PowerShell: Clean AD Users’ ACL


While this isn’t strictly Messaging Development, this script is loosely related to a previous script that validates mailbox delegate permissions (by removing references to non-existent accounts). The same issue that applies to delegates applies to users. If a user has certain permissions on another account, those permissions are not removed from the account when the user is deleted. You end up with a duff entry in the ACL of the user: an ACE whose trustee SID no longer resolves to any account. Now, this isn’t an issue, and has absolutely no adverse effects that I am aware of, but it does mean that in a large environment that has probably been migrated/upgraded a few times, you may have many users with ACLs that have lots of bad references.

So, this PowerShell script can help.  But at this point I must emphasize that you need to test this script yourself, and I’d suggest always using the -WhatIf parameter before running it.  This is potentially a very dangerous script, and while I have done some fairly exhaustive testing on this one, I am far from infallible.  Any responsibility for the running of this script lies entirely with the person running it (as is the case for all other scripts on this blog).

Now that is out of the way…

The script itself is fairly simple. It uses the ActiveDirectory PowerShell module though, so it needs the Remote Server Administration Tools installed. To check whether a user has any invalid permissions:

.\Reset-ADPermissions user.name -WhatIf

If you see any reports of invalid references, then you could run the script without the -WhatIf to actually delete the invalid permissions.

You can also process multiple users simply by piping:

Get-ADUser -Filter 'Name -like "fred*"' | ForEach-Object { .\Reset-ADPermissions $_.SID -WhatIf }

Again, if you want to apply any changes listed, then remove the -WhatIf.

And finally, you can log the output by specifying a log file (which will be appended to, so will work fine for multiple users):

.\Reset-ADPermissions user.name -LogFile "c:\perm_check.log" -WhatIf
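To show what such a check looks like end to end, here is an added example of my own, not the Reset-ADPermissions.ps1 script from this post. It takes a user identity (name or SID, directly or from the pipeline), reads the user object's ACL through the ActiveDirectory module's AD: drive, flags explicit ACEs whose trustee SID cannot be translated to an account name, and only writes the cleaned ACL back if -WhatIf is not in effect. The helper names Write-Log and Test-OrphanedTrustee are my own; the -LogFile parameter mirrors the usage above but is assumed, not copied from the original script.

```powershell
# Added example (not the script from the post): report and optionally remove ACEs on an
# AD user object whose trustee SID no longer resolves. Assumes the ActiveDirectory module
# (RSAT) is installed, which also provides the AD: drive used below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
    [string]$Identity,   # sAMAccountName, SID, DN or GUID, anything Get-ADUser -Identity accepts

    [string]$LogFile     # optional; appended to, so several users can share one log
)

begin {
    Import-Module ActiveDirectory -ErrorAction Stop

    function Write-Log([string]$Message) {
        $line = "{0:s} {1}" -f (Get-Date), $Message
        Write-Verbose $line
        if ($LogFile) { Add-Content -Path $LogFile -Value $line }
    }

    # $true when the trustee cannot be translated to an account name.
    # That usually means a deleted principal, but a SID from a trusted domain that is
    # unreachable right now fails translation too, which is why -WhatIf and the log matter.
    function Test-OrphanedTrustee([System.Security.Principal.IdentityReference]$Ref) {
        try {
            $sid  = $Ref.Translate([System.Security.Principal.SecurityIdentifier])
            $null = $sid.Translate([System.Security.Principal.NTAccount])
            return $false
        } catch [System.Security.Principal.IdentityNotMappedException] {
            return $true
        }
    }
}

process {
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Only explicit ACEs can be removed here; inherited ones belong to a parent container.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-OrphanedTrustee $_.IdentityReference)
    })

    if ($orphans.Count -eq 0) {
        Write-Log "$($user.SamAccountName): no invalid references"
        return
    }

    foreach ($ace in $orphans) {
        Write-Log ("{0}: invalid reference {1} ({2} {3})" -f
            $user.SamAccountName, $ace.IdentityReference, $ace.AccessControlType, $ace.ActiveDirectoryRights)
        $null = $acl.RemoveAccessRule($ace)   # edits the in-memory copy only
    }

    # ShouldProcess honours -WhatIf and -Confirm; nothing is written unless it returns $true.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove $($orphans.Count) invalid ACE(s)")) {
        Set-Acl -Path $path -AclObject $acl
        Write-Log "$($user.SamAccountName): removed $($orphans.Count) ACE(s)"
    }
}
```

Run it the same way as the commands above, for example `.\Example-ADPermissions.ps1 user.name -LogFile "c:\perm_check.log" -WhatIf -Verbose`, and review the logged references before dropping -WhatIf. The two-step translation (identity to SID, then SID back to an NTAccount) is what distinguishes a genuinely unresolvable SID from an identity the AD: provider simply returned in SID form; rows for SIDs from a trusted domain that is currently unreachable will also be reported, so a log entry is a prompt to check, not proof the account is gone.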

Reset-ADPermissions.ps1
