Find Users with Delegation Permission to Reset Passwords
To get a list of Active Directory users who have delegated permission to reset the password of other users, you can query the Access Control Entries (ACEs) in the security descriptor of each user object. Specifically, you look for ACEs that grant the Reset Password control access right, an extended right that is identified in the ACE by its GUID rather than by name. Note that the trustee holding the right is often a group rather than an individual user account.
Script Explanation:
Get Security Descriptor:
For each user in Active Directory, the script retrieves the object's security descriptor with Get-Acl (through the AD: PSDrive that the ActiveDirectory module provides) and examines the ACEs in its DACL.
Identify Reset Password Delegation:
Checks that the ACE is an Allow entry whose ActiveDirectoryRights include ExtendedRight.
Validates that the ObjectType GUID is the Reset Password (User-Force-Change-Password) control access right: 00299570-246d-11d0-a768-00aa006e0529.
Collect and Display Results:
Collects every trustee (user or group) that holds the Reset Password right on a user object, together with the target user it applies to.
Outputs the results in a formatted table and optionally exports them to a CSV file.
Domain Scope:
The script queries all users within the domain specified by Get-ADDomain.
Notes:
Permissions: Reading a security descriptor requires the Read Permissions right on each object. Any authenticated domain user normally has it, but OUs with tightened ACLs may not expose it, so run the script as an account with read access to the whole search base.
Performance: The script calls Get-Acl once per user, so a directory with many users takes a while. Consider limiting the scope by changing the SearchBase or Filter parameters of Get-ADUser.
Coverage: The script matches only ACEs that grant the Reset Password extended right explicitly. A trustee that holds GenericAll, WriteDacl or WriteOwner on the user, or ExtendedRight with the all-zero ObjectType GUID (which covers every extended right), can reset the password just as well and is not reported. Inherited ACEs (for example a delegation set at the OU or domain level) are reported once for every user they apply to, so a single OU-level delegation shows up as many rows.
# Import Active Directory module (also creates the AD: PSDrive that Get-Acl needs)
Import-Module ActiveDirectory

# Control access right GUID for "Reset Password" (User-Force-Change-Password)
$ResetPasswordGuid = [guid]"00299570-246d-11d0-a768-00aa006e0529"

# Specify the domain and the root path
$Domain = (Get-ADDomain).DistinguishedName

# Get all user objects in the domain
$Users = Get-ADUser -Filter * -SearchBase $Domain

# Initialize a list to store results (a List avoids copying an array on every +=)
$DelegatedUsers = New-Object System.Collections.Generic.List[object]

# Loop through each user object
foreach ($User in $Users) {
    # Get the security descriptor (DACL) of the user
    $ACL = Get-Acl -Path ("AD:\" + $User.DistinguishedName)

    # Check each ACE for an Allow of the Reset Password extended right
    foreach ($Access in $ACL.Access) {
        # Deny ACEs never grant anything, skip them
        if ($Access.AccessControlType -ne "Allow") { continue }

        $IsExtendedRight = $Access.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)

        if ($IsExtendedRight -and ($Access.ObjectType -eq $ResetPasswordGuid)) {
            # Record the trustee (user or group) that holds the right over this user
            $DelegatedUsers.Add([PSCustomObject]@{
                UserWithPermission = $Access.IdentityReference.Value
                TargetUser         = $User.SamAccountName
                Permission         = "Reset Password"
                Inherited          = $Access.IsInherited   # True = inherited from an OU/domain ACE
            })
        }
    }
}

# Output results
if ($DelegatedUsers.Count -gt 0) {
    $DelegatedUsers | Format-Table -AutoSize

    # Optional: Export results to a CSV file
    $ExportPath = "C:\Path\To\DelegatedUsers.csv"
    $DelegatedUsers | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Host "Results exported to $ExportPath"
} else {
    Write-Host "No users found with delegation permissions to reset passwords."
}
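The following is an added example, not the script from the page above. It goes beyond the explicit Reset Password match: it also records the rights that imply the ability to reset a password (GenericAll, WriteDacl, WriteOwner, and ExtendedRight with the all-zero GUID that covers every extended right), skips Deny ACEs, and then collapses the per-user rows into one summary row per trustee so that a single OU-level delegation does not drown the output. The $ExcludedTrustees list and the CSV output path are assumptions to adjust for the domain under review.

```powershell
# Added example (not from the original page): find every trustee that can effectively
# reset user passwords, including rights that imply it, and summarize per trustee.
Import-Module ActiveDirectory

$ResetPasswordGuid = [guid]"00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
$AllExtendedRights = [guid]::Empty                                    # ExtendedRight + empty GUID = all extended rights
$ADRights          = [System.DirectoryServices.ActiveDirectoryRights]

# Trustees expected to hold these rights on every object; dropping them surfaces real
# delegation. This list is an assumption, extend it for the domain being reviewed.
$ExcludedTrustees = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")

$Domain = (Get-ADDomain).DistinguishedName
$Grants = New-Object System.Collections.Generic.List[object]

foreach ($User in Get-ADUser -Filter * -SearchBase $Domain) {
    $Acl = Get-Acl -Path ("AD:\" + $User.DistinguishedName)
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne "Allow") { continue }   # Deny ACEs grant nothing

        # Classify the ACE by the least surprising right that lets the trustee reset the password
        $Rights = $Ace.ActiveDirectoryRights
        $Via = $null
        if     ($Rights.HasFlag($ADRights::GenericAll)) { $Via = "GenericAll" }
        elseif ($Rights.HasFlag($ADRights::WriteDacl))  { $Via = "WriteDacl" }    # can grant itself the right
        elseif ($Rights.HasFlag($ADRights::WriteOwner)) { $Via = "WriteOwner" }   # can take ownership, then WriteDacl
        elseif ($Rights.HasFlag($ADRights::ExtendedRight)) {
            if     ($Ace.ObjectType -eq $ResetPasswordGuid) { $Via = "ResetPassword" }
            elseif ($Ace.ObjectType -eq $AllExtendedRights) { $Via = "AllExtendedRights" }
        }
        if (-not $Via) { continue }

        $Trustee = $Ace.IdentityReference.Value
        if ($ExcludedTrustees -contains $Trustee) { continue }

        $Grants.Add([PSCustomObject]@{
            Trustee   = $Trustee
            Target    = $User.SamAccountName
            Via       = $Via
            Inherited = $Ace.IsInherited   # True = ACE comes from an OU/domain, not set on this user
        })
    }
}

# One row per trustee: how many users it can reset, through which rights, and how many
# of the grants are explicit ACEs on individual users (0 = everything is inherited).
$Summary = $Grants | Group-Object -Property Trustee | ForEach-Object {
    [PSCustomObject]@{
        Trustee      = $_.Name
        TargetUsers  = $_.Count
        Via          = (($_.Group | ForEach-Object Via | Sort-Object -Unique) -join ", ")
        ExplicitACEs = @($_.Group | Where-Object { -not $_.Inherited }).Count
    }
} | Sort-Object -Property TargetUsers -Descending

$Summary | Format-Table -AutoSize
# Keep the full per-user detail for follow-up; path is an assumption
$Grants | Export-Csv -Path "C:\Path\To\ResetPasswordGrants.csv" -NoTypeInformation
```

Read the summary top-down: a trustee with a large TargetUsers count and ExplicitACEs of 0 is almost always an OU- or domain-level delegation (or a built-in group such as Account Operators), whereas a trustee with a handful of explicit ACEs is a per-user grant worth checking against the change record. Group trustees still need to be expanded with Get-ADGroupMember to see which accounts actually hold the right.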