Home / server / Questions / 304627
Accepted
Chris S
Asked: 2011-08-25 10:25:06 +0800 CST

PowerShell Script to find AD users with adminCount > 0

  • 772

I've recently discovered the "adminSDHolder" feature of Active Directory. I need a quick way to identify all users who will be affected by it, namely a script to dump the user accounts.

powershell active-directory

4 Answers

  1. Best Answer

    You can use this powershell script to return the users that have an adminCount greater than 0, which means that they are affected by the adminSDHolder feature. You'll need the AD Module for PowerShell installed, which comes with RSAT.

    import-module activedirectory

get-aduser -Filter {admincount -gt 0} -Properties adminCount -ResultSetSize $null
    • 18 
  2. ([adsisearcher]"(AdminCount=1)").findall()
    • 3

  3. This is a variant on the excellent answer by MDMarra.

    Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(admincount>0)" -Properties adminCount

    This uses -LDAPFilter instead of -Filter. Some people prefer to use the LDAP filter syntax because it is portable across many different types of applications.

    Note that Filter and LDAPFilter have similar performance characteristics since the filter is executed on the server side. When querying large directories, always try to do filtering directly like this, rather than using Where-Object which would cause all objects to be downloaded before filtering. This is described in detail on the TechNet article Filter vs. Where-Object.

    • 2 
  4. ## Script name = Set-IheritablePermissionOnAllUsers.ps1
##
## sets the "Allow inheritable permissions from parent to propagate to this
##object"check box
# Contains DN of users
#
#$users = Get-Content C:\C:\Navdeep_DoNotDelete\variables\users.txt

Get-ADgroup -LDAPFilter “(admincount=1)” | select name

$users = Get-ADuser -LDAPFilter “(admincount=1)”

##Get-QADUser -SizeLimit 0 | Select-Object Name,@{n=’IncludeInheritablePermissions’;e={!$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}} | Where {!$_.IncludeInheritablePermissions}

ForEach($user in $users)
{
# Binding the users to DS
$ou = [ADSI]("LDAP://" + $user)
$sec = $ou.psbase.objectSecurity
if ($sec.get_AreAccessRulesProtected())
{
$isProtected = $false ## allows inheritance
$preserveInheritance = $true ## preserver inhreited rules
$sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
$ou.psbase.commitchanges()
Write-Host "$user is now inherting permissions";
}
else
{
Write-Host "$User Inheritable Permission already set"
}
}
    • -2