LAPSPermissionCollection
LAPS Permission Collection for OUs
Hi Kevin,
While searching for a script to show which OUs (and not the computers in the OUs) have the LAPS attributes set, I stumbled upon your script. With slight modifications I managed to succeed. What was important for me was being able to get the inheriting OUs or not, hence the $inherited filtering.
That said, I wanted to leave this "issue" here with my modified version and a big THANKS to you!
Cheers! 🍪✌️ Michael
## Search base: the domain root, or a single OU to limit the scan to that OU and its children
$target = 'DC=your,DC=domain,DC=com'
## $false = show only ACEs set directly on the OU; $true = show only ACEs inherited from a parent
$inherited = $false
Import-Module ActiveDirectory
## Resolve the schemaIDGUIDs of ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime from the schema (they differ per forest)
$schemaIDGUID = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(|(name=ms-Mcs-AdmPwdExpirationTime)(name=ms-Mcs-AdmPwd))' -Properties name, schemaIDGUID |
    ForEach-Object { $schemaIDGUID.Add([System.Guid]$_.schemaIDGUID, $_.name) }
## All OUs under the search base (the target itself is included when it is an OU)
$orgunits = Get-ADOrganizationalUnit -SearchBase $target -Filter *
## Collect the matching ACEs of every OU, then display them as one table
$results = foreach ($ou in $orgunits) {
    ## The AD: drive is provided by the ActiveDirectory module, so the ACL can be read by path without Set-Location
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ## ExtendedRight is included because ms-Mcs-AdmPwd is a confidential attribute: reading it needs CONTROL_ACCESS, not just ReadProperty
            ($_.ActiveDirectoryRights -match 'WriteProperty|ReadProperty|ExtendedRight') -and
            ## Only attribute-specific ACEs match; ACEs on the whole object (all-zero ObjectType GUID) are not listed
            $schemaIDGUID.ContainsKey($_.ObjectType) -and
            $_.IsInherited -eq $inherited
        } |
        ForEach-Object {
            [PSCustomObject]@{
                OU                    = $ou.DistinguishedName
                Attribute             = $schemaIDGUID[$_.ObjectType]
                IdentityReference     = $_.IdentityReference
                IsInherited           = $_.IsInherited
                ActiveDirectoryRights = $_.ActiveDirectoryRights
            }
        }
}
$results | Format-Table -AutoSize
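The script above lists raw ACEs; what a reviewer usually wants to know is which LAPS action each ACE actually grants. The following is an added example, not part of Michael's post or of Kevin's script. It maps an ACE's ObjectType and rights to the LAPS capability it confers and runs offline: the two attribute GUIDs are placeholders (real schemaIDGUIDs are forest-specific and would be looked up as in the script above), and the ACEs and CORP\ group names are constructed sample data shaped like the entries in `(Get-Acl "AD:\<OU DN>").Access`.

```powershell
# Placeholder GUIDs standing in for the forest-specific schemaIDGUIDs (assumption).
$LapsAttributeGuids = @{
    [guid]'11111111-1111-1111-1111-111111111111' = 'ms-Mcs-AdmPwd'
    [guid]'22222222-2222-2222-2222-222222222222' = 'ms-Mcs-AdmPwdExpirationTime'
}

function Get-LapsCapability {
    # Takes ACE-like objects (real ones from Get-Acl or the constructed samples below)
    # and emits one record per ACE that grants a LAPS-relevant capability.
    param([Parameter(ValueFromPipeline)] $Ace)
    process {
        # Deny ACEs and ACEs that are not scoped to a LAPS attribute are ignored.
        # Note: an ACE with the all-zero ObjectType GUID ("all properties" / "all extended
        # rights") is not attribute-specific and is therefore not classified here either.
        if ($Ace.AccessControlType -ne 'Allow') { return }
        $attr = $LapsAttributeGuids[[guid]$Ace.ObjectType]
        if (-not $attr) { return }

        $rights = [string]$Ace.ActiveDirectoryRights
        $cap = switch ($attr) {
            'ms-Mcs-AdmPwd' {
                # ms-Mcs-AdmPwd is confidential: ReadProperty alone does not reveal it,
                # the principal also needs CONTROL_ACCESS, which shows up as ExtendedRight.
                if ($rights -match 'ExtendedRight|GenericAll') { 'Read LAPS password' }
                elseif ($rights -match 'ReadProperty|GenericRead') { 'ReadProperty only (password still not readable)' }
            }
            'ms-Mcs-AdmPwdExpirationTime' {
                # Writing the expiration time forces the client to rotate the password.
                if ($rights -match 'WriteProperty|GenericAll|GenericWrite') { 'Force password reset (write expiration)' }
                elseif ($rights -match 'ReadProperty|GenericRead') { 'Read expiration time' }
            }
        }
        if ($cap) {
            [pscustomobject]@{
                Identity   = $Ace.IdentityReference
                Attribute  = $attr
                Capability = $cap
                Inherited  = $Ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs (not taken from a real domain), shaped like Get-Acl's .Access entries.
$pwdGuid = [guid]'11111111-1111-1111-1111-111111111111'
$expGuid = [guid]'22222222-2222-2222-2222-222222222222'
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\LAPS-Readers'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, ExtendedRight'; ObjectType = $pwdGuid; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk';     AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, WriteProperty'; ObjectType = $expGuid; IsInherited = $true  }
    [pscustomobject]@{ IdentityReference = 'CORP\Auditors';     AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty';                ObjectType = $pwdGuid; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\Blocked';      AccessControlType = 'Deny';  ActiveDirectoryRights = 'ExtendedRight';               ObjectType = $pwdGuid; IsInherited = $false }
)

$sampleAces | Get-LapsCapability | Format-Table -AutoSize
```

On a live domain, replace `$LapsAttributeGuids` with the hashtable the script above builds from the schema and pipe `(Get-Acl "AD:\$($ou.DistinguishedName)").Access` into `Get-LapsCapability`. The third sample ACE is the case worth watching for: a group that holds ReadProperty on ms-Mcs-AdmPwd without ExtendedRight appears in an ACL listing as if it could read passwords, but cannot.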