Audit-ADPermissions.ps1

param (
   [Parameter(Mandatory=$true)][string]$OU,
   [Parameter(Mandatory=$true)][string]$user
)

Import-Module ActiveDirectory
Set-Location AD:

#declare an array to hold results
$results = @()

#find the acls on a particular OU
$acls = (Get-Acl $OU).access

#iterate the acls and decode the actual permission
$acls | where-object {$_.identityreference -eq $User} | Foreach-Object {
   $obj = New-Object PSObject

   $obj | Add-Member NoteProperty ActiveDirectoryRights $_.ActiveDirectoryRights
   $obj | Add-Member NoteProperty InheritanceFlags $_.InheritanceFlags
   $obj | Add-Member NoteProperty AccessControlType $_.AccessControlType

   if ($_.ActiveDirectoryRights -eq 'ExtendedRight') {
      $right = Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Filter {(objectclass -eq "controlAccessRight") -and (rightsguid -eq $_.ObjectType)} -Properties RightsGuid,DisplayName
      #Write-Host "$($right.Name)"
   } else {
      $right = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {schemaidguid -eq $_.ObjectType} -Properties LdapDisplayName,SchemaIdGuid
      #Write-Host "$($right.LdapDisplayName)"
   }

   $obj | Add-Member NoteProperty Right $right

   $results += $obj
}

$results