Tip: ADACLScanner helps to audit the Active Directory

Especially in larger and, above all, older Active Directory environments, a large number of permissions and delegations accumulate over time. These often include entries with orphaned SIDs, for example where the user has already been deleted but the access control entry (ACE) referencing its SID still exists. Many people know these orphaned SIDs from file servers and their permission structures.

The script "ADACLScanner" by Robin Granberg can be used to analyze and audit the permissions within Active Directory. ADACLScanner is a PowerShell script that, after some familiarization, can be operated easily either via its GUI or from the shell.

Here is an overview of the GUI:

[Screenshot: the ADACLScanner GUI]

A report of the permissions in Active Directory can be output as an HTML, CSV or Excel document. Here is an example of the HTML report:

[Screenshot: ADACLScanner HTML report]

It is quite practical that a scan can be exported to a CSV file and later compared with a new scan, so that changes to permissions and delegations are noticed quickly. Here is an example in which the user "Support" has been given full access to an OU, which was not yet the case in the previous scan:

[Screenshot: comparison of two scans, showing the new full-access entry for "Support" on the OU]
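The comparison just described, written out as an added PowerShell example (my own code, not part of ADACLScanner or of the original post). It diffs two CSV exports with the built-in Compare-Object cmdlet and additionally flags rows whose trustee is an unresolved domain SID, i.e. the orphaned ACEs mentioned at the start. The column names and the CSV layout are an assumption about ADACLScanner's export and should be checked against the header line of a real export; the two exports are constructed sample data, and the SMTP settings at the end are placeholders.

```powershell
# Added example (not ADACLScanner's own code): compare two ADACLScanner CSV exports
# and flag orphaned SIDs. The column names below are an assumption about the export
# format; check the header line of your own export and adjust $AclColumns if needed.

$AclColumns = 'Object', 'IdentityReference', 'AccessControlType',
              'ActiveDirectoryRights', 'InheritanceType', 'ObjectType', 'InheritedObjectType'

# $true when an IdentityReference is an unresolved domain SID (S-1-5-21-...),
# i.e. the trustee no longer exists and the ACE is orphaned.
function Test-OrphanedSid {
    param([Parameter(Mandatory)][string]$IdentityReference)
    return $IdentityReference -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
}

# Diffs a baseline scan against a current scan. Rows are matched on all
# permission-relevant columns, so a modified right shows up as Removed + Added.
function Compare-AdAclScan {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $AclColumns |
        ForEach-Object {
            [pscustomobject]@{
                Change                = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Object                = $_.Object
                IdentityReference     = $_.IdentityReference
                AccessControlType     = $_.AccessControlType
                ActiveDirectoryRights = $_.ActiveDirectoryRights
                InheritanceType       = $_.InheritanceType
                Orphaned              = Test-OrphanedSid $_.IdentityReference
            }
        }
}

# --- Constructed sample data (not real exports) -------------------------------
$baselineCsv = @'
"Object","IdentityReference","AccessControlType","ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType"
"OU=Workstations,DC=corp,DC=example","CORP\Domain Admins","Allow","GenericAll","All","None","None"
"OU=Workstations,DC=corp,DC=example","NT AUTHORITY\Authenticated Users","Allow","GenericRead","None","None","None"
"OU=Workstations,DC=corp,DC=example","S-1-5-21-1111111111-2222222222-3333333333-1105","Allow","CreateChild, DeleteChild","All","None","None"
'@

$currentCsv = @'
"Object","IdentityReference","AccessControlType","ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType"
"OU=Workstations,DC=corp,DC=example","CORP\Domain Admins","Allow","GenericAll","All","None","None"
"OU=Workstations,DC=corp,DC=example","NT AUTHORITY\Authenticated Users","Allow","GenericRead","None","None","None"
"OU=Workstations,DC=corp,DC=example","S-1-5-21-1111111111-2222222222-3333333333-1105","Allow","CreateChild, DeleteChild","All","None","None"
"OU=Workstations,DC=corp,DC=example","CORP\Support","Allow","GenericAll","All","None","None"
'@

# In production replace the two here-strings with Import-Csv on the files
# ADACLScanner wrote, e.g. Import-Csv .\baseline.csv and Import-Csv .\current.csv
$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv

$changes = Compare-AdAclScan -Baseline $baseline -Current $current
$orphans = $current | Where-Object { Test-OrphanedSid $_.IdentityReference }

'Changed ACEs since baseline:'
$changes | Format-Table -AutoSize
'Orphaned SIDs still present in the current scan:'
$orphans | Select-Object Object, IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize

# Optional weekly mail (assumed SMTP settings; leave $SmtpServer empty to skip).
$SmtpServer = ''
if ($SmtpServer -and ($changes -or $orphans)) {
    $body = ($changes | Format-Table -AutoSize | Out-String) + ($orphans | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -From 'adacl-audit@corp.example' `
        -To 'secops@corp.example' -Subject 'AD ACL changes since baseline' -Body $body
}
```

With the sample data the diff reports exactly one row, the added GenericAll entry for "CORP\Support", and the orphan check reports the S-1-5-21-…-1105 entry that survived from the previous scan. Matching on the full set of permission columns rather than on trustee alone is deliberate: a delegation that is silently widened (say from CreateChild to GenericAll) is then visible as a removed and an added line instead of disappearing in a "same trustee, still present" match.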

Even better are the predefined templates containing the default settings of Active Directory, so that, for example, deviations from the defaults can be tracked. This is a good starting point, especially in older environments:

[Screenshot: comparison against a predefined default template]

For servers in German, however, the templates have to be adapted manually, because they contain the English names of the built-in principals. Here is an example:

[Screenshot: template with English principal names on a German server]

However, with a little "search & replace" this is quickly resolved. Since ADACLScanner can also be called directly from PowerShell with appropriate parameters, the tool is particularly suitable for auditing Active Directory. With a few adjustments to the script, changes to the permissions compared to the template can also be sent by e-mail on a weekly basis.
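As an added example that goes a step beyond the search & replace suggested above (my own PowerShell, not part of ADACLScanner or the post): instead of hard-coding German strings, the English principal names in a template are mapped to their well-known SIDs and those SIDs are resolved to whatever name the local operating system uses, so the same script works for any language. The well-known SIDs and RIDs are fixed facts; the assumptions are that the template has an "IdentityReference" column holding "DOMAIN\Name" style values, and that the caller supplies the domain SID (in practice from `(Get-ADDomain).DomainSID.Value`). The sample template at the end is constructed.

```powershell
# Added example (not ADACLScanner's own code): localize the English principal
# names in a template CSV by resolving well-known SIDs instead of string replace.
# Assumptions: the template has an "IdentityReference" column with "DOMAIN\Name"
# values, and the domain SID is passed in (e.g. (Get-ADDomain).DomainSID.Value).

# Resolves a SID to the account name the local OS uses ("BUILTIN\Administratoren"
# on a German system). Returns $null if this machine cannot resolve the SID.
function Get-LocalizedPrincipalName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # e.g. domain SID on a non-domain-joined box: keep the English name
    }
}

function Convert-AdAclTemplate {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$DomainSid,        # S-1-5-21-...
        [string]$ForestRootSid = $DomainSid              # Enterprise/Schema Admins live in the forest root
    )
    # English account name (domain prefix ignored) -> well-known SID / domain RID.
    $map = @{
        'Administrators'                     = 'S-1-5-32-544'
        'Account Operators'                  = 'S-1-5-32-548'
        'Print Operators'                    = 'S-1-5-32-550'
        'Pre-Windows 2000 Compatible Access' = 'S-1-5-32-554'
        'Authenticated Users'                = 'S-1-5-11'
        'SYSTEM'                             = 'S-1-5-18'
        'SELF'                               = 'S-1-5-10'
        'ENTERPRISE DOMAIN CONTROLLERS'      = 'S-1-5-9'
        'Everyone'                           = 'S-1-1-0'
        'Domain Admins'                      = "$DomainSid-512"
        'Domain Users'                       = "$DomainSid-513"
        'Domain Controllers'                 = "$DomainSid-516"
        'Cert Publishers'                    = "$DomainSid-517"
        'Schema Admins'                      = "$ForestRootSid-518"
        'Enterprise Admins'                  = "$ForestRootSid-519"
        'Key Admins'                         = "$DomainSid-526"
        'Enterprise Key Admins'              = "$ForestRootSid-527"
    }

    $rows = Import-Csv -Path $InputPath
    foreach ($row in $rows) {
        $name = ($row.IdentityReference -split '\\')[-1]   # strip "DOMAIN\" / "NT AUTHORITY\"
        if ($map.ContainsKey($name)) {
            $local = Get-LocalizedPrincipalName -Sid $map[$name]
            if ($local) { $row.IdentityReference = $local }
        }
    }
    $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
    return $rows
}

# --- Constructed sample template (not a real ADACLScanner template) ----------
$sample = @'
"Object","IdentityReference","AccessControlType","ActiveDirectoryRights"
"DC=corp,DC=example","BUILTIN\Administrators","Allow","GenericAll"
"DC=corp,DC=example","NT AUTHORITY\Authenticated Users","Allow","GenericRead"
"DC=corp,DC=example","CORP\Domain Admins","Allow","GenericAll"
'@
$in  = Join-Path $env:TEMP 'template-en.csv'
$out = Join-Path $env:TEMP 'template-local.csv'
Set-Content -Path $in -Value $sample -Encoding UTF8

# The domain SID below is a placeholder; on a domain member use (Get-ADDomain).DomainSID.Value
Convert-AdAclTemplate -InputPath $in -OutputPath $out `
    -DomainSid 'S-1-5-21-1111111111-2222222222-3333333333' | Format-Table -AutoSize
```

Run on a German Windows host, the BUILTIN and NT AUTHORITY rows come back as "VORDEFINIERT\Administratoren" and "NT-AUTORITÄT\Authentifizierte Benutzer" without any language-specific table in the script; the placeholder domain SID cannot be resolved, so the "Domain Admins" row is left unchanged rather than silently mangled, which is the behaviour you want when the script is run on the wrong machine. For a real domain the row is rewritten to the localized group name ("CORP\Domänen-Admins" on a German DC).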

Here is a good overview of how ADACLScanner can be used:

The current version of ADACLScanner can be downloaded here:

GitHub: canix1/ADACLScanner

2 thoughts on “Tip: ADACLScanner helps to audit the Active Directory”

  1. Great, thanks for this post / tool. I didn't know it. This topic keeps popping up for us.

