The goal of this PowerShell function is to create a report of permissions assigned to objects in Active Directory in much the same way as DsRevoke.

The names for extended rights and object types are read from the schema allowing the script to display friendly names.


Property Description
Name The name of the Object; by default this will be an OU, but I made this configurable (see examples).
DN The DN of the Object; equivalent to Object (DsRevoke)
ObjectClass Object class
SecurityPrincipal The User or Group (or Computer) the Access Control Entry is for; used as the search using DsRevoke
AccessType Allow or Deny; equivalent to ACE Type
Permissions Same as Permissions list in DsRevoke
AppliesTo What the ACE applies to; equivalent to “ACE inherited by all child objects” entry
AppliesToObjectType The object class the ACE applies to; equivalent to “ACE inherited by all child objects of Class …”
AppliesToProperty The specific property or Property Set an ACE applies to, or the Extended Right an ACE grants (if defined)
Inherited True if the Access Control Entry was inherited. Only applies with -Inherited switch.

Usage examples

Standard output (reporting on organizational units in the current domain):

Format Table:

Store in a variable:

Export to CSV:

Reporting on User objects:

Reporting on a sub-OU:

Reporting on contacts in a sub-OU:

Using a custom LDAP filter:

Including Inherited entries:


Leave a Reply

Your email address will not be published. Required fields are marked *