├── ADACLScan.ps1
├── README.md
├── license.md
└── src
    ├── ADACLScan6.0.png
    ├── ADACLScan7.0_CSVTEMPLATE.png
    ├── ADACLScan7.0_Compare.png
    ├── ADACLScan7.0_Permission.png
    ├── DonateBitCoin.png
    ├── Group effective permissions.png
    ├── SaveToExcel.jpg
    ├── adaclscan_commandline.gif
    └── effectiverights.gif

/README.md:
--------------------------------------------------------------------------------
# AD ACL Scanner

## Current version

**Version: 8.3**

**26 May, 2025**

**SHA256:** E7E5E1E9600326E8C9F0E3816A69BAF1D55B9EC26CA6E01ED6F75562E9AE5869

**Fixed issues**
* Running from the CLI no longer requires the PowerShell "ApartmentState" to be Single-Threaded Apartment (STA).

**New Features**
* Search with scope onelevel and set the depth of the search
* Example:
```
ADACLScan.ps1 -Base rootdse -SearchDepth 3 -LDAPFilter "(objectClass=OrganizationalUnit)"
```
* Get the version number of the nTSecurityDescriptor
* Export the defaultSecurityDescriptor with readable permissions
* Skip the banner in the CLI with -NoBanner

![](https://github.com/canix1/ADACLScanner/blob/master/src/ADACLScan7.0_Permission.png)

* From the CLI you can select Target and select RiskyTemplates to scan published certificate templates with "supply in request" (the enrollee supplies the subject name, the classic risky template setting).
* The default output from the CLI is structured and translated.
* The default CSV file output option is structured and translated and cannot be used for comparing.
* New output option for comparing, called CSVTEMPLATE from the CLI and "CSV Template" in the GUI.
* The old CLI output format is produced by using the -RAW switch.

## Download
**[Release](https://github.com/canix1/ADACLScanner/releases/latest)**

## Donate
Do you appreciate my work and want to buy me a beer?
You can donate via PayPal: https://www.paypal.me/canix1 or send Bitcoins to bc1qte7vlwhvrju7msv9hzfytwy7jd9vlmnjfpm0366d62yx4ke89czsavk0hr

![](https://github.com/canix1/ADACLScanner/blob/master/src/DonateBitCoin.png)

## Description
* A tool completely written in PowerShell.
* A tool with a GUI used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory.

Related blog posts
* [Forensics - Active Directory ACL Investigation](https://blogs.technet.microsoft.com/pfesweplat/2017/01/28/forensics-active-directory-acl-investigation)
* [Take Control Over AD Permissions And The AD ACL Scanner Tool](https://blogs.technet.microsoft.com/pfesweplat/2013/05/13/take-control-over-ad-permissions-and-the-ad-acl-scanner-tool)

## History

Features and fixes https://github.com/canix1/ADACLScanner/wiki/History

## Features
* Search with scope onelevel and set the depth of the search
* Example:
```
ADACLScan.ps1 -Base rootdse -SearchDepth 3 -LDAPFilter "(objectClass=OrganizationalUnit)"
```

* Run the effective rights report from the command line.
* Parameter from the command line to include the modified date of the security descriptor in the report.
![](https://github.com/canix1/ADACLScanner/blob/master/src/effectiverights.gif)

* Save to an Excel file without Excel installed, both from the UI and the command line. Requires the ImportExcel PowerShell module, which you can install directly from the PowerShell Gallery.
![](https://github.com/canix1/ADACLScanner/blob/master/src/SaveToExcel.jpg)

* Command line support.
![](https://github.com/canix1/ADACLScanner/blob/master/src/adaclscan_commandline.gif)
* Custom search filter for scanning objects.
* Support for input from the pipeline. You can call ADACLScan.ps1 by sending a distinguishedName via the pipeline.
* Added a formatted synopsis to the script.
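The command-line items above put together as one script. This is an added example, not code from the ADACLScanner project: it verifies the downloaded script against the SHA256 published in this README (assumed here to be the hash of ADACLScan.ps1 itself), makes sure the ImportExcel module is present, and then feeds OU distinguishedNames to the script through the pipeline. Only `-NoBanner` and pipeline input are documented on this page; the `Test-ADACLScanRelease` function and the `$ExpectedSha256` variable are mine.

```powershell
# Added example, not part of ADACLScanner. Assumes ADACLScan.ps1 (8.3) sits in the current
# folder and that the ActiveDirectory module is available on this host.
$ExpectedSha256 = 'E7E5E1E9600326E8C9F0E3816A69BAF1D55B9EC26CA6E01ED6F75562E9AE5869'  # value from this README

function Test-ADACLScanRelease {
    # Hypothetical helper (mine): compare the on-disk script with the published hash and
    # only then clear Mark-of-the-Web so RemoteSigned execution policy will run it.
    param(
        [string]$Path = '.\ADACLScan.ps1',
        [string]$Expected = $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Expected) {
        throw "SHA256 mismatch for $Path (got $actual, expected $Expected); do not run it."
    }
    Unblock-File -Path $Path
    return $true
}

Test-ADACLScanRelease | Out-Null

# Excel export needs ImportExcel (PowerShell Gallery); install per-user if it is missing.
if (-not (Get-Module -ListAvailable -Name ImportExcel)) {
    Install-Module -Name ImportExcel -Scope CurrentUser
}

# Pipeline input: the script accepts distinguishedNames, so scan every top-level OU
# of the current domain, one scan per DN, without the banner.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter * -SearchScope OneLevel |
    Select-Object -ExpandProperty DistinguishedName |
    .\ADACLScan.ps1 -NoBanner
```

The hash check only proves the file matches what this README states; fetch the README and the release over HTTPS from the repository so the published value itself is trustworthy, and re-check after every update since the value changes per version.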
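The feature list below says the tool presents the true SDDL from nTSecurityDescriptor, bypassing the object-specific ACE merge that happens when an ObjectSecurity instance is created. The following added example (mine, not project code) shows that merge offline so you can see what a naive reader would hide: the same descriptor bytes are parsed once with `RawSecurityDescriptor`, which keeps the ACEs as stored, and once with `System.DirectoryServices.ActiveDirectorySecurity`, which canonicalizes the DACL and merges ACEs that share trustee, flags and object type. The SID and the object GUID are constructed values; any GUID works for the demonstration.

```powershell
# Added example, not ADACLScanner code. Runs offline on Windows PowerShell; nothing here
# touches a domain controller.
Add-Type -AssemblyName System.DirectoryServices

$Trustee  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed domain SID + RID
$AttrGuid = 'bf967a7f-0de6-11d0-a285-00aa003049e2'             # constructed; any attribute GUID will do

# Two separate object-specific ACEs for the same trustee and attribute: read-property (RP)
# and write-property (WP). A DC can store them exactly like this, as two ACEs.
$StoredSddl = "O:BAG:BAD:(OA;;RP;$AttrGuid;;$Trustee)(OA;;WP;$AttrGuid;;$Trustee)"

function Get-RawDescriptorBytes {
    # Turn the SDDL into the binary form a DC would hand back for nTSecurityDescriptor.
    param([string]$Sddl)
    $raw   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $raw.BinaryLength
    $raw.GetBinaryForm($bytes, 0)
    return $bytes
}

function Get-TrueSddl {
    # RawSecurityDescriptor keeps every ACE as it appears in the bytes: no canonicalization, no merge.
    param([byte[]]$Bytes)
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    [pscustomobject]@{
        AceCount = $raw.DiscretionaryAcl.Count
        Sddl     = $raw.GetSddlForm('All')
    }
}

function Get-MergedSddl {
    # ActiveDirectorySecurity derives from ObjectSecurity; loading the bytes runs the DACL
    # through canonicalization, which ORs together ACEs with identical trustee/flags/object type.
    param([byte[]]$Bytes)
    $ads = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $ads.SetSecurityDescriptorBinaryForm($Bytes)
    $rules = $ads.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        AceCount = $rules.Count
        Sddl     = $ads.GetSecurityDescriptorSddlForm('All')
    }
}

$bytes  = Get-RawDescriptorBytes -Sddl $StoredSddl
$stored = Get-TrueSddl   -Bytes $bytes
$merged = Get-MergedSddl -Bytes $bytes

"Stored on the object : $($stored.AceCount) ACE(s)  $($stored.Sddl)"
"Through ObjectSecurity: $($merged.AceCount) ACE(s)  $($merged.Sddl)"
```

The stored view keeps both ACEs; the ObjectSecurity view collapses them into a single `RPWP` ACE. Either is a valid description of the effective rights, but for comparing snapshots, for forensics on who added which ACE, or for the descriptor size the tool reports, you want the bytes as written. Note that `Get-ADObject -Properties nTSecurityDescriptor` already hands you an `ActiveDirectorySecurity`, so it cannot show the difference; to reproduce it against a real object you need the attribute as a byte array from LDAP (for example via System.DirectoryServices.Protocols, normally with the LDAP_SERVER_SD_FLAGS_OID control so a non-privileged reader still receives the DACL).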

![](https://github.com/canix1/ADACLScanner/blob/master/src/ADACLScan6.0.png)
## Feature list

* Scan linked Group Policy Objects
* View HTML reports of DACLs/SACLs and save them to disk.
* Export DACLs/SACLs on Active Directory objects in CSV format.
* Export DACLs/SACLs on Active Directory objects to an Excel sheet.
* Connect to and browse your default domain, schema, configuration or a naming context defined by distinguishedName.
* Browse a naming context by clicking your way around, either by OUs or by all types of objects.
* Report only explicitly assigned DACLs/SACLs.
* Report on OUs, OUs and Container objects, or all object types.
* Filter DACLs/SACLs for a specific access type. Where do "Deny" permissions exist?
* Filter DACLs/SACLs for a specific identity. Where does "Domain\Client Admins" have explicit access? Or use wildcards like "jdoe".
* Filter DACLs/SACLs for permissions on a specific object type. Where are permissions set on computer objects?
* Skip default permissions (defaultSecurityDescriptor) in the report. Makes it easier to find custom permissions.
* Report the owner of the object.
* Compare previous results with the current configuration and see the differences by color scheme (Green=matching permissions, Yellow=new permissions, Red=missing permissions).
* Report when permissions were modified.
* Can use AD replication metadata when comparing.
* Can convert a previously created CSV file to an HTML report.
* Effective rights: select a security principal and match it against the permissions in AD.
* Color coded permissions based on criticality when using the effective rights scan.
* List your domains and select one from the list.
* Get the size of the security descriptor (bytes).
* Reporting on disabled inheritance.
* Get all inherited permissions in the report.
* HTML reports contain headers.
* Summary of criticality for all report types.
* Refresh nodes by right-clicking a container object.
* Exclude objects from the report by matching a string against the distinguishedName.
* You can take a CSV file from one domain and use it for another. By replacing the old DN with the current domain's you can reuse reports between domains. You can also replace the NetBIOS (short domain name) part of the security principals.
* Reporting on modified default security descriptors in the Schema.
* Verifying the format of the CSV files used in the convert and compare functions.
* When comparing with a CSV file, nodes missing in AD will be reported as "Node does not exist in AD".
* The progress bar can be disabled to gain speed when creating reports.
* If the first node in the CSV file used for comparing can't be connected to, the scan will stop.
* Display group members of groups in the HTML report.
* Present the value of the true SDDL in nTSecurityDescriptor, bypassing the object-specific ACE merge done when a new instance of the ObjectSecurity class is initialized.
## System requirements
* PowerShell 3.0 or above
* PowerShell using a single-threaded apartment (STA) for the GUI; as of 8.3 the CLI no longer requires it
* Some functions require Microsoft .NET Framework version 4.0
--------------------------------------------------------------------------------
/license.md:
--------------------------------------------------------------------------------
Ms-PL
Microsoft Public License (Ms-PL)

This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions

The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law.

A "contribution" is the original software, or any additions or changes to the software.

A "contributor" is any person that distributes its contribution under this license.

"Licensed patents" are a contributor's patent claims that read directly on its contribution.

2. Grant of Rights

(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.

(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations

(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.

(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.

(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.

(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
--------------------------------------------------------------------------------
/src/ADACLScan6.0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/ADACLScan6.0.png
--------------------------------------------------------------------------------
/src/ADACLScan7.0_CSVTEMPLATE.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/ADACLScan7.0_CSVTEMPLATE.png
--------------------------------------------------------------------------------
/src/ADACLScan7.0_Compare.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/ADACLScan7.0_Compare.png
--------------------------------------------------------------------------------
/src/ADACLScan7.0_Permission.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/ADACLScan7.0_Permission.png
--------------------------------------------------------------------------------
/src/DonateBitCoin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/DonateBitCoin.png
--------------------------------------------------------------------------------
/src/Group effective permissions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/Group effective permissions.png
--------------------------------------------------------------------------------
/src/SaveToExcel.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/SaveToExcel.jpg
--------------------------------------------------------------------------------
/src/adaclscan_commandline.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/adaclscan_commandline.gif
--------------------------------------------------------------------------------
/src/effectiverights.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/canix1/ADACLScanner/9fee459ea2f27e7c1f66c2260ed465f537cf6bf8/src/effectiverights.gif
--------------------------------------------------------------------------------