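<#
.SYNOPSIS
    Lists the security principals that hold the directory-replication extended
    rights on the domain naming context (the rights needed for DCSync-style
    replication).

.DESCRIPTION
    Resolves the rightsGUID of the three replication control-access rights from
    the configuration partition, reads the ACL of the domain object and reports
    every ACE whose ObjectType is one of those GUIDs. ACEs that grant every
    extended right at once (ExtendedRight, or GenericAll which includes it, with
    an empty ObjectType) are reported as well, since such an ACE implicitly
    includes the replication rights and would otherwise be missed.

.OUTPUTS
    A list of PSCustomObject with IdentityReference, Permission,
    AccessControlType, IsInherited and ActiveDirectoryRights. Deny ACEs are
    included so the reviewer sees them; check AccessControlType before treating
    an entry as an effective grant.

.NOTES
    Requires the ActiveDirectory module (RSAT) and the AD: PSDrive it provides.
    Domain controllers, the Enterprise Domain Controllers groups and the
    built-in administrative groups hold these rights by default; any other
    principal in the output warrants review.
#>

Import-Module ActiveDirectory -ErrorAction Stop

$rootdse  = Get-ADRootDSE
$configNC = $rootdse.ConfigurationNamingContext

# Each control-access right is a separate controlAccessRight object with its own
# rightsGUID, so all three are resolved individually. These display names are
# script constants without LDAP metacharacters, so interpolating them into the
# filter below is safe.
$replicationPermission    = 'Replicating Directory Changes'
$replicationAllPermission = 'Replicating Directory Changes All'
$replicationFilteredSet   = 'Replicating Directory Changes in Filtered Set'

# Resolve the rightsGUID of one control-access right by display name.
# Throws when the right is not found so that a missing GUID never degrades into
# a silent $null comparison that would match nothing.
function Get-ControlAccessRightGuid {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ConfigurationNC
    )
    $filter = "(&(objectclass=controlAccessRight)(DisplayName=$DisplayName))"
    $right  = Get-ADObject -SearchBase $ConfigurationNC -LDAPFilter $filter `
                           -Properties rightsGUID -ErrorAction Stop
    if (-not $right -or -not $right.rightsGuid) {
        throw "Control-access right '$DisplayName' not found under $ConfigurationNC"
    }
    return [guid]$right.rightsGuid
}

$repl         = Get-ControlAccessRightGuid -DisplayName $replicationPermission    -ConfigurationNC $configNC
$replAll      = Get-ControlAccessRightGuid -DisplayName $replicationAllPermission -ConfigurationNC $configNC
$replFiltered = Get-ControlAccessRightGuid -DisplayName $replicationFilteredSet   -ConfigurationNC $configNC

# GUID -> display name, looked up once per ACE instead of a switch per ACE.
$rightNames = @{
    $repl         = $replicationPermission
    $replAll      = $replicationAllPermission
    $replFiltered = $replicationFilteredSet
}

# The replication rights are granted on the domain naming context itself.
$domainDN    = (Get-ADDomain).DistinguishedName
$aclOnDomain = Get-Acl -Path "AD:$domainDN"

# Progress text goes to the verbose stream so the output stream carries only
# result objects (the original emitted a bare string into the pipeline).
Write-Verbose "Replicating Directory Changes on $domainDN"

$dcSyncPermissionsArray = New-Object 'System.Collections.Generic.List[PSObject]'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($ace in $aclOnDomain.Access) {
    $objectType = $ace.ObjectType
    $permission = $null

    if ($rightNames.ContainsKey($objectType)) {
        $permission = $rightNames[$objectType]
    }
    elseif ($objectType -eq [guid]::Empty -and (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0)) {
        # An ExtendedRight ACE with an empty ObjectType applies to every
        # extended right, the replication rights included. GenericAll carries
        # the ExtendedRight bit, so it is caught here too.
        $permission = 'All extended rights (ObjectType empty)'
    }

    if ($null -eq $permission) { continue }

    $dcSyncPermissionsArray.Add([PSCustomObject][ordered]@{
        IdentityReference     = $ace.IdentityReference
        Permission            = $permission
        AccessControlType     = $ace.AccessControlType
        IsInherited           = $ace.IsInherited
        ActiveDirectoryRights = $ace.ActiveDirectoryRights
    })
}

return $dcSyncPermissionsArray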