SOLVED

Reporting Per ACE Per User Permission on AD Objects

Highlighted
Frequent Contributor

I have a requirement where i have to find out for few user accounts what all permissions do they have on/in the AD forest-domain,

I intend run a check that touches ntsecuritydescriptor attribute on every object in the domain and if the username does exists on the object in the ACEs only those should be printed on the screen or exported to excel for even better sorting when checking permissions for multiple users,

I need your help on this, i want the data to 1 row should show object DN (for which ACE is interpreted) what kind of right/property/permission it is, is it inherited, is it the explicit / implicit entry, i mean after generating this output there should be no need to look at any other report using any other tool

1 Reply
Highlighted
Solution

Yes i am now trying AdAclScanner powershell script at this point this tool has both GUI and commandline options

.\ADACLSCAN.ps1 -Base "DC=XX,DC=com" -Filter "(&(objectclass=* or AdminCount=1 or whatever))" -Scope subtree -EffectiveRightsPrincipal ALICE  -Output HTML -Show