Tuesday, April 16, 2024

Powershell Active Directory Permissions Report

Problem: You need to find out what kinds of access a user or group has in your *GIANT* Active Directory environment. Maybe not so giant, but still.

Cause: Active Directory permissions reports are a pain to build and often get farmed out to third-party vendors, and you don't want to (or can't) get said reports just to make them pretty.

Resolution: Use my script. What it does: when run in PowerShell (only tested in 5.1, but it should hopefully work in 7.2/7.4), the script finds the AD forest that the current computer is part of, gets its domains, scans for objects (of the types you want), and then gets ALL permissions, optionally filtering them for a user or group. You can even find out what a person *could* do by also including their group membership; this is often a hidden weakness, because you can't see anything with the user listed directly. I hope you find this helpful, it took me a while to get right.

https://github.com/hornerit/powershell/blob/master/Get-ActiveDirPermsReport.ps1
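To show the core of what the script above does, here is an added example (my own illustration, not the script from the repository) that walks every domain in the current forest, reads the ACL of each OU, and keeps only the ACEs granted to a principal or to any group it belongs to, nested groups included. It assumes the RSAT ActiveDirectory module on a domain-joined host; $principal is a placeholder account name.

```powershell
# Added example, not the post's script: report OU permissions held by a principal
# directly or through (nested) group membership, across all domains in the forest.
Import-Module ActiveDirectory

$principal = 'hornerit'   # placeholder sAMAccountName of the user or group to report on

# Resolve the principal and collect its SID plus the SIDs of every group it is in.
# The LDAP_MATCHING_RULE_IN_CHAIN filter (1.2.840.113556.1.4.1941) follows nesting.
$acct = Get-ADObject -Filter "sAMAccountName -eq '$principal'" -Properties objectSid
if (-not $acct) { throw "Principal '$principal' not found" }
$sidNames = @{ $acct.objectSid.Value = $principal }
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))"
foreach ($g in $nested) { $sidNames[$g.SID.Value] = $g.SamAccountName }

$report = foreach ($domain in (Get-ADForest).Domains) {
    # One AD: drive per domain so Get-Acl reads from that domain's directory
    $drive = "AD_$($domain -replace '\W', '_')"
    New-PSDrive -Name $drive -PSProvider ActiveDirectory -Root '' -Server $domain | Out-Null
    try {
        foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $domain) {
            $acl = Get-Acl -Path "$($drive):\$($ou.DistinguishedName)"
            # Request identities as SIDs so the match is exact, not name-based
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($sidNames.ContainsKey($ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Domain     = $domain
                        OU         = $ou.DistinguishedName
                        GrantedTo  = $sidNames[$ace.IdentityReference.Value]
                        Type       = $ace.AccessControlType
                        Rights     = $ace.ActiveDirectoryRights
                        ObjectType = $ace.ObjectType   # attribute/extended-right GUID; all zeros = any
                        Inherited  = $ace.IsInherited
                    }
                }
            }
        }
    }
    finally {
        Remove-PSDrive -Name $drive
    }
}

$report | Sort-Object Domain, OU | Format-Table -AutoSize
```

Rows whose GrantedTo is a group rather than the principal itself are exactly the "could do" rights the post describes: they never show the user's name in the ACL, so a report that filters only on the user misses them.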

Sample input: .\ActiveDirPermsReport.ps1 -UserOrGroup hornerit -ObjectsToScan OUs

Sample output: