What is the state of your delegation?
Do you have a documented and recent report of the permissions in your Active Directory?
Have you granted permissions on the relevant OUs in the past and left them like that ever since?
Maybe it's time to take another look at what is actually delegated in Active Directory.
Things you will probably find when revisiting the permissions:
What to do?
Every Active Directory should have a documented delegation model that describes the permissions set on the data in Active Directory. I'm not saying you should write down every single permission on every object, but you should document the permissions your organization needs in order to perform its tasks.
Here's a simple example of how you could document the Helpdesk's permissions in AD:
To verify that the permissions in Active Directory reflect the needs of your organization you have to go through every OU in your Active Directory where permissions have been modified.
It's usually quite a daunting task to click your way through the directory tree to get control over the permissions. For every OU, or any object for that matter, it takes at least 4 clicks to reach the Advanced Security Settings tab, which is often the view you need, and with a large OU structure that can take a while.
AD ACL Scanner
To simplify the work of creating and documenting the delegation model in Active Directory, I have written a PowerShell tool with a GUI.
This tool creates reports of the access control lists on all of your Active Directory objects. With these reports you can see what permissions have been set, where, and when.
To run the script you need at least PowerShell 2.0 and Windows 7/Windows Server 2008 (Windows Server 2003 with limited functionality).
Enable unsigned scripts to run. Changing the machine-wide execution policy requires local admin rights; note that RemoteSigned is enough for a script you have unblocked and is less permissive than Unrestricted:
If you are not local admin and cannot set it for the machine, you can set it for your own profile:
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
You do not need the PowerShell module for Active Directory.
To create a report for an OU:
This is an example of a report:
By default you will only get the selected OU, but if you want to list all sub-OUs you can clear the One Level check box. Be aware that it can take a long time to go through a large OU structure.
To get the date when the permissions were modified, check the Replication Metadata check box. This adds a column to the report with the latest change of the permissions on each object in the report.
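As an added example (not code from the original post or from the AD ACL Scanner script itself), the following PowerShell function does by hand what the clicking described above is about: it walks the OU tree from a starting OU, lists only the explicitly set (non-inherited) ACEs on each OU, and reads the date the security descriptor last changed from the constructed attribute msDS-ReplAttributeMetaData, which is one way to get replication metadata without the Active Directory module. It uses System.DirectoryServices only. The OU name OU=Helpdesk,DC=contoso,DC=com, the output file name and the column names are assumptions made for the example.

```powershell
# Added example, not part of the original post or the AD ACL Scanner tool.
# Assumes it is run as a domain user on a domain-joined machine.
function Get-OuExplicitAce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # DN of the OU to start from
        [switch]$SelectedOuOnly                       # only this OU, not the sub-OUs
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=organizationalUnit)'
    $searcher.SearchScope = if ($SelectedOuOnly) { 'Base' } else { 'Subtree' }
    $searcher.PageSize = 1000
    # msDS-ReplAttributeMetaData is a constructed attribute: it is only returned when asked for.
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'msDS-ReplAttributeMetaData'))

    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]

        # The metadata comes back as one XML fragment per attribute; pick the one
        # for nTSecurityDescriptor to get when the ACL last changed (originating write).
        $sdChanged = $null
        foreach ($xml in $result.Properties['msds-replattributemetadata']) {
            $meta = [xml]$xml
            if ($meta.DS_REPL_ATTR_META_DATA.pszAttributeName -eq 'nTSecurityDescriptor') {
                $sdChanged = [datetime]$meta.DS_REPL_ATTR_META_DATA.ftimeLastOriginatingChange
            }
        }

        # Second argument $false = leave out inherited ACEs, so only what was
        # delegated on this OU itself shows up (what flows down from it is included).
        $entry = $result.GetDirectoryEntry()
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Object              = $dn
                Identity            = $rule.IdentityReference.Value
                Type                = $rule.AccessControlType        # Allow / Deny
                Rights              = $rule.ActiveDirectoryRights
                ObjectType          = $rule.ObjectType               # all-zero GUID = all properties/classes
                InheritedObjectType = $rule.InheritedObjectType      # schema GUID of the class the ACE applies to
                Inheritance         = $rule.InheritanceType
                SDLastChanged       = $sdChanged
            }
        }
    }
}

# Usage (assumed OU name): one row per explicit ACE, saved as a CSV snapshot
# that can later be compared against a fresh run.
Get-OuExplicitAce -SearchBase 'OU=Helpdesk,DC=contoso,DC=com' |
    Export-Csv -Path .\ou-acl-snapshot.csv -NoTypeInformation
```

Rights are shown as the ActiveDirectoryRights enumeration and object types as raw schema GUIDs; resolving the GUIDs to attribute, class and extended-right names requires a lookup in the schema and configuration naming contexts, which the example leaves out. Reading the replication metadata needs no extra rights beyond reading the object, but it is a per-object round trip, so a whole-domain run will be slow for the same reason the post warns about above.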
This is an example of a report with the date when the access control list was modified.
To browse all objects, click All Objects in the Browse Options box. This is necessary when you want to get the permissions on another object type, a user for example. You then also have to select All Objects in the Report Objects box.
If you want to create a report of the whole domain I strongly suggest you select CSV file in the Output Options, since it takes a long time to go through all OUs and build an HTML table for them. Creating a CSV file is much faster, and you can convert it to an HTML report afterwards in the Additional Options. You can also use the CSV file for comparison.
The Power of AD ACL Scanner
The cool thing with AD ACL Scanner is that you can compare the current state with a previous result. If you save the report as a CSV file, you can later compare the current state against that file and get a report of what is missing and what has been added.
This is an example of a comparison report:
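The comparison above, as an added example that is not part of the original post or the tool: two CSV snapshots are keyed on where the ACE sits, whom it is for and what it grants, and every ACE present in only one of them is reported as Added or Missing. The column names (Object, Identity, Type, Rights, ObjectType, InheritedObjectType, Inheritance) and the two sample snapshots are constructed for the example; the real report has its own column names, so adjust $keyProps to match. The GUID bf967aba-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the user class.

```powershell
# Added example, not part of the original post or the AD ACL Scanner tool.
function Compare-AclSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,   # rows from Import-Csv of the saved report
        [Parameter(Mandatory)][object[]]$Current     # rows from a fresh scan
    )
    # An ACE is identified by its location, trustee and what it grants.
    # Column names are assumed; change them to match the report you compare.
    $keyProps = 'Object', 'Identity', 'Type', 'Rights', 'ObjectType', 'InheritedObjectType', 'Inheritance'
    $toKey = { param($row) @($keyProps | ForEach-Object { $row.$_ }) -join '|' }

    $baseSet = @{}
    foreach ($row in $Baseline) { $baseSet[(& $toKey $row)] = $row }
    $curSet = @{}
    foreach ($row in $Current)  { $curSet[(& $toKey $row)]  = $row }

    # In the current scan but not in the baseline: somebody delegated something new.
    foreach ($k in $curSet.Keys) {
        if (-not $baseSet.ContainsKey($k)) {
            $curSet[$k] | Select-Object @{Name = 'Change'; Expression = { 'Added' }}, *
        }
    }
    # In the baseline but gone now: a permission was removed (or the object was).
    foreach ($k in $baseSet.Keys) {
        if (-not $curSet.ContainsKey($k)) {
            $baseSet[$k] | Select-Object @{Name = 'Change'; Expression = { 'Missing' }}, *
        }
    }
}

# Constructed sample snapshots (not real data). Since the baseline was taken,
# the Helpdesk group has gained GenericAll on its OU and a Deny ACE has been removed.
$baseline = @'
Object,Identity,Type,Rights,ObjectType,InheritedObjectType,Inheritance
"OU=Helpdesk,DC=contoso,DC=com","CONTOSO\Helpdesk","Allow","ReadProperty, WriteProperty","00000000-0000-0000-0000-000000000000","bf967aba-0de6-11d0-a285-00aa003049e2","Descendents"
"OU=Helpdesk,DC=contoso,DC=com","CONTOSO\Helpdesk","Deny","Delete","00000000-0000-0000-0000-000000000000","00000000-0000-0000-0000-000000000000","All"
'@ | ConvertFrom-Csv

$current = @'
Object,Identity,Type,Rights,ObjectType,InheritedObjectType,Inheritance
"OU=Helpdesk,DC=contoso,DC=com","CONTOSO\Helpdesk","Allow","ReadProperty, WriteProperty","00000000-0000-0000-0000-000000000000","bf967aba-0de6-11d0-a285-00aa003049e2","Descendents"
"OU=Helpdesk,DC=contoso,DC=com","CONTOSO\Helpdesk","Allow","GenericAll","00000000-0000-0000-0000-000000000000","00000000-0000-0000-0000-000000000000","All"
'@ | ConvertFrom-Csv

# Prints one 'Added' row (GenericAll) and one 'Missing' row (the Deny Delete ACE).
Compare-AclSnapshot -Baseline $baseline -Current $current |
    Format-Table Change, Identity, Type, Rights, Inheritance -AutoSize

# With real report files:
# Compare-AclSnapshot -Baseline (Import-Csv .\last-quarter.csv) -Current (Import-Csv .\today.csv)
```

Keying on the full ACE rather than on the object alone is what makes the Added and Missing lists useful: a change from ReadProperty to GenericAll on the same OU shows up as one Missing and one Added row instead of disappearing into "object present in both".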
Another nice feature is filtering.
Here's an example of a report with filtering:
Go ahead and download the AD ACL Scanner script from CodePlex:
Go ahead and explore permissions in AD!
I encourage you to get to know your permissions in AD and start documenting them.
WOW, great PS Tool.
Thank you so much Robin.
Very Nice Robin ! Thanks
Uhm, how do I start the GUI? Thx!
You need to have at least PowerShell 2.0.
Type $PSVersionTable and press Enter; that will give you the PSVersion.
To run scripts you need to modify the ExecutionPolicy:
Then run this command in the same folder as the script.
Thanks, Robin, for your quick response!
Works fine !!
Another great achievement. Amazing stuff :-)
Thanks a lot!
Hi Robin, is it possible to connect to a remote domain? I am trying, but it keeps defaulting back to the domain I am in.
Under "Select naming context" select Custom and type the naming context or domain name of your domain in the Naming context field. Then press Connect.
This requires an incoming trust since you cannot type your credentials anywhere.
Really nice tool...thanks for sharing it with all AD community.
I just downloaded your tool and am trying to run it from my PS version 3.0, but the problem is that when I select "Run Scan" the results open up in Notepad and are blank.
I have confirmed the execution policy is set to "Unrestricted". The only thing I've noticed is that when I run the tool in the PS console, I get the options [D] Do not run [R] Run once [S] Suspend, so I selected [R], which is my only obvious option.
Can you help?
Hi H Kang,
Do you get any errors in the PS console window?
If you have selected HTML report as output, the tool will create a .hta file in your profile's %temp% folder. Go to %temp% and see if you have an ACLHTML.hta file and that it's associated with mshta.exe (Microsoft HTML Application host).
Thank you for your prompt response.
To answer your question: No errors in the PS console window. Yes, I had selected HTML report in the tool and confirmed there is an ACLHTML.hta file created in my profile's %temp% directory. When I double-clicked on this file, it opened a blank Notepad file. This file shows as "HTML Application" in the type column in the directory, but still opens as a Notepad document, so I re-associated this file type with MS Word; now it opens up as a Word document and the HTML content displays properly. Strange, but now I get a readable report.