AD ACL Scanner

If you're working with Active Directory and need a straightforward way to analyze and report on permissions, AD ACL Scanner is a tool you should definitely check out. It's built entirely in PowerShell, which makes it lightweight and easy to run without any complicated installation. The tool specializes in generating detailed reports for both discretionary (DACLs) and system (SACLs) access control lists, and it's especially handy for quickly comparing ACLs using replication metadata like USN numbers.

Getting started is a breeze. Just run the script, and a graphical interface pops up no setup required. You can immediately begin exploring permissions through an intuitive layout. One of the standout features is its flexibility: you can view HTML reports of DACLs and SACLs, save them locally, and even filter results to show only explicitly assigned permissions. For example, you might want to check where "Deny" permissions exist, or track down all the places where a specific group like "DomainClient Admins" has access. Wildcard support means you can search broadly or narrow things down to individual users.

Beyond basic reporting, AD ACL Scanner lets you focus on particular object types like OUs, containers, or computer objects and skip default permissions to avoid clutter. It connects seamlessly to your default domain or other naming contexts, and you can export findings to CSV for further analysis. Plus, if you’ve saved previous reports, the tool can compare them with the current setup and highlight differences with a color coded system. It even tracks when permissions were last modified, which is super useful for auditing changes over time.

A quick tip before you dive in: make sure PowerShell script execution is enabled on your machine. You can do this temporarily with the Set ExecutionPolicy Unrestricted command, but remember to switch back to a more secure setting once you’re done. This helps keep your system protected while you take full advantage of what AD ACL Scanner has to offer.