- A tool completly written in PowerShell.
- A tool with GUI used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory .
- Scan System access control lists (SACLs).
It has the following features:
- View HTML reports of DACLs/SACLs and save it to disk.
- Export DACLs/SACLs on Active Directory objects in a CSV format.
- Connect and browse you default domain, schema , configuration or a naming context defined by distinguishedname.
- Browse naming context by clicking you way around, either by OU’s or all types of objects.
- Report only explicitly assigned DACLs/SACLs.
- Report on OUs , OUs and Container Objects or all object types.
- Filter DACLs/SACLs for a specific access type.. Where does “Deny” permission exists?
- Filter DACLs/SACLs for a specific identity. Where does "Domain\Client Admins" have explicit access? Or use wildcards like "jdoe".
- Filter DACLs/SACLs for permission on specific object. Where are permissions set on computer objects?
- Skip default permissions (defaultSecurityDescriptor) in report. Makes it easier to find custom permissions.
- Report owner of object.
- Compare previous results with the current configuration and see the differences by color scheme (Green=matching permissions, Yellow= new permissions, Red= missing permissions).
- Report when permissions were modified
- Can use AD replication metadata when comparing.
- Can convert a previously created CSV file to a HTML report.
- Effective rights, select a security principal and match it agains the permissions in AD.
- Color coded permissions based on criticality when using effective rights scan.
- List you domains and select one from the list.
- Get the size of the security descriptor (bytes).
- Rerporting on disabled inheritance .
- Get all inherited permissions in report.
- Powershell 2.0 or above
- PowerShell using a single-threaded apartment
- Reporting SACLs requires Active Directory Powershell module