Latest posts by Michael Pietroforte (see all)
- Evernote backup to Dropbox - Tue, Jan 9 2018
- Install PowerShell Core and the Azure module (AzureRM) on a Mac - Tue, Dec 26 2017
- New wiki doc about changing the PowerShell console colors - Thu, Dec 21 2017
Robin Granberg, a Microsoft employee, built this useful AD permission analyzer. As you can see in the screenshot below, you don’t really notice that AD ACL Scanner was created with PowerShell. You also don’t need any PowerShell skills to use the tool. However, if you want to work with PowerShell to analyze AD permissions, you might find useful code in this somewhat lengthy “PowerShell script.”
AD ACL Scanner
The built-in AD tools are good for setting permissions. However, if you want to get an overview of the Active Directory permission structure, you usually need an AD reporting tool. The advantage of AD ACL Scanner is that it specializes in listing AD permissions without distracting you with all the bells and whistles of the more sophisticated AD reporting tools. AD ACL Scanner is very straightforward to use, and (in most cases) you will have your AD permissions report after a few clicks.
To execute the tool, you can right-click it and then select Run with PowerShell. If you run the script this way on a Windows 10 computer, you don’t have to change your PowerShell execution policy to remotesigned or unrestricted, which you have to do if you start the tool from a PowerShell prompt. On a Windows 8.1 machine, you will be asked to change the execution policy if you launch AD ACL Scanner from File Explorer.
Once the GUI is running, you can directly connect to your AD domain; loading the Active Directory PowerShell module is not required. Next, you have to select the AD object for which you want to retrieve the permissions. In AD ACL Scanner’s Advanced section, you can set several options, such as the scan type (DACL or SACL) and the scan depth (OUs, containers, all objects).
I found it very useful that you can skip the default permissions that are automatically set whenever you create a new AD object. This allows you to focus on the permissions that admins have set manually.
AD ACL Scanner generates reports in either CSV or HTML. If you choose the latter, a window with an HTML table will automatically pop up after the tool finishes scanning the directory.
An ACL Report with excluded default permissions
You can also compare CSV reports to generate a list of permission changes. First, you select a previously stored CSV file; then, you run a new scan for the corresponding AD object. AD ACL Scanner will then create a new HTML report that shows the differences.
Comparing Active Directory permissions
In my test, I added permissions for the user test, which the tool correctly displayed in the comparison report. For some reason, it also listed the Everyone group in the report even though I didn’t change its permissions.
Also very useful are the tool’s filters. You can limit the output to either Allow or Deny permissions. You can also list only the permissions that apply to a certain object type, say user or printerQueue, or to only include permissions that have been set for a particular user or group.
I didn’t discuss all of AD ACL Scanner’s features. All in all, I believe the tool will deliver the results you need in most scenarios. What I miss is a feature that shows the PowerShell commands that are used to retrieve the data from Active Directory, so you can use them in your own scripts. Note that you also can’t use AD ACL Scanner on a PowerShell console. Even though that tool has been written in PowerShell, you can only interact with it via its GUI.