AD ACL Scanner

View Delegated Permissions in Active Directory

The AD ACL Scanner is a GUI tool that makes it easy to view delegated permissions in Active Directory.
Report and export who has what delegated rights, audit permissions and ensure compliance.

Key Features

Easily Create Delegated Permission Reports

Do you know which users and groups can reset passwords or delete objects in Active Directory?
Scan all domain objects or select specific OUs, search, filter and export reports.

Password Permissions

See which users or groups can reset passwords in Active Directory.

Full Control

Find out which users or groups have full control, and over which objects in AD.

Write Permissions

Report on which objects have the write permission.

Everyone Group

Check whether the Everyone group is in use and what permissions it has.

Scan OUs

Scan all OUs or use the browse button to select specific OUs.

Export DACLs/SACLs

Export DACLs/SACLs on Active Directory objects to a CSV file.

Filter Permissions

Filter the permissions column to sort or find specific user rights.

Search

Use the search option to find specific users' permissions or objects.

How Does it Work?

Step 1. Click on AD ACL Scanner from the “Security Tools” page.

Step 2. Click Run to scan the entire domain or click the browse button to choose an OU.

By default, the AD ACL Scanner will display the following columns.

  • Object Path
  • Type (Deny or Allow)
  • Account Name
  • Permissions
  • Applies To
  • Is Inherited
  • Object Type (Optional)
  • Account Display Name (Optional)
  • Account SID (Optional)
  • Object Owner (Optional)
  • Account Type (Optional)
  • Applies To Direct Child Only (Optional)

Step 3. Filter the ACL Report

The report displays a lot of detail, so you will want to use the search or the filter editor to find specific permissions. Some included filters let you quickly filter the report.

In the above screenshot, I clicked the Password box to filter the results. This now shows all objects that have “password” in the Permissions column. To further filter the results, I will click the “Account Name” column and select specific accounts or groups. In the screenshot below, I can see that the “it_manage_users” group has permission to change passwords.

You can also group the results by any column. In the screenshot below, I filtered for “Full Control” permissions and then grouped the results by the “Account Name” column.

You can also create your own filters. Right-click any column and select “Filter Editor”. You can create advanced filters to look for very specific permissions. In this example, I’m looking for any permissions that contain “telephone” where the group name contains “adpro” (my domain name).

To export the report, click the export button.
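
The same triage can be repeated offline on an exported CSV. The script below is an added example, not part of the tool or the original page: it applies the Password, Full Control, Write and Everyone checks in one pass and puts non-inherited entries first. It assumes the CSV headers match the column names listed in Step 2; the sample rows, permission strings and the triage/by_account helper names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample; headers are assumed to match the report's column names.
SAMPLE_CSV = r'''Object Path,Type,Account Name,Permissions,Applies To,Is Inherited
"OU=Staff,DC=adpro,DC=local",Allow,ADPRO\it_manage_users,Reset Password,Descendant User objects,False
"CN=J Doe,OU=Staff,DC=adpro,DC=local",Allow,ADPRO\it_manage_users,Reset Password,This object only,True
"OU=Servers,DC=adpro,DC=local",Allow,ADPRO\helpdesk,Full Control,This object and all descendants,False
"OU=Staff,DC=adpro,DC=local",Allow,Everyone,Write telephoneNumber,Descendant User objects,False
"OU=Staff,DC=adpro,DC=local",Deny,ADPRO\contractors,Full Control,This object only,False
"OU=Staff,DC=adpro,DC=local",Allow,ADPRO\auditors,Read,This object only,False
'''

# Substring match on the Permissions column, like the report's quick filters.
RULES = {"full-control": "full control", "password": "password", "write": "write"}


def triage(csv_text):
    """Return Allow entries worth reviewing, explicit (non-inherited) first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"].strip().lower() != "allow":
            continue  # a Deny entry is a restriction, not a delegated right
        perms = row["Permissions"].lower()
        tags = [tag for tag, needle in RULES.items() if needle in perms]
        account = row["Account Name"].strip()
        if account.split("\\")[-1].lower() == "everyone":
            tags.append("everyone")
        if not tags:
            continue
        explicit = row["Is Inherited"].strip().lower() != "true"
        findings.append({"account": account, "object": row["Object Path"],
                         "tags": tags, "explicit": explicit})
    findings.sort(key=lambda f: not f["explicit"])
    return findings


def by_account(findings):
    """Group explicit findings by account, as when grouping on Account Name."""
    grouped = defaultdict(set)
    for f in findings:
        if f["explicit"]:
            grouped[f["account"]].update(f["tags"])
    return dict(grouped)


if __name__ == "__main__":
    print(by_account(triage(SAMPLE_CSV)))
```

Explicit entries are listed first because they mark the object where a delegation was actually set; inherited rows repeat that grant on child objects.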

Getting Started is Seriously Simple!
Try it for Yourself
