I am writing a script that will grab the audit settings of all GPOs in my Active Directory forest. I get most of what I need with this:
Get-Gpo -All |
ForEach-Object {$GPO = $_.DisplayName; Get-Acl -Path ("AD:\" + $_.Path) -Audit |
Select-Object @{n="GPO";e={$GPO}},PSChildName,AuditToString,Audit,AccessToString,sddl} |
select GPO,AuditToString,AccessToString,sddl |
Format-list |
out-file C:\Users\scott\Desktop\gpo_acl.txt
The output from this looks like this:
GPO : Server 2019
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)
GPO : Computer Quarantine
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)
(I truncated the Sddl output because it would make information public that I didn't want public.) What I'm now trying to accomplish is to make that Sddl output more human readable. I can manually copy the Sddl output into a command like this:
ConvertFrom-SddlString -sddl "PAI(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;ED)" -type ActiveDirectoryRights |
Select-Object -ExpandProperty DiscretionaryAcl
And it gives me output that looks nicer, like this:
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
I'm trying to get that nicer output within the for-each loop I posted in the beginning. A colleague suggested adding this hashtable at the end of the select-object:
Get-Gpo -All |
ForEach-Object {$GPO = $_.DisplayName; Get-Acl -Path ("AD:\" + $_.Path) -Audit |
Select-Object @{n="GPO";e={$GPO}},PSChildName,AuditToString,Audit,AccessToString,sddl,@{n="SDDLString";e={ConvertFrom-SddlString($_.sddl)}}} |
select GPO,AuditToString,AccessToString,sddl |
Format-list |
out-file C:\Users\scott\Desktop\gpo_acl.txt
but it prints the name of the object instead of the content. Ideally, I'd like the output to look something like this:
GPO : Server 2019
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
GPO : Computer Quarantine
AuditToString : Everyone Success
Everyone Failure
Everyone Success
Everyone Success
Sddl : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\Authenticated Users: AccessAllowed (GenericExecute, GenericRead, ListChildren, ListObject, ReadControl, ReadProperty)
NT AUTHORITY\SYSTEM: AccessAllowed (CreateChild, Delete, DeleteChild, DeleteTree, ExecuteKey, FullControl, GenericExecute, GenericRead, GenericWrite, ListChildren, ListObject, Read, ReadAndExecute, ReadControl, ReadProperty, Self, WriteDacl, WriteKey, WriteOwner, WriteProperty)
Any suggestions would be very appreciated.
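One way to get the expanded entries into the per-GPO report, as an added example that is not the poster's or the colleague's script: the calculated property has to return text rather than the object that ConvertFrom-SddlString produces (that object's nested DiscretionaryAcl/SystemAcl properties are what Format-List collapses into a type name), and the property must not be dropped by a later Select-Object. The helper name Convert-SddlToText and the output path are assumptions; the GroupPolicy and ActiveDirectory modules must be available so that Get-GPO and the AD: drive work.

```powershell
# Added example, not the original poster's script.
# Produces a Format-List report per GPO where the Sddl field is replaced by the
# readable ACE lines that ConvertFrom-SddlString returns.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$outFile = 'C:\Users\scott\Desktop\gpo_acl.txt'   # assumed output path

function Convert-SddlToText {
    # Parse an SDDL string with the AD rights mapping and return the DACL
    # entries (plus SACL entries, if any) as one multi-line string.
    # Returning a string is what makes Format-List print the content
    # instead of the object's type name.
    param([Parameter(Mandatory)][string]$Sddl)

    $parsed = ConvertFrom-SddlString -Sddl $Sddl -Type ActiveDirectoryRights
    $lines  = @()
    $lines += $parsed.DiscretionaryAcl
    if ($parsed.SystemAcl) {
        # Audit entries live in the SACL; include them since the report is
        # about audit settings.
        $lines += '--- SACL (audit) ---'
        $lines += $parsed.SystemAcl
    }
    return ($lines -join [Environment]::NewLine)
}

Get-GPO -All |
    ForEach-Object {
        $gpoName = $_.DisplayName
        Get-Acl -Path ("AD:\" + $_.Path) -Audit |
            Select-Object @{n = 'GPO';            e = { $gpoName } },
                          @{n = 'AuditToString';  e = { $_.AuditToString } },
                          @{n = 'AccessToString'; e = { $_.AccessToString } },
                          @{n = 'Sddl';           e = { Convert-SddlToText -Sddl $_.Sddl } }
    } |
    Format-List |
    Out-File -FilePath $outFile
```

Two points worth checking when running this: the calculated properties are the final shape of each record, so there is no second Select-Object to silently discard the converted field (that is what happened in the colleague's version, where the later select listed only the raw sddl); and reading the SACL with Get-Acl -Audit needs the "Manage auditing and security log" privilege on the account running the script, otherwise the audit entries come back empty while the DACL still converts fine.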
I think this might get you something closer to what you were expecting; I'm sure you can pop back in the Out-File yourself:
Mind the line breaks; they're just here so you don't have to side scroll