Q. What Active Directory objects have specified access control entries (ACEs)?

Jerold Schulman

October 7, 2004

5 Min Read

I have scripted DSPerms.bat to return the distinguished names of directory services objects that have access control entries (ACEs) that you specify.

DSPerms.bat uses DSQUERY from the Active Directory command-line tools to retrieve the directory service objects, and Dsacls.exe to retrieve the ACEs on each object.

The syntax for using DSPerms.bat is:

DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]

Where:

StartNode      is the node where the search will start. It can be forestroot, domainroot, or an object distinguished name.

objectClass    is a filter to narrow the search. It can be * (no filtering), or any of the following Classes:

Search TermX   is a set of words from the 'fixed' Dsacls output, where 'fixed' refers to the altering of command control characters and the propagation of previous line data into white space, so as to render the human-readable output into computer-readable output. If a section of the Dsacls output contained:

Inherited to all subobjects
Allow Everyone                        SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS

then the 'fixed' output would contain:

Inherited to all subobjects Allow Everyone SPECIAL ACCESS {Inherited from parent}
Inherited to all subobjects Allow Everyone READ PERMISSONS {Inherited from parent}
Inherited to all subobjects Allow Everyone LIST CONTENTS {Inherited from parent}

Use ' marks within the double-quoted Search Term to combine words into phrases. A match requires that all words and phrases within the Search Term are contained in the 'fixed' Dsacls output.

Sample Usage and Console Output:

dsperms "CN=Users,DC=JSIINC,DC=TST" user "'JSIINC\Domain Users' 'SPECIAL ACCESS' userAccountControl Inherited parent"

NOTE: Using user in objectClass filtered out group and contact, which are both in the Users container.

"CN=test,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=Guest,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=SUPPORT_388945a0,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}

NOTE: DSPerms.bat supports multiple Search Terms, but using a single Search Term is likely to run faster.

DSPerms.bat is VERY resource intensive, and runs a VERY long time. Constrain your search as much as practical, and consider running it during a weekend.
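The normalization and matching described above, as an added example that is not part of the original DSPerms.bat: a Python rewrite of the 'fixing' step (the section header, trustee and inheritance note of an ACE are carried forward into its continuation lines, and <>, &, ( ) become {}, and, [ ]) and of the Search Term match (every word or 'quoted phrase' must occur in the fixed line, case-insensitively, as findstr /I /L would test it). The Dsacls text is a constructed sample rather than captured output, the trustee column is assumed to end at the first run of two or more spaces instead of the batch file's fixed 50-column split, and when several Search Terms are given a line is reported once if it matches any of them.

```python
"""Normalize Dsacls.exe output the way DSPerms.bat does and match Search Terms
against it. Added example: this is not the article's script, and the Dsacls
text below is a constructed sample, not output captured from a real domain."""
import re
import shlex

# Constructed sample of what dsacls "CN=test,CN=Users,DC=JSIINC,DC=TST" might print.
SAMPLE_DSACLS = """\
Access list:
Effective Permissions on this object are:
Allow JSIINC\\Domain Users             SPECIAL ACCESS for userAccountControl   <Inherited from parent>
                                      READ PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow Everyone                        SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
The command completed successfully
"""

# Lines DSPerms.bat discards rather than treating as section headers.
SKIP_PREFIXES = ("access list", "permissions", "the command completed")

# The same character substitutions the batch file's helper VBScript makes.
SUBSTITUTIONS = (("<", "{"), (">", "}"), ("&", "and"), ("(", "["), (")", "]"))


def fix_dsacls(text):
    """Return the 'fixed' form: one line per permission, each carrying the
    section header, the trustee and the inheritance note of the ACE it belongs
    to, so a single line is self-describing and can be searched on its own."""
    hdr = who = inherit = ""
    fixed = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw
        for old, new in SUBSTITUTIONS:
            line = line.replace(old, new)
        if line[0].isspace():
            # Continuation line: only a permission; header, trustee and
            # inheritance are propagated from the ACE line above it.
            perm = line.strip()
        else:
            stripped = line.strip()
            if stripped.lower().startswith(SKIP_PREFIXES):
                continue
            if stripped.split(None, 1)[0] not in ("Allow", "Deny"):
                # A section header such as "Inherited to all subobjects".
                hdr, who, inherit = stripped, "", ""
                continue
            # Assumption: the trustee column ends at the first run of two or
            # more spaces (the batch file uses a fixed 50-column split).
            parts = re.split(r"\s{2,}", stripped, maxsplit=1)
            who = parts[0]
            rest = parts[1] if len(parts) > 1 else ""
            m = re.search(r"\{[^}]*\}\s*$", rest)  # e.g. {Inherited from parent}
            inherit = m.group(0).strip() if m else ""
            perm = (rest[:m.start()] if m else rest).strip()
        fixed.append(" ".join(p for p in (hdr, who, perm, inherit) if p))
    return fixed


def matches(fixed_line, search_terms):
    """True when every word or 'quoted phrase' in search_terms occurs in the
    line as a case-insensitive literal substring (findstr /I /L semantics)."""
    hay = fixed_line.lower()
    return all(term.lower() in hay for term in shlex.split(search_terms))


def dsperms(objects, search_terms_list):
    """objects maps a distinguished name to its Dsacls output (the real script
    obtains both from dsquery and dsacls.exe). Returns the DN-prefixed fixed
    lines that match at least one of the Search Terms strings."""
    hits = []
    for dn, dsacls_text in objects.items():
        for line in fix_dsacls(dsacls_text):
            if any(matches(line, terms) for terms in search_terms_list):
                hits.append(f'"{dn}" {line}')
    return hits


if __name__ == "__main__":
    term = "'JSIINC\\Domain Users' 'SPECIAL ACCESS' userAccountControl Inherited parent"
    for hit in dsperms({"CN=test,CN=Users,DC=JSIINC,DC=TST": SAMPLE_DSACLS}, [term]):
        print(hit)
```

Run against a real domain, the objects dictionary would be filled from dsquery and dsacls.exe exactly as the batch file does; the parsing and matching above do not change.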

DSPerms.bat contains:

@echo off
if {%3}=={} @echo Syntax: DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
rem Build a helper VBScript that rewrites one Dsacls line into its 'fixed' form:
rem <> become {}, & becomes and, () become [], so cmd.exe can parse the text safely.
@echo dim iString, oString, objArgument>"%TEMP%\DSPerms.VBS"
@echo Set objArgument = Wscript.Arguments>>"%TEMP%\DSPerms.VBS"
@echo iString = objArgument(0) >>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(objArgument(0), "<", "{")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, ">", "}")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, "&", "and")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, "(", "[")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, ")", "]")>>"%TEMP%\DSPerms.VBS"
@echo Wscript.echo "*:" ^& oString>>"%TEMP%\DSPerms.VBS"
set StartNode=%1
set class=%2
shift
shift
set /a cnt=0
set tab=
rem blank is 50 spaces followed by #, so %blank:~0,n% yields n spaces for padding.
set blank=                                                  #
set OK=N
rem Store each "Search Terms" parameter in a 200-character slot of %tab%:
rem one digit for the word count, then the terms padded to 199 characters.
:ploop
if {%1}=={} goto pfin
set wrk1=%1
shift
set wrk1=%wrk1:"=% # # # # # # # # %blank:~0,50% %blank:~0,50% %blank:~0,50%  %blank:~0,50% #
set wrk2=%wrk1:~0,199%
set /a cnt=%cnt% + 1
set wrk2=%wrk2:'="%
call :numbparm %wrk2%
set tab=%tab%%np%%wrk2%
goto ploop
:numbparm
set /a np=0
:numbparm1
if {%1}=={#} goto :EOF
set /a np=%np% + 1
shift
goto numbparm1
:pfin
set hdr=
set who=
set perm=
set inherit=
set pwho=
set pperm=
set pinherit=
for /f "Tokens=*" %%a in ('dsquery * %StartNode% -filter "(&(objectClass=%class%))" -attr distinguishedName -L -limit 0') do (
 set dn="%%a"
 for /f "Tokens=* Delims=:" %%s in ('dsacls.exe "%%a"^|findstr /i /V /c:"The command completed successfully"') do (
  for /f "Tokens=1* Delims=:" %%y in ('cscript //NOLOGO "%TEMP%\DSPerms.VBS" "%%s"') do (
   set line=%%z %blank:~0,50% # # #
   call :doit
  )
 )
)
endlocal
del /q "%TEMP%\DSPerms.VBS"
goto :EOF
:doit
rem Columns 1-50 hold the trustee (Allow/Deny ...); the rest holds the permission and inheritance.
set who=%line:~0,50%
if "%who%" EQU "" set who=%blank:~0,50%
set who=%who:#=%
for /f "Tokens=1,2*" %%c in ('@echo %line:~50%') do (
 set prm=%%c %%d
 set inherit=%%e
 call :perm
)
goto :EOF
:perm
if "%prm%" EQU "" goto perm1
if "%prm%" EQU "DELETE #" set prm=DELETE&goto perm2
set work=%prm:#=%
if "%work%" EQU "%prm%" goto perm2
:perm1
rem No permission on this line: it is a section header, unless it is one of the lines we ignore.
if /i "%who:~0,11%" EQU "Access list" goto :EOF
if /i "%who:~0,11%" EQU "Permissions" goto :EOF
if "%who:~0,10%" EQU "%blank:~0,10%" goto :EOF
set hdr=%who%
set who=
set prm=
set inherit=
set pwho=
set pprm=
set pinherit=
goto :EOF
:perm2
rem Propagate the previous trustee and inheritance into continuation lines that left them blank.
if "%who:~0,10%" EQU "%blank:~0,10%" set who=%pwho%
if "%inherit%" NEQ "" set inherit=%inherit:#=%
if "%inherit%" EQU "" set inherit=%pinherit%&goto perm3
if "%inherit:~0,1%" EQU " " set inherit=%pinherit%&goto perm3
:perm3
if "%OK%" EQU "Y" If %cnt% EQU 1 call :build2&goto perm4
set /a seq=0
for /l %%f in (1,1,%cnt%) do call :Build %%f
:perm4
set pwho=%who%
set pprm=%prm%
set pinherit=%inherit%
goto :EOF
:Build
set /a pos=%seq% * 200
call set /a np=%%tab:~%pos%^,1%%
set /a pos=%pos% + 1
call set wrk1=%%tab:~%pos%^,199%%
call :build1 %np% %wrk1%
set /a seq=%seq% + 1
goto :EOF
:build1
if "%OK%" EQU "Y" If %cnt% EQU 1 goto build2
shift
set p1=%1
set p1=%p1:"=%
set p2=%2
set p2=%p2:"=%
if "%p2%" EQU "#" set p2=%blank:~0,1%
set p3=%3
set p3=%p3:"=%
if "%p3%" EQU "#" set p3=%blank:~0,1%
set p4=%4
set p4=%p4:"=%
if "%p4%" EQU "#" set p4=%blank:~0,1%
set p5=%5
set p5=%p5:"=%
if "%p5%" EQU "#" set p5=%blank:~0,1%
set p6=%6
set p6=%p6:"=%
if "%p6%" EQU "#" set p6=%blank:~0,1%
set p7=%7
set p7=%p7:"=%
if "%p7%" EQU "#" set p7=%blank:~0,1%
set p8=%8
set p8=%p8:"=%
if "%p8%" EQU "#" set p8=%blank:~0,1%
set p9=%9
set p9=%p9:"=%
if "%p9%" EQU "#" set p9=%blank:~0,1%
set OK=Y
:build2
rem Print the fixed line only if every word/phrase of the Search Term is found in it (findstr /I /L).
goto bld%np%
:bld1
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld2
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld3
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld4
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld5
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld6
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld7
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld8
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld9
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"^|findstr /I /L /C:"%p9%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)