Tuesday, April 16, 2024

Powershell Active Directory Permissions Report

Problem: You need to find out what access a user or group has across your *GIANT* Active Directory environment. Maybe not so giant, but still.

Cause: Active Directory permissions reports are a pain to build, so they often get farmed out to third-party vendors, and you don't want to (or can't) buy those tools just to get a presentable report.

Resolution: Use my script. When run in PowerShell (only tested in 5.1, but it should also work in 7.2/7.4), it finds the AD forest the current computer belongs to, enumerates its domains, scans for objects of the types you choose, and collects ALL permissions on them, optionally filtering the results to one user or group. You can also find out what a person *could* do by including their group memberships; this is often a hidden weakness, because nothing shows up when you look only for ACEs that name the user directly. I hope you find this helpful; it took me a while to get right.

https://github.com/hornerit/powershell/blob/master/Get-ActiveDirPermsReport.ps1
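As an added illustration of the "what a person *could* do" point (this is not the linked script, which covers the whole forest and more object types): the snippet below lists every ACE on the OUs of the current domain that names the user directly or any group they belong to, nested groups included. It assumes the RSAT ActiveDirectory module and the AD: drive it creates on import, and uses the account name from the sample input.

```powershell
# Added example, not the Get-ActiveDirPermsReport.ps1 script. Lists OU ACEs that apply
# to a user either directly or through any (nested) group they are a member of.
# Assumes the RSAT ActiveDirectory module, which creates the AD: PSDrive on import.
Import-Module ActiveDirectory

function Get-EffectiveOuPermissions {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # Nested membership in one query via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    # Every principal whose ACEs count as "what this person could do": the user plus all their groups
    $sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
    # Tokens every logged-on user carries: Authenticated Users (S-1-5-11) and Everyone (S-1-1-0)
    $sids += 'S-1-5-11', 'S-1-1-0'
    $sidSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$sids)

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            try {
                # Compare on SIDs so renamed accounts and unresolved trustees match correctly
                $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }  # orphaned SID or foreign principal that cannot be translated; skip it
            if (-not $sidSet.Contains($aceSid)) { continue }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                GrantedVia = $ace.IdentityReference.Value   # the user directly, or the group that grants it
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType                # attribute/extended-right GUID, all-zero = everything
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Allow entries only, grouped so rights that arrive via a group are easy to spot
Get-EffectiveOuPermissions -SamAccountName 'hornerit' |
    Where-Object Type -eq 'Allow' |
    Sort-Object OU, GrantedVia |
    Format-Table -AutoSize
```

Rows whose GrantedVia is a group name are exactly the entries a report filtered on the user alone would miss.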

Sample input: .\ActiveDirPermsReport.ps1 -UserOrGroup hornerit -ObjectsToScan OUs

Sample output:



Tuesday, March 19, 2024

Azure Automation Hybrid Runbook PSPrivateMetadata missing

Problem: You have a Hybrid Runbook Worker running PowerShell 7.2 connected to Azure Automation, and a runbook fails to find its Job ID or reports that the PSPrivateMetadata variable does not exist.

Cause: On PowerShell 7.2 workers, PSPrivateMetadata is supplied as an environment variable, so it lives under the ENV: drive instead of being a regular PowerShell variable.

Resolution: If your 7.2 runbook needs PSPrivateMetadata, replace the reference with $ENV:PSPrivateMetadata. Note that on PS 5.1 you would typically read the job GUID as $PSPrivateMetadata.JobId.Guid; on 7.2 the GUID is supplied as a plain string, so $ENV:PSPrivateMetadata alone gives you the job ID.