This project has moved. For the latest updates, please go here.


Rating: No reviews yet
Downloads: 1871
Released: Feb 7, 2017
Updated: Feb 7, 2017 by robing
Dev status: Stable Help Icon

Recommended Download

Source Code ADACLScan4.8.ps1
source code, 512K, uploaded Feb 7 - 1871 downloads

Release Notes

Version 4.8

7 February, 2017

SHA256: 8FCC040FA75E0593372C3F4397F26F0A1B7418A8B69491C08F565F5C566BA6E1

New Features
  • Templates for Windows Server 2016
  • Removed requirement on localization of names on well-known groups and built-in groups.
  • Comparing using SIDs of security principals gives us the true state instead of names that could be modified.
  • Better download windows.

Fixed issues
  • Users could not view permissions due to the collection of attributes that user possibly didn't have access to. (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Removed unnecessary retrieval of ldap attributes. (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Removed unused functions (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Removed duplicated function name (Credit to Kirill Nikolaev, Kaspersky Lab)
  • LoadWithPartialName is deprecated (Credit to Kirill Nikolaev, Kaspersky Lab)
  • A mandatory parameter has a default value (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Fixed unreachable code (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Removed unused variables (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Fixed typo (Credit to Kirill Nikolaev, Kaspersky Lab)

Version 4.7.2

12 January, 2017

SHA256: C1FDC71E46229EA11482D99EBB80CA1A24C0284D3F01FAC618277EA9C91F98F0

New Features

Fixed issues
  • Browsing a container with more than 999 child objects and you will get (Exception calling "SendRequest" with "1" argument(s): "The size limit was exceeded")
  • Updated windows size. Increased height to not render a scroll bar under large screen size.
  • Reduced the window size when it is adapting to smaller screen size.

Version 4.7.0

6 December, 2016

SHA256: 82DDB2263C7969AF5608246560A340CAB997F554CBE989A816A03C98F0E7582F

New Features
  • Improved performance in preparing the scan. Updated function GetAllChildNodes. (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Improved support for connecting via IP-address only.
  • Height of windows adapts to screen size.
  • Better color coded criticality.

Fixed issues
  • Removed unused LDAP attribute in LDAP search

Version 4.6.0

6 October, 2016

SHA256: 2E80D4CD580B9EBD2AFC18FCE3614B386BA16ECEA7C416C81CD133B7361A003F

New Features
  • Display group members in groups in the HTLM report.
  • Present the value of the true SDDL in NTsecurityDescriptor, bypassing Object-Specific ACE merge done when a new instance of the ObjectSecurity class is initialized.
  • Added Active Directory schema version check for Windows Server 2016.
  • Added Exchange Schema Version check for Exchange Server 2016 CU2 and Exchange Server 2016 CU3

Fixed issues
  • Get Forest Info search did not handle return of empty or zero response entries in a correct way
  • HTML and CSV file output option doesn't display HTA

Version 4.5.0

19 June, 2016

SHA256: CDDA9E265995E23F8738A2914E4E05593F692B194C634DF0B4D9FBF1B6DC2298

New Features
  • Added Exchange Schema Version check for Exchange Server 2016 CU1.(Credit to Kirill Nikolaev, Kaspersky Lab)

Fixed issues
  • Heavily improved code for “Skip Default Permissions”. Removed possible memory problem while scanning many objects.
  • Improved code for “Skip Protected Permissions”. One ACE was missing.
  • Null-valued array error while composing the list of domains. (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Null-valued array error when closing domain picker window w/o actually selecting one. (Credit to Kirill Nikolaev, Kaspersky Lab)
  • Updated LDAP filters for getting trusted domains.(Credit to Kirill Nikolaev, Kaspersky Lab)
  • Fixed issues with use of credentials over trusts.
  • Fixed issues with TokenGroups over trust lookup.
  • Removed unused variables.
  • Replaced aliases like %,?,Select,foreach and Sort.
  • Put $null to the left in comparison strings.

Version 4.4.0

16 June, 2016

SHA256: 2803906C909BB7DE7024FEE981BCE6D927A0826215051AEDD088D61C10F9AB97

Fixed issues
  • Errors when scanning objects you don't have read access on.
  • Comparing with template containing forest root failed when connected to child domain.
  • Templates are updated with a more accurate DN.
  • Errors when translating NT Identity fixed.

Version 4.3.0

2 May, 2016

SHA256: 3473DDB452DE7640FAB03CAD3E8AAF6A527BDD6A7A311909CFEF9DE0B4B78333

New Features
  • You can exclude multiple paths, just for each object, select and right click to choose Exclude.

Fixed issues
  • Unresolved security principals was shown as empty instead of SID.
  • Searching for SID's included built-in groups that did not translate before compare.

Version 4.2.0

14 April, 2016

SHA256: F340F6B56F11F879ED8A4C0DDA751FFF9538EE5105B2C0F39C79BED218E985E2:*

Fixed issues
  • The validated write was express as only "Self" in the report.
  • The validated write was never enumerated from the list of ControlAccessRights.

