Last active
August 29, 2015 14:27
-
-
Save bill-long/1ce3a23f234b79b86104 to your computer and use it in GitHub Desktop.
Recursively checks the DACL on all Active Directory containers for the presence of a specified SID.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ScanADContainersForSid.ps1 | |
# | |
# Traverses the Active Directory hierarchy looking | |
# for a SID in the ACL on any container. | |
# | |
# Examples: | |
# | |
# .\ScanADContainersForSid DC1 S-1-5-32-544 | |
# | |
# .\ScanADContainersForSid DC1 S-1-5-32-544 -ConfigContext $true -Verbose $true | |
param([string]$DC, [string]$SID, [bool]$ConfigContext, [bool]$Verbose) | |
function CheckContainerForSidRecursive([ADSI]$container, [string]$sidString) | |
{ | |
# First check this container | |
if ($Global:Verbose) | |
{ | |
$container.Properties["distinguishedName"][0].ToString() | |
} | |
$sdFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(objectClass=*)", [string[]]("distinguishedName","ntSecurityDescriptor"), [System.DirectoryServices.SearchScope]::Base) | |
$sdResult = $sdFinder.FindOne() | |
$ntsdProp = $sdResult.Properties["ntSecurityDescriptor"] | |
if ($ntsdProp -eq $null -or $ntsdProp.Count -lt 1) | |
{ | |
if (!($Global:Verbose)) | |
{ | |
$container.Properties["distinguishedName"][0].ToString() | |
} | |
" Could not read NTSD on container." | |
} | |
else | |
{ | |
$commonSD = New-Object System.Security.AccessControl.CommonSecurityDescriptor($true, $true, [byte[]]$ntsdProp[0], 0) | |
$dacl = $commonSD.DiscretionaryAcl | |
for ($x = 0; $x -lt $dacl.Count; $x++) | |
{ | |
if ($dacl[$x].IsInherited) | |
{ | |
continue | |
} | |
$isMatch = [String]::Equals($dacl[$x].SecurityIdentifier.Value, $sidString, "OrdinalIgnoreCase") | |
if ($isMatch) | |
{ | |
if (!($Global:Verbose)) | |
{ | |
$container.Properties["distinguishedName"][0].ToString() | |
} | |
" SID found!" | |
break | |
} | |
} | |
# Now check the child containers | |
$containerFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(|(objectClass=container)(objectClass=organizationalUnit))", @("distinguishedName"), "OneLevel") | |
$containerFinder.PageSize = 100 | |
$containerResults = $containerFinder.FindAll() | |
foreach ($childContainer in $containerResults) | |
{ | |
CheckContainerForSidRecursive $childContainer.GetDirectoryEntry() $sidString | |
} | |
} | |
} | |
if ($DC -eq $null -or $SID -eq $null) | |
{ | |
"You must specify a DC and a SID" | |
return | |
} | |
$Global:Verbose = $Verbose | |
$rootDSE = [ADSI]("LDAP://" + $DC + "/RootDSE") | |
$domainContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.defaultNamingContext) | |
$configContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.configurationNamingContext) | |
if ($ConfigContext) | |
{ | |
CheckContainerForSidRecursive $configContainer $SID | |
} | |
else | |
{ | |
CheckContainerForSidRecursive $domainContainer $SID | |
} | |
"Done!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment