Quick Tip – How to compare permissions between two Active Directory Accounts without losing your mind…
The other day I was asked to review a problem which, at first sight, appeared to be an issue with two accounts within Active Directory having different permissions applied to them.
Now, normally I would do this quickly with a side-by-side comparison in AD Users and Computers via the Security tab, but because our domain has, over the years, acquired a “few” custom security amendments from various admins (some of whom, if I ran into them now, I would kill with a large stuffed bunny), I took one look at the permissions list and decided that this was not going to be a straightforward task; more to the point, it was going to bore the pants off me, and I would probably expire during the process from intense boredom.
So I started to think: was there an easier way to do this? After some thought, the following is what I came up with.
There must, I reasoned, be a PowerShell command that would let me dump a couple of users’ permissions to a couple of files; once that was done, I could use some form of text comparison tool to analyse the files.
The good news is that, at least at first look, both of those thoughts were correct.
Many of you will have heard of the Quest Active Directory PowerShell extensions (known as the ActiveRoles Management Shell), which, as you might expect, add a number of cmdlets to your base PowerShell session. These include (amongst other things) a rather helpful cmdlet called Get-QADPermission (more on this in a moment).
If you would like to download the Quest extensions they are available for free from this URL (version 1.3.0): http://www.quest.com/powershell/activeroles-server.aspx. Essentially all you need to do is download them to a machine with PowerShell within your domain (not necessarily an Exchange server), install them, and then execute the command shell from the Quest Active Directory Tool menu (which will be located in your Start menu post installation). If you would rather stay in an existing PowerShell window, the same cmdlets can be loaded into it with Add-PSSnapin Quest.ActiveRoles.ADManagement.
Once installed, the first part of what I needed to achieve was to get a pair of text files, each containing one user’s permissions, so I used the Get-QADPermission cmdlet with the following switches:
-Inherited – Includes all permissions inherited from parent objects (such as OUs), not only the entries set explicitly on the user object
-SchemaDefault – Includes the entries that come from the schema’s default security descriptor for the user object class
To get the permission set into a text file I piped the output from the above to the Out-File cmdlet. One caveat: Out-File writes the same formatted table you see on screen and truncates each line at the host width (80 characters in a standard console), so long trustee names or rights lists can be cut off and two genuinely different entries can end up looking the same; pass -Width (for example -Width 300) or pipe through Format-List first so that every entry is written in full.
Therefore, in full, my command looked like the following for one of the users:
[PS] C:\>Get-QADPermission -id ann.parker -Inherited -SchemaDefault | Out-File x:\Ann.txt
Which, as you can imagine, produced a text file called “Ann.txt” in the root of “X:\” containing the security entries for the user “ann.parker”.
The output in my file looked like the following when opened in Windows Notepad (there are of course many more entries):
I then repeated the above for the second user (making sure to give Out-File a different file name).
Now that I had a text file with each user’s security permissions in it, I needed a means to compare them.
I jumped on my old mate “Google” and did a search for “Text File Comparison” and found a rather nice open-source (GPL-licensed) utility called “WinMerge” (available from http://winmerge.org/), which installs very simply and allows for side-by-side file comparison. I am sure a number of other tools do this as well, but this is the one I found and quite liked, mainly because it installed in 30 seconds and had me comparing files within another 20.
Using “WinMerge” to compare permissions:
If you have chosen to use WinMerge, once it is installed and running go to the [ File –> Open ] menu, see below
Where you will be presented with the following dialog box:
From the section entitled “Left”, click the browse button and navigate (using the open file dialog) to where you stored the security permissions of your first user; click OK and you will be returned to the “Select Files or Folders” dialog. Now click the “Right” browse button, navigate to the file for the second user you would like to compare, and click OK. You should now see a screen which looks like the following, see below
Click the OK button (within the “Select Files or Folders” dialog) and you will be presented with the main window. If the files are identical (and therefore the permissions are identical) you will see a window and message like the following example, see below
If however the files (and therefore the permissions) are different, you will see a window like the following:
As you can see from the above example, the program highlights where the missing permissions should be: because the cmdlet writes the entries in DACL order, which is the same for two accounts that inherit from the same parents, any permission that is additional on one account or missing on the other stands out as a highlighted block in the file. If the two accounts sit in different OUs the order can differ, in which case sort the lines of both files first (Get-Content followed by Sort-Object) so that reordered entries do not show up as false differences.
In my scenario I found that the two accounts in question had exactly the same permissions; in the end I traced the issue to roaming profiles on the destination server where the problem was happening. But I thought it would be useful to share the method for comparing account permissions at an AD level.
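The whole procedure above (dump both accounts with Get-QADPermission, then diff) can also be done without leaving PowerShell. The script below is an added example and is not the post’s own code or anything shipped by Quest: it pulls the same inherited and schema-default entries for two accounts, flattens each ACE to one line, sorts them, and lets Compare-Object report what exists on only one side, so a different ACE order between the two accounts cannot produce false differences. It assumes the Quest snap-in (Quest.ActiveRoles.ADManagement) is installed; the property names in $Fields are an assumption about the objects Get-QADPermission returns, so check them with Get-Member and adjust the list if yours differ.

```powershell
# Compare-AdAccountPermissions.ps1
# Added example (not from the original post): dump the ACEs of two AD accounts with
# Get-QADPermission and diff them with Compare-Object, so the result does not depend
# on the order in which the cmdlet lists the entries.
# Assumptions: the Quest ActiveRoles Management Shell snap-in is installed, and the
# objects returned by Get-QADPermission carry the properties named in $Fields (check
# with "Get-QADPermission -Identity <user> | Get-Member" and adjust the list if not).
# Usage: .\Compare-AdAccountPermissions.ps1 -LeftUser ann.parker -RightUser john.smith
param(
    [Parameter(Mandatory = $true)] [string] $LeftUser,
    [Parameter(Mandatory = $true)] [string] $RightUser
)

if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Property names assumed for the Quest permission objects; anything that identifies an
# ACE (trustee, rights, allow/deny, scope, explicit/inherited) belongs in this list.
$Fields = 'Account', 'Rights', 'AccessControlType', 'ApplyTo', 'Source'

function Get-NormalisedAces {
    # Returns one sorted, de-duplicated string per ACE on the given account, including
    # inherited entries and schema defaults, exactly as the manual dump in the post does.
    param([string] $Identity)

    Get-QADPermission -Identity $Identity -Inherited -SchemaDefault |
        Select-Object -Property $Fields |
        ForEach-Object {
            $ace = $_
            # Flatten the ACE to a single comparable line such as
            # "Account=DOMAIN\HelpDesk | Rights=ResetPassword | ..."
            ($Fields | ForEach-Object { '{0}={1}' -f $_, $ace.$_ }) -join ' | '
        } |
        Sort-Object -Unique
}

$left  = @(Get-NormalisedAces -Identity $LeftUser)
$right = @(Get-NormalisedAces -Identity $RightUser)

# Compare-Object rejects an empty reference or difference set, so fail loudly instead.
if ($left.Count -eq 0 -or $right.Count -eq 0) {
    throw "No permission entries returned for one of the accounts; check the identities and the snap-in."
}

$diff = Compare-Object -ReferenceObject $left -DifferenceObject $right

if (-not $diff) {
    Write-Output "Permissions on '$LeftUser' and '$RightUser' are identical ($($left.Count) distinct ACEs)."
}
else {
    # SideIndicator '<=' means the ACE exists only on $LeftUser, '=>' only on $RightUser.
    foreach ($entry in $diff) {
        $where = if ($entry.SideIndicator -eq '<=') { "only on $LeftUser" } else { "only on $RightUser" }
        Write-Output ('{0,-30} {1}' -f $where, $entry.InputObject)
    }
}
```

Because each ACE is reduced to a full-length string rather than a formatted table row, nothing is truncated the way Out-File can truncate it, and the same trick works with the Microsoft ActiveDirectory module if you do not have the Quest tools: replace the Get-QADPermission call with (Get-Acl -Path "AD:\<distinguishedName>").Access and put the .NET rule properties (IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited) in $Fields instead.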
I hope that you find this useful.