stackoom
  简体   繁体   中英

Efficiently querying the Windows Active Directory for delegated access rights using Powershell

 原文  2019-08-29 19:35:09       powershell/ active-directory

Question

For auditing purposes we want to query the Active Directory to determine whether higher risk delegated access rights are assigned via OUs, Groups or Users.

We developed a Powershell script which does exactly that, however, we are running into performance issues and we would like to optimize the script. 

$objectList = (Get-ADObject -Filter 'ObjectClass -eq "organizationalUnit" -or ObjectClass -eq "group" -or ObjectClass -eq "user"')

ForEach($object in $objectList){
    $delegated_rights += (Get-Acl -Path "AD:\$object" |
         Select-Object -ExpandProperty Access).Where({($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000' <# All #>`
         -or $_.objectType.ToString() -eq 'bf967aba-0de6-11d0-a285-00aa003049e2' <# User #>`
         -or $_.objectType.ToString() -eq '00299570-246d-11d0-a768-00aa006e0529' <# User-Force-Change-Password #>`
         -or $_.objectType.ToString() -eq 'bf967a9c-0de6-11d0-a285-00aa003049e2' <# Group #>`
         -or $_.objectType.ToString() -eq 'f30e3bbe-9ff0-11d1-b603-0000f80367c1' <# GP-Link #>`
         -or $_.objectType.ToString() -eq 'f30e3bbf-9ff0-11d1-b603-0000f80367c1' <# GP-Options #>`
         -or ($_.objectType.ToString() -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2'-and $_.inheritedObjectType -eq 'bf967a9c-0de6-11d0-a285-00aa003049e2') <# Member in combination with Group #> )}) | 

         Select-Object @{name='Type';expression={'Object'}}, `
                       @{name='DistinguishedName';expression={$object}}, `
                       @{name='objectTypeName';expression={$schemaIDGUID.Item($_.objectType)}}, `
                       @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `
                       *
    }

On larger Active Directories the above code takes too long to perform. How can we improve the logic to make it more efficient?

1 answers

solution1
 0  2019-08-29 19:55:33

If this works exactly as you need it but is just slow you might want to look at trying a powershell workflow, which will allow for a parallel foreach. This is also probably a micro optimization at best but it might not hurt to try making all of those strings into an array and using -contains against $_.objectType.ToString(), could shave off some time.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Active Directory Querying with PowerShell Powershell querying users in Active Directory Effective Access Active Directory Object Using PowerShell PowerShell throws “access is denied” exception when using Azure Active Directory authentication to Windows 10 Powershell check if user is local-user and have admin rights from username and password on local windows machine (Not active directory) Powershell access lists in Active Directory Querying Active Directory user information using Powershell - seemingly equivalent syntax, different results? Installing the Active Directory PowerShell Module on Windows 10 Functioning of Azure Active Directory Module for Windows PowerShell install Active Directory module powershell for windows 10
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM