canix1 / adaclscanner Goto Github PK

View Code? Open in Web Editor NEW

945.0 54.0 159.0 2.68 MB

Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory

License: Microsoft Public License

PowerShell 100.00%

adaclscanner's Introduction

AD ACL Scanner

Current version

Version: 7.9

12 September, 2023

SHA256: 66394A80A432C978A64D6A490D5C155AECDAAC53BAE5024B00BC5517F445B537

New Features

Show security descriptor in SDDL format

7.0 Features

Filter on permissions like "GenericAll" or multiple values like "WriteProperty | ExtendedRight"

From the CLI you can select Target and select RiskyTemplates to scan published certificate templates with "supply in request".
The default output from CLI is structured and translated
The default csv file output option is structured and translated and cannot be used for comparing.
New output option for comparing that is called CSVTEMPLATE from CLI and "CSV Template" in GUI.
Old CLI output format is produced by using the -RAW switch

Download

Release

Donate

Do you appreciate my work and want to buy me a beer? You can donate via PayPal: https://www.paypal.me/canix1 or send Bitcoins to bc1qte7vlwhvrju7msv9hzfytwy7jd9vlmnjfpm0366d62yx4ke89czsavk0hr

Description

A tool completly written in PowerShell.
A tool with GUI used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory .

History

Features and fixes https://github.com/canix1/ADACLScanner/wiki/History

Features

Run effective rights report from the command line.
parameter from command line to get modified date of security descriptor in report.
Save to excel file without excel installed. Both from UI and command line. Requires ImportExcel PowerShell Module. You can install ImportExcel directly from the Powershell Gallery.
Command line support.
Custom search filter for scanning objects.
Support input from pipeline. You can call ADACLScan.ps1 by sending a distinguishedName via pipeline.
Added formated synopsis to the script.

Feature list

Scan linked Group Policy Objects
View HTML reports of DACLs/SACLs and save it to disk.
Export DACLs/SACLs on Active Directory objects in a CSV format.
Export DACLs/SACLs on Active Directory objects in a Excel sheet.
Connect and browse you default domain, schema , configuration or a naming context defined by distinguishedname.
Browse naming context by clicking you way around, either by OU�s or all types of objects.
Report only explicitly assigned DACLs/SACLs.
Report on OUs , OUs and Container Objects or all object types.
Filter DACLs/SACLs for a specific access type.. Where does �Deny� permission exists?
Filter DACLs/SACLs for a specific identity. Where does "Domain\Client Admins" have explicit access? Or use wildcards like "jdoe".
Filter DACLs/SACLs for permission on specific object. Where are permissions set on computer objects?
Skip default permissions (defaultSecurityDescriptor) in report. Makes it easier to find custom permissions.
Report owner of object.
Compare previous results with the current configuration and see the differences by color scheme (Green=matching permissions, Yellow= new permissions, Red= missing permissions).
Report when permissions were modified
Can use AD replication metadata when comparing.
Can convert a previously created CSV file to a HTML report.
Effective rights, select a security principal and match it agains the permissions in AD.
Color coded permissions based on criticality when using effective rights scan.
List you domains and select one from the list.
Get the size of the security descriptor (bytes).
Rerporting on disabled inheritance .
Get all inherited permissions in report.
HTLM reports contain headers.
Summary of criticality for all report types.
Refresh Nodes by right-click container object.
Exclude of objects from report by matching string to distinguishedName
You can take a CSV file from one domain and use it for another. With replacing the old DN with the current domains you can resuse reports between domains. You can also replace the (Short domain name)Netbios name security principals.
Reporting on modified default security descriptors in Schema.
Verifying the format of the CSV files used in convert and compare functions.
When compairing with CSV file Nodes missing in AD will be reported as "Node does not exist in AD"
The progress bar can be disabled to gain speed in creating reports.
If the fist node in the CSV file used for compairing can't be connected the scan will stop.
Display group members in groups in the HTLM report.
Present the value of the true SDDL in NTsecurityDescriptor, bypassing Object-Specific ACE merge done when a new instance of the ObjectSecurity class is initialized.

System requirements

Powershell 3.0 or above
PowerShell using a single-threaded apartment
Some functions requires Microsoft .NET Framework version 4.0

adaclscanner's People

Contributors

Stargazers

Watchers

Forkers

vysecurity siowcy skettler minkione kurtdegreeff maybemyself theralfbrown martinweberswitzerland johnjohnsp1 av1080p loveh4ck pinak9 bounty2017test kmcgill r0ug3 jbarcia amarcovich feng257 vgg-dev golubenkoff shantanu561993 seemantbisht error0x01 opt9 xploitcccsc mrbodean edisco sathishdsgithub pk2311 hittimes alextsec dipsec architbahuguna jock312452 binlmmhc sry309 modulexcite sasqwatch stevecharon rahmiy rootlo0p therealwaring imulmul cyb3r5t4lk3r hiw0rld lazerhawk henriweb aynyuh r0cknrolla subi3wr3x lukowiczm exitus01 digitalarche dskho widedata nejibnbm blue-infosec jcoffi an4kein 5l1v3r1 topotam 1uffyd9 balamurnan imendax die-drei-von-der-tanke a-min3 lazyf0x00 leomatias scott1138 vertskater newbeeone conditionblack hartl3y94 n4n4n-54n nosorry crimsonlabs-io rezaduty gdraperi ivanpetrov0 naveenvenugopal moddingg33k dubeyjiit rohanrob iltoncarlos raystyle hi-pwnstar lorenaman slooppe gh0st0ne digifors jez-github offt3ch saimen-ti manantsoar i85yl64 zizoutn nerdeua lleon1435 gl4ssesbo1 ra2003

adaclscanner's Issues

Effective permissions via command line

Is there a way to invoke the Effective Permissions functionality from the command line? So far, I have only gotten aggregate reports.

feature suggestion: scan for various types of specific known badness

This looks like an awesome tool, but in among its options, should be the ability to search for specific lists of known exploits, backdoors, & nondefault configurations. While the tools does appear to be intended for finding just those things, it appears from the doc page (and I have to admit I haven't actually tried it out yet) that the reports it typically generates are likely to have much of this buried in reams and reams of other data. Another possibility might be to assign each flagged entry a 'badness' value from 1-10, so that the report might be sorted with the most interesting data at the top. I admit I've been looking for something like this ever since I watched Harmj0y's 'An ACE in the Hole: Stealthy Host Persistence via Security Descriptors' presentation at Derbycon in 2017.

Help pls

Good Day!

please help me, tell me how I can make a report what rights a certain group has in the domain, while leaving only those OUs where the rights are assigned, and not displaying those where the rights are inheritedю Example:
This with Inherited - false save in the report

and this with Inherited - True remove from report

I will be glad for any help

View Inherited Permissions from Powershell command line

Hi,
I cannot figure out a way to show the inherited permissions when using effective rights from Powershell. I can see it when I run the GUI and select the user principle I want to view.

Inheritance Disabled - not included in CSV

CSV output does not include "Inheritance Disabled" column, unlike HTML report.

Get-Perm -Access(Type)

Hello,

line 15776, in Get-Perm function, argument's name "Access" is not correct.
It must be replaced by AccessType

Duplicate ACE return by Get-ACL

Hello,
In the template CSV, I found several ACE with the same information. For example for adminsdholder : BUILTIN\Pre-Windows 2000 Compatible Access has the same permission (Generic Read - All)

I get the same information with get-ACL.
Any idea why many ACE are duplicated with Get-ACL (and in the templates too, but I suppose is is related to Get-ACL output command used to generate your templates).

Thanks

Doubled/Reduntant code

The code below is doubled.

if ($chkBoxEffectiveRightsColor.IsChecked -eq $false) {
            Switch ($objRights) {
                "Self" {
                    #Self right are never express in gui it's a validated write ( 0x00000008 ACTRL_DS_SELF)

                    $objRights = ""
                }
                "DeleteChild, DeleteTree, Delete" {
                    $objRights = "DeleteChild, DeleteTree, Delete"

                }
                "GenericRead" {
                    $objRights = "Read Permissions,List Contents,Read All Properties,List"
                }
                "CreateChild" {
                    $objRights = "Create"
                }
                "DeleteChild" {
                    $objRights = "Delete"
                }
                "GenericAll" {
                    $objRights = "Full Control"
                }
                "CreateChild, DeleteChild" {
                    $objRights = "Create/Delete"
                }
                "ReadProperty" {
                    Switch ($objInheritanceType) {
                        "None" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch



                        }
                        "Children" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch
                        }
                        "Descendents" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch
                        }
                        default
                        { $objRights = "Read All Properties"	}
                    }#End switch


                }
                "ReadProperty, WriteProperty" {
                    $objRights = "Read All Properties;Write All Properties"
                }
                "WriteProperty" {
                    Switch ($objInheritanceType) {
                        "None" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default
                                { $objRights = "Write All Properties"	}
                            }#End switch



                        }
                        "Children" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default
                                { $objRights = "Write All Properties"	}
                            }#End switch
                        }
                        "Descendents" {

                        	 		Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default
                                { $objRights = "Write All Properties"	}
                            }#End switch
                        }
                        default
                        { $objRights = "Write All Properties"	}
                    }#End switch
                }
            }# End Switch
        } else {

            Switch ($objRights) {
                "Self" {
                    #Self right are never express in gui it's a validated write ( 0x00000008 ACTRL_DS_SELF)

                    $objRights = ""
                }
                "GenericRead" {
                    $objRights = "Read Permissions,List Contents,Read All Properties,List"
                }
                "CreateChild" {
                    $objRights = "Create"
                }
                "DeleteChild" {
                    $objRights = "Delete"
                }
                "GenericAll" {
                    $objRights = "Full Control"
                }
                "CreateChild, DeleteChild" {
                    $objRights = "Create/Delete"
                }
                "ReadProperty" {
                    Switch ($objInheritanceType) {
                        "None" {

                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch
                        }
                        "Children" {

                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch
                        }
                        "Descendents" {
                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Read"
                                }

                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Read"
                                }
                                default
                                { $objRights = "Read All Properties"	}
                            }#End switch
                        }
                        default
                        { $objRights = "Read All Properties"	}
                    }#End switch
                }
                "ReadProperty, WriteProperty" {
                    $objRights = "Read All Properties;Write All Properties"
                }
                "WriteProperty" {
                    Switch ($objInheritanceType) {
                        "None" {
                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default {
                                    $objRights = "Write All Properties"
                                }
                            }#End switch
                        }
                        "Children" {
                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default {
                                    $objRights = "Write All Properties"
                                }
                            }#End switch
                        }
                        "Descendents" {
                            Switch ($objFlags) {
                                "ObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                "ObjectAceTypePresent, InheritedObjectAceTypePresent" {
                                    $objRights = "Write"
                                }
                                default {
                                    $objRights = "Write All Properties"
                                }
                            }#End switch
                        }
                        default {
                            $objRights = "Write All Properties"
                        }
                    }#End switch
                }
                default {

                }
            }# End Switch

            $intCriticalityValue = GetCriticality $_.IdentityReference.toString() $_.ActiveDirectoryRights.toString() $_.AccessControlType.toString() $_.ObjectFlags.toString() $_.InheritanceType.toString() $_.ObjectType.toString() $_.InheritedObjectType.toString()

            Switch ($intCriticalityValue) {
                0 { $strLegendText = "Info"; $strLegendColor = $strLegendColorInfo }
                1 { $strLegendText = "Low"; $strLegendColor = $strLegendColorLow }
                2 { $strLegendText = "Medium"; $strLegendColor = $strLegendColorMedium }
                3 { $strLegendText = "Warning"; $strLegendColor = $strLegendColorWarning }
                4 { $strLegendText = "Critical"; $strLegendColor = $strLegendColorCritical }
            }
            $strLegendTextVal = $strLegendText
            if ($intCriticalityValue -gt $global:intShowCriticalityLevel) {
                $global:intShowCriticalityLevel = $intCriticalityValue
            }

        }#End IF else

Between If/Else there's only one difference

        "DeleteChild, DeleteTree, Delete" {
                    $objRights = "DeleteChild, DeleteTree, Delete"

                }

You can probably optimize this.

