The other day, I encountered an Active Directory-related problem. The security model on the organizational units in this particular domain was quite complicated, arising from the multi-tenant nature of this domain and its "List Object Mode" configuration. (I've talked about List Object Mode before.)
First, a little background. Imagine you're looking at the OUs in Active Directory Users & Computers:
To cut to the chase, there was a problem with the ACL on each individual OU beneath Customers_OU (and there were hundreds!) where an access control entry (ACE) had been applied directly to each OU that allowed "Authenticated Users" the generic read permission. This was essentially undermining the inheritance of permissions from parent object to child object, and allowing an account in Customer1_OU to view the contents of Customer2_OU, and vice versa.
*The siren noise from Kill Bill plays here.*
I'm glossing over some of the details, but basically what needed to happen, was for me to enumerate over each and every one of those hundreds of individual customer OUs, and remove those <not inherited> ACEs.
There was no way I was going to do that by hand, through the GUI.
So I scripted it.
$AllOUs = Get-ADOrganizationalUnit -Filter * `
-SearchBase 'OU=CUSTOMERS_OU,DC=CONTOSO,DC=COM' `
-Properties * -SearchScope OneLevel
Foreach ($OU In $AllOUs)
$ACL = Get-ACL $OU.DistinguishedName
Foreach ($ACE In $ACL.Access)
If (($ACE.IdentityReference -EQ 'NT AUTHORITY\Authenticated Users') -AND `
($ACE.IsInherited -EQ $False))
Set-ACL -AclObject $ACL $OU.DistinguishedName -Verbose
That would have taken hours if done manually. Hours that I'd rather spend playing GTA V.