AD ACL Scanner
The AD ACL Scanner is a GUI tool that will report on delegated permissions to objects in Active Directory.
Delegated AD permissions report
Audit who has permissions to what
Find insecure AD permissions
Search and filter AD ACLs
- Find users that have full control permissions
- Easily find users that can change passwords
- Easily search and filter the ACL report
- Audit delegated permissions in Active Directory
- Export DACLs/SACLs on Active Directory objects to a CSV file
- You will need permission to view the ACL on AD objects
- Site License
How to Use the AD ACL Scanner Tool
1. Click on AD ACL Scanner from the management tools page.
2. Click Run to scan the entire domain or click the browse button to choose an OU.
By default, the AD ACL Scanner will display the following columns.
- Object Path
- Type (Deny or Allow)
- Account Name
- Applies To
- Is Inherited
- Object Type (Optional)
- Account Display Name (Optional)
- Account SID (Optional)
- Object Owner (Optional)
- Account Type (Optional)
- Applies To Direct Child Only (Optional)
3. Filter the ACL Report
The report displays a lot of detail, so you will want to use the search or the filter editor to find specific permissions. Some filters are included so you can filter the report quickly.
In the above screenshot, I clicked the Password box to filter the results. The report now shows all objects that have “password” in the Permissions column. To filter the results further, I click the “Account Name” column and select specific accounts or groups. In the screenshot below, I can see that the “it_manage_users” group has permission to change passwords.
You can also group the results by any column. In the screenshot below, I filtered for “Full Control” permissions and then grouped the results by the “Account Name” column.
You can also create your own filters. Right-click any column and select “Filter Editor”. You can create advanced filters to look for very specific permissions. In this example, I’m looking for any permissions that contain “telephone” where the group name contains “adpro” (my domain name).
To export the report, click the export button.
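The filters shown above can be repeated against the exported CSV, which is useful for reviewing the report offline or comparing exports over time. This is an added example, not part of the tool: it assumes the CSV headers match the column names listed above, that "Is Inherited" is exported as True/False, and it runs on constructed sample rows. The `direct_only` option is a choice made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names and the True/False values are
# assumptions based on the columns listed above; a real export may differ.
SAMPLE_CSV = """Object Path,Type,Account Name,Permissions,Applies To,Is Inherited
"OU=Staff,DC=adpro,DC=example",Allow,ADPRO\\it_manage_users,Reset Password,Descendant User objects,False
"OU=Staff,DC=adpro,DC=example",Allow,ADPRO\\helpdesk,Write telephoneNumber,Descendant User objects,False
"OU=Staff,DC=adpro,DC=example",Allow,ADPRO\\Domain Admins,Full Control,This object and all descendants,True
"OU=Servers,DC=adpro,DC=example",Allow,ADPRO\\legacy_svc,Full Control,This object and all descendants,False
"OU=Servers,DC=adpro,DC=example",Deny,ADPRO\\contractors,Full Control,This object only,False
"CN=Bob,OU=Staff,DC=adpro,DC=example",Allow,ADPRO\\legacy_svc,Change Password,This object only,False
"""

def load_report(text):
    """Parse the exported report into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def find_grants(rows, permission, account=None, direct_only=True):
    """Allow entries whose Permissions contain `permission` (case-insensitive).
    account: optional "contains" match on Account Name, as in the Filter Editor.
    direct_only: skip inherited entries so each delegation is listed once,
    on the object where it was set."""
    hits = []
    for r in rows:
        if r["Type"].strip().lower() != "allow":
            continue  # Deny entries restrict access; they are not delegations
        if direct_only and r["Is Inherited"].strip().lower() == "true":
            continue
        if permission.lower() not in r["Permissions"].lower():
            continue
        if account and account.lower() not in r["Account Name"].lower():
            continue
        hits.append(r)
    return hits

def group_by_account(rows):
    """Group rows by Account Name, like grouping on that column in the report."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["Account Name"]].append(r["Object Path"])
    return dict(grouped)

if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    for label in ("Full Control", "Password"):
        print(label, group_by_account(find_grants(report, label)))
```

To use it on a real export, read the file's text and pass it to `load_report` in place of `SAMPLE_CSV`, adjusting the header names if the export uses different ones.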