Simultaneously running instances mess up with each other`s data

When you run two or more instances of the script at the same time, they use the same temporary files, which results in incorrect reporting. My suggestion is to append unique random ID (GUID, for example) for each session file names, so they would be named like this: ACLHTML-116dc1d9-ff8c-4e1b-85fb-284cd9ec2873.hta

Compare CSV export does not show New entries

Running a Compare scan shows the correct results for new and removed ACLs in the HTML output.
When selecting the CSV output, all new entries are shown as "Matched" instead of "New". Removed entries are correctly shown as "Missing".

Sample CSV entry:
"OU=Administration,OU=Groups,OU=XY1,DC=HSLAB2,DC=local","organizationalUnit","HSLAB2\TestUser2","HSLAB2\TestUser2","GenericAll","Descendents","00000000-0000-0000-0000-000000000000","bf967aba-0de6-11d0-a285-00aa003049e2","InheritedObjectAceTypePresent","Allow","False","ContainerInherit","InheritOnly","2019-03-08 12:06:35","7d1dbe1f-0ae1-4e28-9fe0-30409cdf0118","1117506","","Match"

HTML image attached...

Exchange Templates

Hi, I wonder if anyone has templates that include Exchange-related default SDs and would be willing to share them.

New-Guid is not recongnized

Some version of PowerShell does not recongnize New-Guid

Export CSV

Hello,

Actually if you open a csv in Excel, then convert data with default ',' you will have an issue with the OU path containing ','.
I advise to add a delimiter when export-csv.
It is easier when you use a csv in Excel.

export-csv -delimiter ';'

$strScriptName variable is not used

$strScriptName = $($MyInvocation.MyCommand.Name)

That variable is not used anywhere in the script, except for the line above.

Icon missing

Hello,
From the 6.5 version, you remove public class IconExtractor.
I don't know if it's wanted or not but the icons don't show anymore (tested on WS 2016 WS 2019, 10 21H1).

Error when run from clipboard

Hi,

I run a lot of the powershell scripts on remote machines, without copying script files. When I do lines:
--> $CurrentFSPath = split-path -parent $MyInvocation.MyCommand.Path

throw an error. If you change it to
--> $CurrentFSPath = $(Get-Location).path

It will do the same thing, but will not throw errors when working from clipboard

CSV Templates

Hello there,
thanks for thsi great tool.
Unfortunatelly the links for the CSV templates are not reachable.

Regards,
Tom

From GUI to command line

Hi Robin

Thank yor for a very useful tool.

I would like to schedule a weekly run to document all changes made to my AD.
The GUI makes perfect sense, but I'm having trouble translating all the GUI options into command line syntax. How about an option in the GUI, that displays the command line of the options selected in the GUI? Right now it's a bit of trial and error and with a big AD each run takes a long time to finish.

Best regards
Christian

Scan does not return any objects

This error occurs regardless of the filter or scope.:
Log Error: No objects returned! Does your filter reflect the objects you are looking for?

The command line outputs this error:
Cannot bind argument to parameter 'stringList' because it is null

I also noticed that the Effective Rights scan report does not include the permission. Only the groups, is there a more detailed documentation available for using this tool?

running powershell version 2.0.
and .Net 4.5

Is there a windows feature that needs to be enabled other than active directory or group policy?
Or maybe another module that needs to be installed?

Add parameters to match GUI

Hi!

First off, thanks for the awesome tool!

I might be off on this, but it seems like the GUI provides a bit more flexibility in what you collect. It would be helpful to have these available via parameters.

Cheers!