Version 4.1.0

12 April, 2016

SHA256: BE7ECB91AA0F819A1796739B0491CA4691DCBE718410CA8A7F9358B600754B2A

Fixed issues
  • Comparing builtin groups differ from running on DC and domain member.
  • Connecting to custom DC did not collected forest info.

Version 4.0.0

11 April, 2016

SHA256: C72CD69C0E15C1A9A276485FD5073F958B26B1A777928740C67B7E347F38938B

New Features
  • Faster compare of Access Control Lists using USN from replication metadata.
  • Primary directory service API changed to System.DirectoryServices.Protocols (S.DS.P).
  • Connect to custom directory server and port like mounted backup or snapshot of NTDS.dit.
  • Support for scanning AD LDS Instances.
  • Name translation of AD LDS Identity references in security descriptor.
  • Option to connect using credentials.
  • Export defaultSecurityDescriptor.
  • Compare DefaultSecurityDescriptor.
  • Download OS specific csv templates for DefaultSecuritydescriptor.
  • Connection Information tab provides information about the current connection.
  • Resizable Window

Fixed issues
  • Change the column name in the header from "OU" to "Object".
  • Display forest information like FFL,DFL,Schema Version, Exchange and Lync Schema version did not work due to wrong formatting of attributes.
  • Solved problem with returning schema version information about Exchange and Lync.
  • Minor improvements in the GUI.

Version 3.2.0

7 September, 2015

SHA1: 61CB4D160B4003FDF51FFACDB777FF0DC28D83D1

New Features
  • Report single or all classSchema objects default security descriptor.
  • Option to select between DACL or SDDL output of default security descriptors.
  • Displays forest information like FFL,DFL,Schema Version, Exchange and Lync Schema version.

Version 3.1.0

2 September, 2015

SHA1: EBBB7083BE00108B14B661016A0D049EFF092971

New Features
  • Option to show objectClass of objects reported
  • Option skip ACE's for "Protect object from accidental deletion"
  • Error control on .Net Framework CLRVersion

Version 3.0.1

10 July, 2015

Fixed issues
  • Reporting on modified default security descriptors in Schema did not work in Windows 10 or Windows Server Technical Preview 2.

Version 3.0

9 July, 2015

New Features
  • You can take a CSV file from one domain and use it for another. With replacing the old DN with the current domains you can resuse reports between domains. You can also replace the (Short domain name)Netbios name security principals.
  • Reporting on modified default security descriptors in Schema.
  • Verifying the format of the CSV files used in convert and compare functions.
  • When comparing with CSV file Nodes missing in AD will be reported as "Node does not exist in AD"
  • The progress bar can be disabled to gain speed in creating reports.
  • If the fist node in the CSV file used for comparing can't be connected the scan will stop.

Fixed issues
  • Only the first node in the CSV file was used in the comparison the rest was skipped.
  • If a node in the CSV file did not exist in AD, the comparison failed.

Version 2.2.2

7 July, 2015

Fixed issues
  • If you run AD ACL Scanner in Windows 10 or Windows Server Technical Preview 2 you would always get mismatch during comparing. Problem fixed with if statement on System.Enum in PowerShell 5.

Version 2.2.1

6 July, 2015

New Features
  • Number of excluded objects reported in Log.

Fixed issues
  • Broken scan! Everything are excluded when searching Onelevel or Subtree.

Version 2.2.0

4 July, 2015

New Features
  • Refresh Nodes by right-click container object.
  • Exclude of objects from report by matching string to distinguishedName

Version 2.1.2

2 July, 2015

Fixed issues
  • Every scan required SeSecurityPrivilege (Manage auditing and security log) due to modifications of the SecurityMasks. Now this is done only once you explicitly scan SACL's.

Version 2.1.1

12 June, 2015

Fixed issues
  • If you ran AD ACL Scanner in Windows 10 or Windows Server Technical Preview 2 you would get an error. Problem fixed with if statement on System.Enum in PowerShell 5.

Version 2.1.0

21 May, 2015

New Features
  • Changed format on CSV output file. New format according to regular CSV type.
  • Removed dependency on Active Directory PowerShell module for reporting on SACL's.
  • Rename html report headers, Rights are called Access and if SACL's is used it's called Audit.
  • HTLM reports contain headers
  • Summary of criticality for all report types
  • Support statement included

Fixed issues
  • Owner permissions are changed to the more accurate :Read permissions, Modify permissions.
  • Error when running PS 2.0 "ProgressBarWindow".
  • Correct name of SPN report file.
  • Criticality coloring of "Info"-level fixed.
  • Added error control for enumerating objects.

Version 2.0.3

29 October, 2014

Fixed issues
  • PS 2.0 "Where-Object : Cannot bind argument to 'FilterScript' because it is null":5369.

Version 2.0.2

28 October, 2014

New Features
  • Scan for SACL's
  • Option to skip Splash through new parameter "No

Reviews for this release

No reviews yet for this release. (Previous release: 5 stars out of five with 1 rating and 1 review)