAMETER(Mandatory=$False)][string]$ADDomain,
    [PARAMETER(Mandatory=$False)][switch]$NoCredentials,
    [PARAMETER(Mandatory=$False)][switch]$ComputerDomain,
    [PARAMETER(ValueFromRemainingArguments=$true)]$invalid_parameter
)
if ($ComputerDomain -and $ADDomain){
    throw "Both the ComputerDomain and ADDomain parameters have been selected."
}
if ($ComputerDomain){
    $ADDomain = (Get-WmiObject Win32_ComputerSystem).Domain
}
if (!$ComputerDomain -and !$ADDomain){
    $ADDomain = Read-Host -Prompt 'Input the Full DNS Name of the Domain to check'
}
if (!$NoCredentials){
    #Prompt for AD Forest Name and Credentials
    $Creds = Get-Credential -Credential Domain\PW
    $PSDefaultParameterValues = @{"*-AD*:Credential"=$Creds}
}
if ($invalid_parameter)
{
    throw "$($invalid_parameter) is not a valid parameter."
}

write-host 
write-host "Connecting to" $ADDomain

#Bind to the Active Directory Domain and Forest
Try
{
    $eD = Get-ADDomain -Identity $ADDomain -ErrorAction STOP
}
CATCH [Exception]
{
    $err = $_.Exception.Message
    Write-Host "Unable to Connect to $ADDomain.  The error was $err"
    Break
}


#Prep Output Directories
if(!(Test-Path "./Output/ACLs")){
    if(!(Test-Path "./Output")){New-Item -ItemType Directory -Path "./Output" | Out-Null}
    New-Item -ItemType Directory -Path "./Output/ACLs" | Out-Null
}

[void] $MysIDArray.clear

$DC = $eD.DNSRoot
$GC = (Get-ADDomainController -Discover -DomainName $eD.Forest -Service ADWS,GlobalCatalog ).HostName[0] + ':3268'
#$GC = $GC + ':3168'

#Get the ACL of the Root and export it
write-host "Gathering permissions set at root of Domain" $DC
$Root = Get-ADObject -Server $DC -SearchBase (Get-ADDomain -Identity $DC -Server $DC).DistinguishedName -LDAPFilter '(objectClass=domain)' -Properties CanonicalName, nTSecurityDescriptor
$RootACL = $Root | select -ExpandProperty nTSecurityDescriptor | select -ExpandProperty Access
$RootDNS = $Root.CanonicalName.split("/")
$RootExpPath = "./Output/ACLs/" + $RootDNS[0] + ".csv"
Get-OUacl -ACLlist $RootACL -DC $DC -GC $GC | Export-Csv $RootExpPath -NoType

$MyOUArray = New-Object System.Collections.ArrayList

write-host "Finding OUs and containers"
#Get all the OUs and top level containers in the Domain
$OUs = Get-ADObject -Server $DC -Filter {objectcategory -eq "container" -or objectcategory -eq "builtinDomain"} -searchscope OneLevel -Properties CanonicalName, Name, nTSecurityDescriptor
$OUs += Get-ADOrganizationalUnit -Server $DC -Filter * -Properties CanonicalName, Name, nTSecurityDescriptor 
$OUs = $OUs | sort canonicalname
write-host $OUs.count "OUs to examine"

Foreach ($OU in $OUs){
    write-host "Checking security of" $OU.CanonicalName
    $Parent = $OU.DistinguishedName.Substring($OU.DistinguishedName.IndexOf(",")+1)

    $MyACL = $OU | select -ExpandProperty nTSecurityDescriptor | select -ExpandProperty Access
    $ParnetAcl = Get-ADObject $Parent -Server $DC -Properties nTSecurityDescriptor | select -ExpandProperty nTSecurityDescriptor | select -ExpandProperty Access | select IdentityReference
    $comp = Compare-Object $ParnetAcl $MyACL -Property IdentityReference
    if($comp.count -gt 0){
        $Sec = "Security Changed From Parent"
        write-host "   " $Sec

        $OUName = $OU.CanonicalName.replace("/","--")
        $ExpOUpath = "./Output/ACLs/" + $OUName + ".csv"
        Get-OUacl -ACLlist $MyACL -DC $DC -GC $GC | Export-Csv $ExpOUpath -NoType

    }ELSE{
        $Sec = ""
    }
    $OUentry = $OU | select canonicalName,Name,@{Name="Security";Expression={$Sec}}
    [void] $MyOUArray.Add($OUentry)
}

