Viewing the security set on an Active Directory object is useful for troubleshooting and for security event investigations. Get-ADObjPermissions_ps1 reads your AD schema data, and provides a list of security set with both the setting and the delegate. This does not require admin permissions or any modules to run. It take’s the object’s distinguished name…
Tag: OU permissions
Export and Import Delegated OU Permissions with PowerShell
There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties are flagged as hidden in a file called Dssec.dat, in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When…
Remove Active Directory Delegations
Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise. Removing the delegations for a user or group can be slow, especially if you do it manually. Microsoft has a good article about this process, but none of the methods I found did what I needed. I wanted a script which…
Too many permissions in AD
From MSKB 2001769: When you propagate the permissions on an object such as an organizational unit (OU), group, user, or computer in Active Directory, you may receive the following error: “Unable to save permission changes on ObjectName. A constraint violation occurred.” Cause: This will happen when the Access Control List (ACL) size on the object…