Console errors are registered when a machine cannot connect to LDAP

The following errors are registered when invoking the domain picker, if the machine which cannot connect to LDAP:

Exception calling "SendRequest" with "1" argument(s): "The LDAP server returned an unknown error."
At C:\Users\kf\OneDrive\Scripts\Release\ADACLScanner\ADACLScan.ps1:4775 char:1
+ $response = $LDAPConnection.SendRequest($request)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : LdapException

Exception calling "SendRequest" with "1" argument(s): "The LDAP server is unavailable."
At C:\Users\kf\OneDrive\Scripts\Release\ADACLScanner\ADACLScan.ps1:4787 char:1
+ $response = $LDAPConnection.SendRequest($request)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : LdapException

Legend does not match result - Access Right Criticality option

Write properties should be tagged as "Warning" in yellow as per legend if access right criticality is enabled:

Report has it listed as gray though:

Awesome script though. Love the GUI.

Scan does not return any objects

Add -HideProgressBar

Hello Robin,

Any chance to add a switch -HideProgressBar to speed up the searches via command line?

Thanks

Is there an extract of permissions & rights captured by ADACLScan.ps1 (with their criticality levels)?

I am running ADACLScan.ps1 version 6.8 to uncover AD groups with Critical, Warning & Medium permissions & rights that are not already being reviewed as built-in groups.
The auditors are asking me to justify use of ADACLScan.ps1. They want to know what permissions are identified and why the criticality Level rates them as Critical, Warning & Medium. Why am I excluding Low criticality permissions?
Is there an extract of permissions & rights captured by ADACLScan.ps1 (with their criticality levels)?
If so, I could then refer the auditors to the Microsoft descriptions, such as
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0
Examples of what I am looking for are:
"Create Object"="Warning";
"Read permissions, Modify permissions" {$intCriticalityLevel = 4 }

Reload SSL/TLS Certificate = "1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8" {$intCriticalityLevel = 4}

Web-Information = 2 "E45795B3-9455-11d1-AEBD-0000F80367C1" { # If it SELF then = 1

if($objIdentity -eq "NT AUTHORITY\SELF"){$intCriticalityLevel = 1 else {$intCriticalityLevel = 2}}

Unable to Get Account from child domain under Effective Rights tab

Within the Effective Rights tab I can Get-Account from the same domain, but not from other domains or child domains despite selecting the location properly and seeing that the status above the input box for the user account changes to the NETLOGON name of the domain. Attempting to use domain\ or username@domainfqdn in anny combination fails as well.

Information Collection

Hi,
Can you confirm what information is collected (if any)?

Thanks!

-FilterTrustee does not work with -RecursiveFind

Hello @canix1 , I have stumbled upon this behavior of ADACLScanner 7.3 and I am not sure if it is a bug or expected behavior. It seems that the -FilterTrustee parameter gets evaluated before the -RecursiveFind parameter.

For example, I am trying to look up the permissions to create computer objects. If I run this:

 .\ADACLScan.ps1 -Base 'DC=contoso,DC=com' `
                 -Scope onelevel `
                 -Filter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))' `
                 -AccessType Allow `
                 -ApplyTo computer `
                 -Permission create `
                 -RecursiveFind `
                 -Output HTML `
                 -Show

I get the following results, as john is a member of Account Operators:

But if I add the -FilterTrustee parameter:

 .\ADACLScan.ps1 -Base 'DC=contoso,DC=com' `
                 -Scope onelevel `
                 -Filter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))' `
                 -AccessType Allow `
                 -ApplyTo computer `
                 -Permission create `
                 -FilterTrustee 'CONTOSO\john' `
                 -RecursiveFind `
                 -Output HTML `
                 -Show

I just get No Permissions found!

Extra hidden characters in code

I just pulled down the new 6.8 version and was comparing to v6.4. Running the script produced quite a few errors too. I noticed the following:
line 1266, 1267, 1271, 15217, 15218, 15222, 15600, 15601, 15602, 15605 - show hidden character
line 3042, 3063, 11846, 11860, 15054 - quotes are showing as funny character
line 14254 - hidden character
Sorry, I can't attach a file to visually show for you

Errors when running

Hello,

When I run .\adaclscan.ps1 I get the errors in the attached file. I've tried running on a 2012 R2 and 2019 Domain Controllers as well as a Windows 10 system, all return the same error.

