

Permissions granted over AD object via Security Roles

May 07, 2019

The script creates a report containing the permissions granted over an AD object and the Security Roles that grant the permissions. The report will list all users and groups who have permissions to perform any operations on the object and also which permissions specifically are granted. The report will include permissions granted via Security Roles only.

To generate a report, create a Custom Command that runs the script and execute it on the object(s) you need.

Parameters:

  • $to - specifies email addresses of recipients of the report. If you want the report to be sent to the user who executes your Custom Command, specify %adm-InitiatorEmail%.
  • $subject - specifies the subject of the email message with the report;
  • $reportHeader - specifies the report header;
  • $reportFooter - specifies the report footer.
    You can use value references in the subject, header and footer. For example, if you specify %name%, the report will include the name of the object on which the script is executed.
# Report delivery settings. Adaxes value references such as %name% and
# %adm-InitiatorEmail% are substituted by the service (see the page text).
$to = "%adm-InitiatorEmail%" # TODO: modify me
$subject = "Summary of Permissions for Object '%name%'" # TODO: modify me
$reportHeader = "<h2><b>Permissions for object '%name%'</b></h2><br/>" # TODO: modify me
$reportFooter = "<p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

# Custom Command ID -> command name cache; FindCustomCommandName fills it so
# each command is searched for in the directory only once.
$customCommandHashTable = New-Object "System.Collections.Hashtable"

# Extended right GUID (braced "{...}" string form) -> right name, taken from
# the constants of the Softerra.Adaxes.Ldap.ExtendedRights class.
$extendedRightsGuid = @{}
foreach ($rightField in [Softerra.Adaxes.Ldap.ExtendedRights].GetFields())
{
    $rightGuid = $rightField.GetValue($NULL).ToString("B")
    $extendedRightsGuid.Add($rightGuid, $rightField.Name)
}

# Class of the object the Custom Command runs on; permission entries that are
# scoped to a different class are left out of the report.
$targetObjectClass = $Context.TargetObject.Class

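#######################################
# Resolve a Custom Command ID (GUID string) to the command's name.
# Globals:   $Context (read), $customCommandHashTable contents (written via parameter)
# Arguments: $commandID - GUID string of the Custom Command
#            $customCommandHashTable - ID -> name cache shared across calls
# Returns:   the command name, or $NULL when no command with that ID exists
#######################################
function FindCustomCommandName($commandID, $customCommandHashTable)
{
    # Cache hit: the name was already resolved for an earlier permission entry.
    $commandName = $customCommandHashTable[$commandID]
    if ($NULL -ne $commandName)
    {
        return $commandName
    }
    
    $customCommandContainerPath = $Context.GetWellKnownContainerPath("CustomCommands")
    # The filter compares the GUID's byte form, so the bytes are RFC 2254
    # hex-escaped; the escaped value contains no filter metacharacters.
    $guidByte = (New-Object "System.Guid" $commandID).ToByteArray()
    $guidHexString = [Softerra.Adaxes.Utils.Transform]::ToRfc2254HexString($guidByte)
    
    $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
    $searcher.SearchParameters.PageSize = 500
    $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchParameters.BaseObjectPath = $customCommandContainerPath
    $searcher.SearchParameters.Filter = "(&(objectClass=adm-CustomCommand)(adm-CustomCommandID=$guidHexString))"
    $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    
    $searcherResult = $NULL
    try
    {
        $searcherResult = $searcher.ExecuteSearch()
        $result = $searcherResult.FetchAll()
    }
    finally
    {
        # Dispose even when FetchAll throws, so the search handle is not leaked.
        if ($searcherResult) { $searcherResult.Dispose() }
    }
    
    if ($result.Count -ne 0)
    {
        $command = $Context.BindToObject(($result[0]).AdsPath)
        $commandName = $command.Get("name")
        $customCommandHashTable.Add($commandID, $commandName) | Out-Null
        return $commandName
    }
    
    return $NULL
}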

#######################################
# Turn a GUID into a readable name for the report.
# Tried in order: schema object class, schema attribute, extended right
# (script-level $extendedRightsGuid map), Custom Command. Falls back to the
# GUID string itself when nothing matches.
# Globals:   $extendedRightsGuid (read)
# Arguments: $objectTypeGuid - GUID to resolve
#            $customCommandHashTable - cache passed through to FindCustomCommandName
# Returns:   display name string, or the input GUID when unresolved
#######################################
function GetObjectType($objectTypeGuid, $customCommandHashTable)
{
    $schema = [Softerra.Adaxes.Directory.AdmServiceSchemaFactory]::Schema

    $classInfo = $schema.TryGetObjectClass($objectTypeGuid)
    if ($classInfo -ne $NULL)
    {
        return $classInfo.CommonName
    }

    $attributeInfo = $schema.TryGetAttributeType($objectTypeGuid)
    if ($attributeInfo -ne $NULL)
    {
        return $attributeInfo.AdminDisplayName
    }

    # $extendedRightsGuid is keyed by braced "{...}" GUID strings;
    # presumably $objectTypeGuid arrives in that same format — confirm.
    $rightName = $extendedRightsGuid[$objectTypeGuid]
    if ($rightName -ne $NULL)
    {
        return $rightName
    }

    $customCommandName = FindCustomCommandName $objectTypeGuid $customCommandHashTable
    if ($customCommandName -ne $NULL)
    {
        return "Execute '$customCommandName'"
    }

    return $objectTypeGuid
}

#######################################
# Resolve the trustee of a role assignment to a display name.
# Well-known and Adaxes virtual SIDs are mapped directly; any other SID is
# searched for in the directory (the trustee's domain, or all domains when
# $trusteeDomain is empty).
# Globals:   $Context (read)
# Arguments: $trusteeSid - SID string of the trustee
#            $trusteeDomain - domain to search, or empty for all domains
# Returns:   display name; the raw SID when the search finds no object or
#            more than one
#######################################
Function Get-TrusteeName ($trusteeSid, $trusteeDomain)
{
    switch ($trusteeSid)
    {
        "S-1-5-10"
        {
            return "Self"
        }
        "S-1-5-11"
        {
            return "Authenticated Users"
        }
        "S-1-9-1"
        {
            return "Owner"
        }
        "S-1-9-2"
        {
            return "Manager"
        }
        "S-1-9-3"
        {
            return "Secretary"
        }
        "S-1-9-2"
        {
            # NOTE(review): this label repeats the "S-1-9-2" arm above; that arm
            # already returned "Manager", so "Assistant" is never returned.
            # Confirm the SID intended for Assistant before relying on it.
            return "Assistant"
        }
        default
        {
            # Find the trustee in AD. With no domain, search from the virtual
            # root (all managed domains); otherwise search that domain only.
            if ([System.String]::IsNullOrEmpty($trusteeDomain))
            {
                $searcher = $Context.BindToObject("Adaxes://rootDSE")
                $searcher.VirtualRoot = $True
            }
            else
            {
                $searcher = $Context.BindToObject("Adaxes://$trusteeDomain/rootDSE")
                $searcher.VirtualRoot = $False
            }
            # The SID is read from the assignment object by the caller, not
            # from user input, and is placed in the filter as-is.
            $searcher.SearchFilter = "(objectSid=$trusteeSid)"
            $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
            $searcher.PageSize = 500
            $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

            try
            {
                $searchResultIterator = $searcher.ExecuteSearch()
                $searchResults = $searchResultIterator.FetchAll()

                # Zero hits or an ambiguous result: fall back to the SID text.
                if (($searchResults.Length -eq 0) -or ($searchResults.Length -gt 1))
                {
                    return $trusteeSid
                }
                else
                {
                    $name = $Context.GetDisplayNameFromAdsPath($searchResults[0].AdsPath)
                    return $name
                }
            }
            finally
            {
                # Release resources (also runs on the return paths above)
                if ($searchResultIterator){ $searchResultIterator.Dispose() }
            }
        }
    }
}

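#######################################
# HTML-encode a value before placing it in the report body.
# Trustee names, role names and object-type names come from the directory;
# a name containing '<', '>' or '&' would otherwise break the table or inject
# markup into the HTML e-mail.
# Arguments: $value - value to encode; $NULL becomes an empty string
# Returns:   encoded string
#######################################
function EncodeHtml($value)
{
    if ($NULL -eq $value) { return "" }
    # System.Net.WebUtility is part of the base .NET Framework (4.0+).
    return [System.Net.WebUtility]::HtmlEncode([string]$value)
}

# Get effective Security Role Assignments for the target object.
# GetEx throws when the attribute is absent; that is treated as "no roles"
# and reported in the header instead of failing the Custom Command.
try
{
    $effectiveRoleAssignments = $Context.TargetObject.GetEx("adm-EffectiveRoleAssignments")
}
catch
{
    $effectiveRoleAssignments = $NULL
    $reportHeader += "No Effective Roles for " + (EncodeHtml $Context.TargetObject.Get("name")) # TODO: modify me
}

# Build the report
# ($NULL on the left keeps the comparison a scalar test when GetEx returns an array.)
if ($NULL -ne $effectiveRoleAssignments)
{
    # Trustee display name -> StringBuilder holding that trustee's table
    $trustees = @{}
    foreach ($assignmentDN in $effectiveRoleAssignments)
    {
        $assignment = $Context.BindToObjectByDN($assignmentDN)
        $trusteeName = Get-TrusteeName $($assignment.Trustee) $($assignment.TrusteeDomain)
        if (-not($trustees.ContainsKey($trusteeName)))
        {
            $encodedTrustee = EncodeHtml $trusteeName
            $htmlTableBuilderNew = New-Object "System.Text.StringBuilder"
            # [void] keeps Append's return value (the builder itself) off the pipeline.
            # NOTE(review): '%%' in width is kept from the original; value references
            # (%...%) are substituted by Adaxes, so this is presumably an escaped '%' — confirm.
            [void]$htmlTableBuilderNew.Append(@"
<h4><b>$encodedTrustee</b></h4><br/>
<table border="1" width="100%%">
    <tr>
        <th>Security Role Name</th>
        <th>Access Mask</th>
        <th>Object type</th>
        <th>Access Type</th>
        <th>Applies to</th>
    </tr>
    
"@)
            $trustees.Add($trusteeName, $htmlTableBuilderNew)
        }

        $roleDN = $assignment.Get("adm-AssignmentRole")
        $role = $Context.BindToObjectByDN($roleDN)
        $rolePermissions = $role.Permissions
        $htmlTableBuilder = $trustees[$trusteeName]

        # Collect the cells of every applicable permission first, so that the
        # ROWSPAN of the role header equals the number of rows actually written
        # (entries scoped to another object class are skipped) and every row
        # is opened and closed exactly once.
        $rows = New-Object "System.Collections.Generic.List[string]"
        for ($i = 0; $i -lt $rolePermissions.Count; $i++)
        {
            $permissionEntry = $rolePermissions.GetObject($i)

            # Applies to
            $inheritedObjectTypeGuid = $permissionEntry.InheritedObjectType
            if ($NULL -eq $inheritedObjectTypeGuid)
            {
                $appliesTo = "All"
            }
            else
            {
                $appliesTo = GetObjectType $inheritedObjectTypeGuid $customCommandHashTable
                # Only entries that apply to the target object's class are reported.
                if ($appliesTo -ine $targetObjectClass)
                {
                    continue
                }
            }

            # Access Mask
            $accessMask = $permissionEntry.AccessMask.ToString()

            # Object Type
            $objectTypeGuid = $permissionEntry.ObjectType
            if ($NULL -eq $objectTypeGuid)
            {
                $objectType = "All"
            }
            else
            {
                $objectType = GetObjectType $objectTypeGuid $customCommandHashTable
            }

            # Access Type
            if ($permissionEntry.AccessType -eq "ADM_PERMISSION_TYPE_ALLOW")
            {
                $accessType = "Allow"
            }
            else
            {
                $accessType = "Deny"
            }

            $rows.Add("<TD>$accessMask</TD><TD>" + (EncodeHtml $objectType) + "</TD><TD>$accessType</TD><TD>" + (EncodeHtml $appliesTo) + "</TD></TR>")
        }

        # The role header spans all of its rows; at least one row is always
        # written so the assignment stays visible even when nothing applies.
        $rowSpan = [Math]::Max($rows.Count, 1)
        [void]$htmlTableBuilder.Append("<TR><TH ROWSPAN=$rowSpan>" + (EncodeHtml $role.Get("name")) + "</TH>")
        if ($rows.Count -eq 0)
        {
            [void]$htmlTableBuilder.Append("<TD COLSPAN=4><i>No permissions apply to '" + (EncodeHtml $targetObjectClass) + "'</i></TD></TR>")
        }
        else
        {
            for ($r = 0; $r -lt $rows.Count; $r++)
            {
                # The first row continues the <TR> opened for the role header.
                if ($r -ne 0) { [void]$htmlTableBuilder.Append("<TR>") }
                [void]$htmlTableBuilder.Append($rows[$r])
            }
        }
    }
    foreach ($trustee in $trustees.Keys)
    {
        $reportHeader += $trustees[$trustee].ToString()
        $reportHeader += "</table><br/>"
    }
}

$htmlBody = $reportHeader + $reportFooter

# Send mail
$Context.SendMail($to, $subject, $NULL, $htmlBody)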

