AD ACL Scanner is a free PowerShell-based GUI tool that allows you to easily generate an Active Directory permissions report in HTML and CSV.
By Michael Pietroforte

Robin Granberg, a Microsoft employee, built this useful AD permission analyzer. As you can see in the screenshot below, you don’t really notice that AD ACL Scanner was created with PowerShell. You also don’t need any PowerShell skills to use the tool. However, if you want to work with PowerShell to analyze AD permissions, you might find useful code in this somewhat lengthy “PowerShell script.”

AD ACL Scanner

The built-in AD tools are good for setting permissions. However, if you want to get an overview of the Active Directory permission structure, you usually need an AD reporting tool. The advantage of AD ACL Scanner is that it specializes in listing AD permissions without distracting you with all the bells and whistles of the more sophisticated AD reporting tools. AD ACL Scanner is very straightforward to use, and (in most cases) you will have your AD permissions report after a few clicks.

To execute the tool, you can right-click it and then select Run with PowerShell. If you run the script this way on a Windows 10 computer, you don’t have to change your PowerShell execution policy to RemoteSigned or Unrestricted, which you have to do if you start the tool from a PowerShell prompt. On a Windows 8.1 machine, you will be asked to change the execution policy if you launch AD ACL Scanner from File Explorer.

Once the GUI is running, you can directly connect to your AD domain; loading the Active Directory PowerShell module is not required. Next, you have to select the AD object for which you want to retrieve the permissions. In AD ACL Scanner’s Advanced section, you can set several options, such as the scan type (DACL or SACL) and the scan depth (OUs, containers, all objects).

I found it very useful that you can skip the default permissions that are automatically set whenever you create a new AD object. This allows you to focus on the permissions that admins have set manually.
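The following function is an added example, not code from AD ACL Scanner, that retrieves the same kind of data in plain PowerShell: the explicit (non-inherited) ACEs of one AD object, optionally with the schema default permissions removed and with the Allow/Deny, object-type and principal filters described further below. It assumes the RSAT ActiveDirectory module and a domain-joined session; the DN `OU=Sales,DC=example,DC=com` and the account `CONTOSO\test` are placeholders. Note that it compares against the defaultSecurityDescriptor of the current schema, so objects created under an older schema may still show ACEs that were defaults at that time.

```powershell
# Added example (not from AD ACL Scanner). Requires the RSAT ActiveDirectory module.
# All DNs and account names used with it are placeholders.
Import-Module ActiveDirectory

# Builds a comparable key for an ACE: identity (as SID), rights, type, GUIDs and inheritance.
function ConvertTo-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Get-ExplicitAdAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [switch] $SkipSchemaDefaults,                   # drop ACEs matching the class's defaultSecurityDescriptor
        [ValidateSet('Allow', 'Deny')] [string] $AccessControlType,
        [string] $AppliesToClass,                       # e.g. 'user' or 'printQueue'
        [string] $Identity                              # e.g. 'CONTOSO\test' (placeholder)
    )

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -Identity $DistinguishedName -Properties objectClass, nTSecurityDescriptor

    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false), identities as SIDs
    $aces = @($obj.nTSecurityDescriptor.GetAccessRules($true, $false, $sidType))

    if ($SkipSchemaDefaults) {
        # The defaults for this object class live in the schema as an SDDL string.
        $filter = "(&(objectClass=classSchema)(lDAPDisplayName=$($obj.ObjectClass)))"
        $class  = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties defaultSecurityDescriptor
        $defaultSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $defaultSd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)
        $defaultKeys = @($defaultSd.GetAccessRules($true, $false, $sidType) | ForEach-Object { ConvertTo-AceKey $_ })
        $aces = $aces | Where-Object { $defaultKeys -notcontains (ConvertTo-AceKey $_) }
    }

    if ($AccessControlType) {
        $aces = $aces | Where-Object { $_.AccessControlType -eq $AccessControlType }
    }

    if ($AppliesToClass) {
        # An ACE applies to a class when InheritedObjectType is that class's schemaIDGUID,
        # or when it is the empty GUID (the ACE applies to every object class).
        $filter = "(&(objectClass=classSchema)(lDAPDisplayName=$AppliesToClass))"
        $classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties schemaIDGUID).schemaIDGUID
        $aces = $aces | Where-Object { $_.InheritedObjectType -eq $classGuid -or $_.InheritedObjectType -eq [guid]::Empty }
    }

    if ($Identity) {
        $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate($sidType)
        $aces = $aces | Where-Object { $_.IdentityReference -eq $sid }
    }

    foreach ($ace in $aces) {
        # Resolve the SID back to a name for the report; keep the SID if it cannot be resolved.
        $name = $ace.IdentityReference.Value
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Identity    = $name
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            ObjectType  = $ace.ObjectType
            AppliesTo   = $ace.InheritedObjectType
            Inheritance = $ace.InheritanceType
        }
    }
}

# Usage (placeholder DN): manual Allow ACEs on an OU, exported as a CSV report
Get-ExplicitAdAce -DistinguishedName 'OU=Sales,DC=example,DC=com' -SkipSchemaDefaults -AccessControlType Allow |
    Export-Csv -Path .\acl-report.csv -NoTypeInformation
```

Reading the DACL from nTSecurityDescriptor is equivalent to `Get-Acl -Path "AD:\<DN>"` but does not depend on the AD: drive. Identities are compared as SIDs rather than names so that the default-permission match does not break on renamed or untranslatable accounts.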

AD ACL Scanner generates reports in either CSV or HTML. If you choose the latter, a window with an HTML table will automatically pop up after the tool finishes scanning the directory.

An ACL Report with excluded default permissions

You can also compare CSV reports to generate a list of permission changes. First, you select a previously stored CSV file; then, you run a new scan for the corresponding AD object. AD ACL Scanner will then create a new HTML report that shows the differences.

Comparing Active Directory permissions

In my test, I added permissions for the user test, which the tool correctly displayed in the comparison report. For some reason, it also listed the Everyone group in the report even though I didn’t change its permissions.
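The same comparison can be done on two CSV exports of the same object with `Compare-Object`, as in this added example (not code from AD ACL Scanner). The two CSV texts are constructed sample data with invented names; a report written by an earlier scan would be loaded with `Import-Csv` instead. The `ScanTime` column is there to show why the compared columns should be chosen deliberately: a column that differs between every run would otherwise make every unchanged ACE appear as removed and re-added.

```powershell
# Added example (not from AD ACL Scanner): report the ACEs added or removed between two CSV scans.

# Constructed sample reports: the current scan adds one ACE for the user "test".
$baselineCsv = @'
Object,Identity,Rights,Type,Inheritance,ScanTime
"OU=Sales,DC=example,DC=com",EXAMPLE\Domain Admins,GenericAll,Allow,All,2023-01-01T10:00:00
"OU=Sales,DC=example,DC=com",Everyone,ReadProperty,Allow,All,2023-01-01T10:00:00
'@

$currentCsv = @'
Object,Identity,Rights,Type,Inheritance,ScanTime
"OU=Sales,DC=example,DC=com",EXAMPLE\Domain Admins,GenericAll,Allow,All,2023-02-01T10:00:00
"OU=Sales,DC=example,DC=com",Everyone,ReadProperty,Allow,All,2023-02-01T10:00:00
"OU=Sales,DC=example,DC=com",EXAMPLE\test,WriteProperty,Allow,All,2023-02-01T10:00:00
'@

function Compare-AceReport {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Baseline,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current,
        # Only these columns identify an ACE; volatile columns such as ScanTime are ignored.
        [string[]] $KeyColumns = @('Object', 'Identity', 'Rights', 'Type', 'Inheritance')
    )

    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $KeyColumns -PassThru |
        ForEach-Object {
            # '=>' means the ACE exists only in the current scan, '<=' only in the baseline.
            $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            $_ | Add-Member -NotePropertyName Change -NotePropertyValue $change -PassThru |
                Select-Object -Property (@('Change') + $KeyColumns)
        }
}

$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv

# With stored reports: $baseline = Import-Csv .\acl-report-old.csv; $current = Import-Csv .\acl-report-new.csv
Compare-AceReport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With the sample data only the ACE for `EXAMPLE\test` is reported as Added; the Everyone entry is identical in both scans on every key column and therefore does not appear.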

Also very useful are the tool’s filters. You can limit the output to either Allow or Deny permissions. You can also list only the permissions that apply to a certain object type, say user or printerQueue, or to only include permissions that have been set for a particular user or group.

I didn’t discuss all of AD ACL Scanner’s features. All in all, I believe the tool will deliver the results you need in most scenarios. What I miss is a feature that shows the PowerShell commands that are used to retrieve the data from Active Directory, so you can use them in your own scripts. Note that you also can’t use AD ACL Scanner from a PowerShell console. Even though the tool has been written in PowerShell, you can only interact with it via its GUI.

5 Comments
  1. Milan Banjac 8 years ago

    This tool is very useful, I found it easy to use and good for the tasks I had.

    Exclusion of default permissions can be tricky though, because default permissions depend on the actual schema that was “in force” when the AD object was created. I had an issue with default permissions for the TerminalServer attribute that are different on user objects created before the Windows Server 2008 Schema was introduced into the forest (described as Cause 3 at https://support.microsoft.com/en-us/kb/2030310#%2Fen-us%2Fkb%2F2030310).
    So probably one has to keep in mind that default permissions are not exactly the same for all objects but depend on the date of creation of the object.
    In my case I had to develop a PowerShell script to search for all objects with the missing permissions and create them so that they match the default permissions for the current schema version.

  2. Milan, that’s true, the default permissions are stored in the Schema and it is also possible to change them. I didn’t test this, but I guess AD ACL Scanner reads the default permissions from the Schema and then removes them from the result table.

  3. Milan Banjac 8 years ago

    Yes Michael, I guess you are right – the tool reads the current schema and then removes defaults from the view.
    My comment was just intended to help people who bump into the same obstacle as I did, since there are many AD forests that have objects created before the latest schema was applied and sometimes this creates problems, just like with Terminal Services Licensing.

  4. Hi Michael, first of all thanks for this article, I found this tool really helpful.
    For your information AD ACL Scanner is now available at https://github.com/canix1/ADACLScanner and the download link is https://github.com/canix1/ADACLScanner/raw/master/ADACLScan.ps1 (right click and save as).

© 4sysops 2006 - 2023