I'm logged into the computers as an administrator and am running PowerShell as an administrator as well.

Thanks!

Chris

adaclscan-errors.txt

Permissions Delete instead of DeleteChild

Hello,
I found an issue and don't understand why.
If I set an object (ie an user) protected from deletion, the parent object gets ACE Deny with DeleteChild for Everyone.

Get-ACL -path "AD:$object" | select -ExpandProperty Access | ?{ $_.IdentityReference -eq "Everyone" }
ActiveDirectoryRights : DeleteChild
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Deny
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

But, with ADACLScan, I get the permissions Delete instead of DeleteChild:

Object            : xxx
ObjectClass       : organizationalUnit
IdentityReference : S-1-1-0
Trustee           : Everyone
Access            : Deny
Inherited         : False
Apply To          : This Object Only
Permission        : Delete

Typo on line 16139

Hi, there is a typo on line 16139, which is }D instead of just }. Consequence:

D : The term 'D' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\ADControls\ADACLScan.ps1:16139 char:30
+                             }D
+                              ~
    + CategoryInfo          : ObjectNotFound: (D:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

CSV Templates 2000 to 2012 R2 - issue with Identity Reference

Hello,

First of all thanks for your great work, I use it often to detect ACL issue!

The CSVs for Windows 2016 has SID for Identity Reference, it is great because we can compare with non-english Active Directory.

But the olders CSVs (2000 to 2012 R2) used sometimes SID, sometimes english name like 'Everyone', etc. That's lead to bad comparison if the AD is not in english.

Is this possible to update the CSV templates ?

Last thing: in the CSV templates download window, there is a little typo problem : Configration NC instead of Configuration NC.

Question about the values in the State column

Hi Robin

First of all thanks for a very useful tool. I'm using it correlate some findings by another tool.

I gave a question about the values in the state column when running a compare against the default templates for Server 2016 and I'm curious about the meanings of the values that show up,

For example what does Missing mean versus Out of Policy, mean exactly? I need to explain this to customer and I'm not 100% usure.

Any help would be appreciated.

Need to get the Delegated users list from AD

Hi, i need to get the users list who have the delegated rights in AD

Pop-up windows disappear during window switching

When a pop-up window, like the object scanner, or the domain picker, is opened and user switches to another application, that window disappears and the main script window continues to be locked. The pop-up window can be found if the user minimizes all opened windows, but it would be much easier if we could just to Alt-Tab to it.

Option to include CanonicalName

Feature request - an option to include CanonicalName (in addition to or instead of DistinguishedName) to make reports easier to sort.

Does not work outside DC

It looks like this script can only be run on the domain controller, is it possible to run it remotely?

Argument error - script will not execute

PS C:\Users****\Desktop> .\ADACLScan.ps1 -Base "DC=,DC=,DC=*" -Scope subtree -E
sPrincipal ****
Found security principal
Get-Perm : Cannot process argument transformation on parameter 'bolGetOwnerEna'. Cannot convert value "" to
"System.Boolean". Boolean parameters accept only Boolean values and numbers, such as $True, $False, 1 or 0.
At C:\Users*\Desktop\ADACLScan.ps1:14635 char:99

... lSubOU $global:strDomainShortName $false $false $false $Owner $SDDate ...

canix1 / adaclscanner Goto Github PK

adaclscanner's Introduction

AD ACL Scanner

Current version

Download

Donate

Description

History

Features

Feature list

System requirements

adaclscanner's People

Contributors

Stargazers

Watchers

Forkers

adaclscanner's Issues

Reload SSL/TLS Certificate = "1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8" {$intCriticalityLevel = 4}

Web-Information = 2 "E45795B3-9455-11d1-AEBD-0000F80367C1" { # If it SELF then = 1

Recommend Projects

Recommend Topics

Recommend Org