Franky's Web

Tip: ADACLScanner helps audit Active Directory

Especially in larger and, above all, older Active Directory environments, a large number of permissions and delegations accumulate over time. These often include ACEs with orphaned SIDs, for example where the user has long since been deleted but the ACE granting that user rights still exists; because the SID no longer resolves to a name, the ACL shows only the raw SID. Many people know orphaned SIDs from file servers and their permission structure.

The script "ADACLScanner" by Robin Granberg can be used to analyze and audit the permissions within Active Directory. ADACLScanner is a PowerShell script that, after some familiarization, is easy to operate via its GUI or directly from the shell.
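Before reaching for the tool, it helps to see what an orphaned ACE looks like at the PowerShell level. The following script is an added example and is not code from the original post or from the ADACLScanner project: it walks an OU subtree, reads each object's security descriptor through the module's AD: drive and returns every ACE whose domain SID no longer resolves to an account. It assumes the RSAT ActiveDirectory module on a domain-joined host; the OU in the usage line is a placeholder.

```powershell
# Added example (not from the original post or the ADACLScanner project):
# list ACEs in an OU subtree whose trustee SID no longer resolves, i.e. orphaned SIDs.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-OrphanedAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # Default: only OUs and containers, where delegations live.
        # Use '(objectClass=*)' to check every object (slow in large domains).
        [string] $LdapFilter = '(|(objectClass=organizationalUnit)(objectClass=container))',
        [switch] $IncludeInherited
    )

    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $LdapFilter
    foreach ($obj in $objects) {
        # The AD: PSDrive (provided by the module) exposes nTSecurityDescriptor via Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }

            # IdentityReference is an NTAccount when the SID resolved and a raw
            # SecurityIdentifier when it did not; normalize to the SID either way.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            # Well-known and BUILTIN SIDs (S-1-5-32-..., S-1-1-0, ...) are never orphans.
            if ($sid.Value -notlike 'S-1-5-21-*') { continue }

            try {
                $null = $sid.Translate([System.Security.Principal.NTAccount])
                continue   # resolves to an account: not orphaned
            } catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Object          = $obj.DistinguishedName
                    TrusteeSid      = $sid.Value
                    AccessType      = $ace.AccessControlType
                    Rights          = $ace.ActiveDirectoryRights
                    ObjectType      = $ace.ObjectType       # attribute/class/extended-right GUID, all-zero = all
                    InheritanceType = $ace.InheritanceType
                }
            }
        }
    }
}

# Usage (placeholder OU):
# Get-OrphanedAce -SearchBase 'OU=Corp,DC=example,DC=com' | Export-Csv .\orphaned-aces.csv -NoTypeInformation
```

One caveat a practitioner should keep in mind: a SID from a trusted domain also fails to translate while the trust (or its domain controllers) is unreachable, so entries from foreign domain SIDs should be re-checked before the ACE is removed.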

Here is an overview of the GUI:

A report of the permissions in Active Directory can be output as an HTML, CSV or Excel document. Here is an example of the HTML report:

It is quite practical that a scan can be exported to a CSV file and later compared with a new scan, so that changes to permissions and delegations are noticed quickly. Here is an example in which the user "Support" has been given full control over an OU, which was not the case in the previous scan:

Even better are the predefined templates with the default permissions of Active Directory, so that deviations from the defaults can be tracked. This is a good starting point, especially in older environments:

On German-language domains, however, the templates have to be created manually, because the templates contain the English group names. Here is an example:
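The screenshot of the English template is not reproduced here. As an added example (not code from the original post or from the ADACLScanner project), the following script does the name rewrite in a language-independent way: instead of a hard-coded English-to-German table, each English group name is mapped to its well-known SID or RID, resolved to the localized name in the domain the script runs in, and then replaced in the template text. It assumes the RSAT ActiveDirectory module; the template paths are placeholders, and names that do not resolve are left unchanged.

```powershell
# Added example (not from the original post or the ADACLScanner project):
# rewrite English group names in an ADACLScanner template with the localized
# names of the current domain, resolved via their well-known SIDs/RIDs.
# Assumes the RSAT ActiveDirectory module; paths are placeholders.
Import-Module ActiveDirectory

function Convert-TemplateGroupNames {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,
        [Parameter(Mandatory)] [string] $OutputPath
    )

    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

    # English name -> SID. BUILTIN and universal well-known SIDs are fixed; domain groups
    # are <domain SID>-<RID>; Enterprise/Schema/Enterprise Key Admins live in the forest root.
    $map = @{
        'Administrators'                     = 'S-1-5-32-544'
        'Account Operators'                  = 'S-1-5-32-548'
        'Server Operators'                   = 'S-1-5-32-549'
        'Print Operators'                    = 'S-1-5-32-550'
        'Backup Operators'                   = 'S-1-5-32-551'
        'Pre-Windows 2000 Compatible Access' = 'S-1-5-32-554'
        'Everyone'                           = 'S-1-1-0'
        'Authenticated Users'                = 'S-1-5-11'
        'ENTERPRISE DOMAIN CONTROLLERS'      = 'S-1-5-9'
        'Domain Admins'                      = "$domainSid-512"
        'Domain Users'                       = "$domainSid-513"
        'Domain Computers'                   = "$domainSid-515"
        'Domain Controllers'                 = "$domainSid-516"
        'Cert Publishers'                    = "$domainSid-517"
        'Group Policy Creator Owners'        = "$domainSid-520"
        'Key Admins'                         = "$domainSid-526"
        'RAS and IAS Servers'                = "$domainSid-553"
        'Enterprise Admins'                  = "$rootSid-519"
        'Schema Admins'                      = "$rootSid-518"
        'Enterprise Key Admins'              = "$rootSid-527"
    }

    $text = Get-Content -Path $TemplatePath -Raw
    # Longest names first, so 'Enterprise Key Admins' is rewritten before 'Key Admins'
    # and 'ENTERPRISE DOMAIN CONTROLLERS' before 'Domain Controllers'.
    foreach ($english in ($map.Keys | Sort-Object Length -Descending)) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $map[$english]
        try {
            $localized = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "$english ($($map[$english])) does not resolve here; left unchanged"
            continue
        }
        if ($localized -cne $english) {
            # Case-sensitive, whole-name match: do not touch substrings of other names.
            $pattern = '(?<![\w-])' + [regex]::Escape($english) + '(?![\w-])'
            $text = $text -creplace $pattern, $localized
        }
    }
    Set-Content -Path $OutputPath -Value $text -Encoding UTF8
}

# Usage (placeholder paths):
# Convert-TemplateGroupNames -TemplatePath .\Default_OU_Template.csv -OutputPath .\Default_OU_Template.de.csv
```

Run it on the domain whose localized names you need; on an English domain the translation returns the same names and the file is written unchanged. Because the template is treated as plain text, the script is independent of the template's column layout, and a warning for an unresolvable SID (for example Key Admins on a forest that predates the 2016 functional level) is expected rather than an error.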

With a bit of "search & replace", however, this is quickly fixed. Since ADACLScanner can also be called directly from PowerShell with the appropriate parameters, the tool is particularly well suited to auditing Active Directory. With a few adjustments to the script, changes to the permissions compared with the template can also be sent weekly by email.
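The weekly job described above, as an added example that is not code from the original post or from the ADACLScanner project: it runs ADACLScanner from the shell, compares the new CSV export with the previous run's export and mails the added and removed ACEs. The ADACLScan.ps1 parameters used (-Base, -Scope, -Output, -OutputFolder) are the ones documented in the project's README; verify them against the version you run. All paths, the OU, the mail addresses and the SMTP host are placeholders.

```powershell
# Added example (not from the original post or the ADACLScanner project): scheduled
# task that scans an OU with ADACLScanner, diffs the CSV against the previous run and
# mails the changes. Scanner parameters per the project README (verify for your version);
# all paths, the OU, the mail addresses and the SMTP host are placeholders.
param(
    [string]   $Scanner       = 'C:\Tools\ADACLScanner\ADACLScan.ps1',
    [string]   $Base          = 'OU=Corp,DC=example,DC=com',
    [string]   $ScanRoot      = 'C:\ADACL\Scans',
    [string]   $MailTo        = 'ad-audit@example.com',
    [string]   $MailFrom      = 'adaclscan@example.com',
    [string]   $SmtpHost      = 'smtp.example.com',
    [string[]] $IgnoreColumns = @()   # CSV columns to leave out of the comparison, if any
)

function Compare-AclScan {
    # Returns rows present only in the new scan (ADDED) or only in the old scan (REMOVED).
    param([string] $PreviousCsv, [string] $CurrentCsv, [string[]] $IgnoreColumns = @())
    # One key per row built from every compared column, so a change in trustee, rights,
    # inheritance or object type all show up as a removed row plus an added row.
    $key = @{ Name = 'Key'; Expression = {
        (($_.PSObject.Properties | Where-Object Name -notin $IgnoreColumns).Value -join '|') } }
    $old = Import-Csv $PreviousCsv | Select-Object *, $key
    $new = Import-Csv $CurrentCsv  | Select-Object *, $key
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Key -PassThru |
        Select-Object @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } }, * `
                      -ExcludeProperty Key, SideIndicator
}

# 1. Scan into a dated folder so the scanner's output file is easy to locate.
$runDir = Join-Path $ScanRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $runDir -Force | Out-Null
& $Scanner -Base $Base -Scope subtree -Output CSV -OutputFolder $runDir

$current  = Get-ChildItem -Path $runDir -Filter '*.csv' | Sort-Object LastWriteTime | Select-Object -Last 1
$previous = Get-ChildItem -Path $ScanRoot -Directory |
    Where-Object FullName -ne $runDir | Sort-Object Name | Select-Object -Last 1 |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter '*.csv' | Select-Object -First 1 }

if (-not $current)  { throw "no CSV produced in $runDir" }
if (-not $previous) { Write-Host 'first run, nothing to compare yet'; return }

# 2. Diff; 3. mail only when something changed.
$changes = @(Compare-AclScan -PreviousCsv $previous.FullName -CurrentCsv $current.FullName -IgnoreColumns $IgnoreColumns)
if ($changes.Count -eq 0) { Write-Host 'no ACL changes since the last scan'; return }

$report = Join-Path $runDir 'acl-changes.csv'
$changes | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpHost `
    -Subject "AD ACL changes in $Base ($($changes.Count) ACE rows)" `
    -Body ($changes | Format-Table -AutoSize | Out-String -Width 200) `
    -Attachments $report
```

Register the script as a weekly scheduled task running under an account that can read the OU's security descriptors; the account needs no write access to AD. The comparison is deliberately schema-agnostic (it keys on all columns rather than on named ones), so it also works when a newer ADACLScanner version adds columns; if the export contains a per-run column such as a timestamp, pass it in -IgnoreColumns or every row will appear changed. Send-MailMessage is marked obsolete in PowerShell 7 but still works; swap in your mail relay's preferred client if needed.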

Here is a good overview of how ADACLScanner can be used:

The current version of ADACLScanner can be downloaded here:

Github: canix1/ADACLScanner
