Screenshots
AD ACL Scanner is functional tool that that been written entirely in powershell. It is used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory. It is particularly useful for comparing Access Control Lists using USN from replication metadata rapidly.
Getting started with AD ACL Scanner is relatively straightforward. The app launches a graphical interface without having to install it. You simply call the script file and display the rights in the related interface.
Key Features include:
- View HTML reports of DACLs/SACLs and save it to disk.
- Report only explicitly assigned DACLs/SACLs.
- Report on OUs , OUs and Container Objects or all object types.
- Report owner of object.
- Filter DACLs/SACLs for a specific access type. Where does “Deny” permission exists?
- Filter DACLs/SACLs for permission on specific object. Where are permissions set on computer objects?
- Filter DACLs/SACLs for a specific identity. Where does "Domain\Client Admins" have explicit access? Or use wildcards such as "jdoe".
- Filter DACLs/SACLs for permission on specific object. Where are permissions set on computer objects?
- Skip default permissions (defaultSecurityDescriptor) in report.
- Connect and browse you default domain, schema, configuration or a naming context defined by distinguishedname.
- Export DACLs/SACLs on Active Directory objects in a CSV format.
- Compare previous results with the current configuration and see the differences by color scheme.
- Report when permissions were modified.
- Can use AD replication metadata when comparing.
- Can convert a previously created CSV file to a HTML report.
To use AD ACL Scanner effectively, you need to allow script execution in PowerShell on the appropriate PC. The Set-ExecutionPolicy Unrestricted cmdlet allows you to execute any script you need in PowerShell. A word of caution: you should temporarily override this setting and ensure that you restore the default, after running the script.