$MyOUArray | ft -AutoSize
$MyOUArray | Export-Csv "./Output/OUs.csv" -NoType

[void] $MysIDArray.clear
}

FUNCTION Get-DomainFromDistinguishedName($DN){
    $DNDomDNS =''
    $DNparts = $DN -split ","
    Foreach ($arrPart in $DNparts) {
        If ($arrPart -like 'dc=*'){
            $apDns = $arrPart -Replace "DC=","."
            $DNDomDNS = $DNDomDNS + $apDns
        }
    }
    $DNDomDNS = $DNDomDNS.TrimStart(".")
    Return $DNDomDNS
}

Function TranslateSID ($sID, $DC, $Domain){
    if ($global:MysIDArray.objectSid -contains $ACL.IdentityReference){
        #
        write-verbose -message "         Found sID in Cache"
        #
        $foundID = $global:MysIDArray | where {$_.objectSid -eq $sID }
        $sidEntry = $foundID.Name
        #
        write-verbose -message "         sID in Cache: $sidEntry"
    } ELSE {
        #
        write-verbose -message "         Translating sID"
        #
        $ADobjects = get-adobject -server $DC -filter {objectsid -eq $sID} -Properties sAMAccountName,objectSid
        #Need to put in logic for generic Forest well known SIDs
        if ($ADobjects.count -gt 1) {
            write-verbose "         More than one return"
                Foreach ($ADobject in $ADobjects){
                            $ADobjectDomDNS = (Get-DomainFromDistinguishedName -DN $ADobject.DistinguishedName)
                if ($ADobjectDomDNS -eq $Domain) {
                    $ADobjectDom = $ADobjectDomDNS.split(".")[0]
                    $ADobjectName = $ADobjectDom + "\" + $ADobject.sAMAccountName
                    $NewEntry = $ADobject | select objectSid, @{Name="Name";Expression={$ADobjectName}}
                }   
            }

        } ELSE {
            $ADobject = $ADobjects
            $ADobjectDom = (Get-DomainFromDistinguishedName -DN $ADobject.DistinguishedName).split(".")[0]
            $ADobjectName = $ADobjectDom + "\" + $ADobject.sAMAccountName
            $NewEntry = $ADobject | select objectSid, @{Name="Name";Expression={$ADobjectName}}
        }
        
        
        #
        write-verbose -message "         Translated sID: $ADobjectName"
        #
        [void] $global:MysIDArray.Add($NewEntry)
        $sidEntry = $NewEntry.Name

    }

    return $sidEntry
}

Function Get-OUacl ($ACLlist, $DC, $GC){
    $MyOUAclArray = New-Object System.Collections.ArrayList

    Foreach ($ACL in $ACLlist){
        $ACLobjectType = if($ACL.ObjectType -eq '00000000-0000-0000-0000-000000000000'){
            "All"
        }ELSE{ 
            $RawGUID = ([guid]$ACL.ObjectType).ToByteArray()
            (Get-ADObject -Server $DC -Searchbase (Get-ADRootDSE -Server $DC).schemaNamingContext -Filter {schemaIDGUID -eq $RawGuid}).Name
        }
        #if the ACL is not for an object type but a property, search the config partition for a property name 
        if($ACLobjectType -eq $null){
                $ACLobjectTypeFilter = $ACL.ObjectType
                $ACLobjectType = (Get-ADObject -Server $DC -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE -Server $DC).configurationNamingContext)" -LDAPFilter "(&(objectClass=controlAccessRight)(rightsguid=$ACLobjectTypeFilter))").Name 
            }
            
            
        $ACLinheritedObjectType = if($ACL.InheritedObjectType -eq '00000000-0000-0000-0000-000000000000'){
            "All"
        }ELSE{
            $RawGUID = ([guid]$ACL.InheritedObjectType).ToByteArray()
            (Get-ADObject -Server $DC -Searchbase (Get-ADRootDSE -Server $DC).schemaNamingContext -Filter {schemaIDGUID -eq $RawGuid}).Name
        }

        #
        write-verbose -message "   $ACL.IdentityReference"
        #
        if ($ACL.IdentityReference -like "S-1*"){

            #
            write-verbose -message "      ACL is a sID"
            #
                        
            $IdentityReference = TranslateSID -sID $ACL.IdentityReference -DC $GC -Domain $DC


        } ELSE {
            Write-verbose -message "      ACL is common group"
            $IdentityReference = $ACL.IdentityReference
        }
            
        $ACLentry = $ACL | Select IsInherited,AccessControlType,
            @{Name="ObjectTypeName";Expression={$ACLobjectType}}, @{Name="InheritedObjectTypeName";Expression={$ACLinheritedObjectType}},
            ActiveDirectoryRights, @{Name="IdentityReference";Expression={$IdentityReference}}, InheritanceType, InheritanceFlags, PropagationFlags
        [void] $MyOUAclArray.Add($ACLentry)
    }

    Return $MyOUAclArray

}