bill-long/ScanADContainersForSid.ps1

## ScanADContainersForSid.ps1
# ScanADContainersForSid.ps1
#
# Traverses the Active Directory hierarchy looking
# for a SID in the ACL on any container.
#
# Examples:
#
# .\ScanADContainersForSid DC1 S-1-5-32-544
#
# .\ScanADContainersForSid DC1 S-1-5-32-544 -ConfigContext $true -Verbose $true

param([string]$DC, [string]$SID, [bool]$ConfigContext, [bool]$Verbose)

function CheckContainerForSidRecursive([ADSI]$container, [string]$sidString)
{
    # First check this container
    if ($Global:Verbose)
    {
        $container.Properties["distinguishedName"][0].ToString()
    }
    $sdFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(objectClass=*)", [string[]]("distinguishedName","ntSecurityDescriptor"), [System.DirectoryServices.SearchScope]::Base)
    $sdResult = $sdFinder.FindOne()
    $ntsdProp = $sdResult.Properties["ntSecurityDescriptor"]
    if ($ntsdProp -eq $null -or $ntsdProp.Count -lt 1)
    {
        if (!($Global:Verbose))
        {
            $container.Properties["distinguishedName"][0].ToString()
        }

        "    Could not read NTSD on container."
    }
    else
    {
        $commonSD = New-Object System.Security.AccessControl.CommonSecurityDescriptor($true, $true, [byte[]]$ntsdProp[0], 0)
        $dacl = $commonSD.DiscretionaryAcl
        for ($x = 0; $x -lt $dacl.Count; $x++)
        {
            if ($dacl[$x].IsInherited)
            {
                continue
            }

            $isMatch = [String]::Equals($dacl[$x].SecurityIdentifier.Value, $sidString, "OrdinalIgnoreCase")
            if ($isMatch)
            {
                if (!($Global:Verbose))
                {
                    $container.Properties["distinguishedName"][0].ToString()
                }

                "    SID found!"
                break
            }
        }

        # Now check the child containers
        $containerFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(|(objectClass=container)(objectClass=organizationalUnit))", @("distinguishedName"), "OneLevel")
        $containerFinder.PageSize = 100
        $containerResults = $containerFinder.FindAll()
        foreach ($childContainer in $containerResults)
        {
            CheckContainerForSidRecursive $childContainer.GetDirectoryEntry() $sidString
        }
    }
}

if ($DC -eq $null -or $SID -eq $null)
{
    "You must specify a DC and a SID"
    return
}

$Global:Verbose = $Verbose
$rootDSE = [ADSI]("LDAP://" + $DC + "/RootDSE")
$domainContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.defaultNamingContext)
$configContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.configurationNamingContext)

if ($ConfigContext)
{
    CheckContainerForSidRecursive $configContainer $SID
}
else
{
    CheckContainerForSidRecursive $domainContainer $SID
}

"Done!"
	# ScanADContainersForSid.ps1
	#
	# Traverses the Active Directory hierarchy looking
	# for a SID in the ACL on any container.
	#
	# Examples:
	#
	# .\ScanADContainersForSid DC1 S-1-5-32-544
	#
	# .\ScanADContainersForSid DC1 S-1-5-32-544 -ConfigContext $true -Verbose $true

	param([string]$DC, [string]$SID, [bool]$ConfigContext, [bool]$Verbose)

	function CheckContainerForSidRecursive([ADSI]$container, [string]$sidString)
	{
	# First check this container
	if ($Global:Verbose)
	{
	$container.Properties["distinguishedName"][0].ToString()
	}
	$sdFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(objectClass=*)", [string[]]("distinguishedName","ntSecurityDescriptor"), [System.DirectoryServices.SearchScope]::Base)
	$sdResult = $sdFinder.FindOne()
	$ntsdProp = $sdResult.Properties["ntSecurityDescriptor"]
	if ($ntsdProp -eq $null -or $ntsdProp.Count -lt 1)
	{
	if (!($Global:Verbose))
	{
	$container.Properties["distinguishedName"][0].ToString()
	}

	" Could not read NTSD on container."
	}
	else
	{
	$commonSD = New-Object System.Security.AccessControl.CommonSecurityDescriptor($true, $true, [byte[]]$ntsdProp[0], 0)
	$dacl = $commonSD.DiscretionaryAcl
	for ($x = 0; $x -lt $dacl.Count; $x++)
	{
	if ($dacl[$x].IsInherited)
	{
	continue
	}

	$isMatch = [String]::Equals($dacl[$x].SecurityIdentifier.Value, $sidString, "OrdinalIgnoreCase")
	if ($isMatch)
	{
	if (!($Global:Verbose))
	{
	$container.Properties["distinguishedName"][0].ToString()
	}

	" SID found!"
	break
	}
	}

	# Now check the child containers
	$containerFinder = New-Object System.DirectoryServices.DirectorySearcher($container, "(\|(objectClass=container)(objectClass=organizationalUnit))", @("distinguishedName"), "OneLevel")
	$containerFinder.PageSize = 100
	$containerResults = $containerFinder.FindAll()
	foreach ($childContainer in $containerResults)
	{
	CheckContainerForSidRecursive $childContainer.GetDirectoryEntry() $sidString
	}
	}
	}

	if ($DC -eq $null -or $SID -eq $null)
	{
	"You must specify a DC and a SID"
	return
	}

	$Global:Verbose = $Verbose
	$rootDSE = [ADSI]("LDAP://" + $DC + "/RootDSE")
	$domainContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.defaultNamingContext)
	$configContainer = [ADSI]("LDAP://" + $DC + "/" + $rootDSE.configurationNamingContext)

	if ($ConfigContext)
	{
	CheckContainerForSidRecursive $configContainer $SID
	}
	else
	{
	CheckContainerForSidRecursive $domainContainer $SID
	}

	"Done!"