Active Directory Security, Permission and ACL Analysis

AD ACL Scanner is a PowerShell script. Once executed, it displays a graphical interface. The utility creates reports of discretionary access control lists (DACLs) and system access control lists (SACLs) on Active Directory objects.


  • A tool completely written in PowerShell.
  • A tool with a GUI used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory.

New Features

  • Option to show the objectClass of the objects reported.
  • Option to skip the ACEs added by “Protect object from accidental deletion” (the Deny entries for Everyone that this checkbox sets).
  • Error handling for the .NET Framework CLR version.



It has the following features:

  • View HTML reports of DACLs/SACLs and save them to disk.
  • Export DACLs/SACLs on Active Directory objects in CSV format.
  • Connect to and browse your default domain, the schema or configuration naming context, or any naming context given by distinguished name.
  • Browse a naming context by clicking your way around, either through OUs only or through all object types.
  • Report only explicitly assigned DACLs/SACLs.
  • Report on OUs only, on OUs and container objects, or on all object types.
  • Filter DACLs/SACLs for a specific access type, e.g. where do “Deny” permissions exist?
  • Filter DACLs/SACLs for a specific identity, e.g. where does “Domain\Client Admins” have explicit access? Wildcards such as “*jdoe*” are supported.
  • Filter DACLs/SACLs for permissions on a specific object class, e.g. where are permissions set on computer objects?
  • Skip default permissions (those that come from the schema class’s defaultSecurityDescriptor) in the report. This makes custom permissions easier to find.
  • Report the owner of each object.
  • Compare previous results with the current configuration and see the differences by color scheme (green = matching permissions, yellow = new permissions, red = missing permissions).
  • Report when permissions were modified.
  • Can use AD replication metadata when comparing.
  • Can convert a previously created CSV file to an HTML report.
  • Effective rights: select a security principal and match it against the permissions in AD.
  • Color-coded permissions based on criticality when using the effective rights scan.
  • List your domains and select one from the list.
  • Get the size of the security descriptor (bytes).
  • Report on disabled inheritance.
  • Include all inherited permissions in the report.
  • HTML reports contain headers.
  • Summary of criticality for all report types.
  • Refresh nodes by right-clicking a container object.
  • Exclude objects from the report by matching a string against their distinguishedName.
  • A CSV file from one domain can be used for another: by replacing the old DN with the current domain’s you can reuse reports between domains. The NetBIOS (short domain name) prefix of security principals can be replaced as well.
  • Report on modified default security descriptors in the schema.
  • Verify the format of the CSV files used by the convert and compare functions.
  • When comparing with a CSV file, nodes missing in AD are reported as “Node does not exist in AD”.
  • The progress bar can be disabled to speed up report creation.
  • If the first node in the CSV file used for comparing cannot be connected to, the scan stops.
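As an added example (not part of AD ACL Scanner and not the script's own code), the PowerShell below does the core of what the scanner's explicit-ACE report does, using the RSAT ActiveDirectory module's AD: drive: it walks the OUs and containers under a search base, keeps only non-inherited ACEs, filters them by identity (wildcards allowed), records the owner and whether inheritance is blocked, writes a CSV, and reads replication metadata to tell when each security descriptor last changed. The search base, the identity pattern and the output path are assumptions; the syntax needs PowerShell 3.0 or later.

```powershell
# Added example, not AD ACL Scanner code. Requires the RSAT ActiveDirectory module
# and PowerShell 3.0+ (for [pscustomobject]). Search base, identity filter and
# output path below are assumptions for illustration.
Import-Module ActiveDirectory

$searchBase     = 'OU=Workstations,DC=corp,DC=example'   # assumed OU to scan
$identityFilter = '*'                                    # e.g. 'CORP\Helpdesk' or '*jdoe*'
$outCsv         = Join-Path $env:TEMP 'explicit-aces.csv'
$dc             = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# Same scope as the scanner's "OUs and Container Objects" mode.
$containers = Get-ADObject -Server $dc -SearchBase $searchBase -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

$rows = foreach ($obj in $containers) {
    $dn  = $obj.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # When did this object's nTSecurityDescriptor last change? Replication metadata
    # keeps the originating change time per attribute; that is the data behind the
    # scanner's "report when permissions were modified" feature.
    $changed = $null
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc `
                    -Properties nTSecurityDescriptor -ErrorAction Stop
        $changed = $meta.LastOriginatingChangeTime
    } catch { }   # older AD module or insufficient rights: leave the column blank

    foreach ($ace in $acl.Access) {
        # Inherited ACEs are repeated on every child; report each ACE where it is set.
        if ($ace.IsInherited) { continue }
        if ($ace.IdentityReference.Value -notlike $identityFilter) { continue }

        [pscustomobject]@{
            Object              = $dn
            Owner               = $acl.Owner
            InheritanceBlocked  = $acl.AreAccessRulesProtected
            LastChanged         = $changed
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType           # Allow or Deny
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $ace.ObjectType                  # property/extended-right GUID, or all zeros
            InheritedObjectType = $ace.InheritedObjectType         # class GUID the ACE is scoped to
            AppliesTo           = $ace.InheritanceType
        }
    }
}

$rows | Export-Csv -Path $outCsv -NoTypeInformation -Encoding UTF8

# Two of the questions the scanner's filters answer: where do Deny ACEs exist,
# and which containers have a non-default owner or blocked inheritance?
$rows | Where-Object { $_.Type -eq 'Deny' } |
    Format-Table Object, Identity, Rights -AutoSize
$rows | Select-Object Object, Owner, InheritanceBlocked -Unique |
    Where-Object { $_.InheritanceBlocked -or $_.Owner -notmatch 'Domain Admins$' } |
    Format-Table -AutoSize
```

The SACL side of the scanner's reports is reached the same way: `Get-Acl -Path "AD:\..." -Audit` fills the `.Audit` collection with the audit ACEs, provided the account holds the Manage auditing and security log privilege (SeSecurityPrivilege) on the domain controller it talks to. Running the exported CSV through `Compare-Object` against an earlier export gives the equivalent of the scanner's compare mode.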

System requirements:

  • PowerShell 2.0 or above
  • PowerShell running in a single-threaded apartment (STA), which the graphical interface requires; a PowerShell 2.0 console defaults to MTA, so start it with powershell.exe -STA (PowerShell 3.0 and later, and the ISE, default to STA)
  • Some functions require Microsoft .NET Framework version 4.0



Liza is a free tool for Active Directory environments which allows you to display and analyse object rights in the directory hierarchy. You can use it, for example, to perform security permission analysis of an AD domain or of the AD configuration partition.

Liza Tool Screenshot

I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So with the LIZA development, I tried to display most of the permission ACE (Access Control Entry) information as simply as possible, so you have an almost complete overview at first sight.

Security Descriptor Display

In the left panel of the Liza window you see the container hierarchy of the connected Active Directory namespace. In the right panel you see the content of the security descriptor of the currently selected directory container. This information is stored with each object in the LDAP attribute nTSecurityDescriptor.

An Active Directory security descriptor contains three important pieces of information:

  • The discretionary access control list (DACL): the trustees that have permissions on the object.
  • The system access control list (SACL): the audit settings for the object.
  • The owner (and primary group) of the object. By default the object’s creator becomes the owner (when the creator is a member of Domain Admins, that group becomes the owner instead), and the owner can always read and change the DACL, regardless of what the DACL itself grants.

You need to be the owner, or to hold the RC (READ_CONTROL) permission on the object, to read the DACL and owner information.
You need the Manage auditing and security log privilege (SeSecurityPrivilege) on the domain controller you are connected to in order to read the SACL information.

The access control lists are displayed with several columns:

ACE display explanations

In the ACLs you see a list of access control entries (ACEs). Liza displays a summary of each ACE on one line; nevertheless, you can display each ACE in detail with the Show ACE button.

Detailed ACE display window

Trustee Analysis

Liza can analyze permissions for a selected trustee. You just have to select one trustee (for example a user or a group). Liza then determines the groups the selected trustee is a member of (including nested group memberships) and afterwards scans all directory containers to find permissions that are granted or denied to that trustee or to any of its groups.

Follow these steps to analyze the permissions for a certain trustee:


Step 1 Use the Select trustee for ACL analysis button at the bottom of the Liza window to switch to browse mode. In browse mode you see all directory objects in the connected hierarchy that have a SID (security identifier) attribute. Only objects with a SID can be security principals and are therefore suitable for permission analysis.

The button for the permission analysis

Step 2 You can now select the security principal whose permissions in the directory you want to check. It could be a single user, a group or a machine account, for example. In the bottom area of the Liza window you see the currently selected object. If the Include group membership checkbox is activated, the list also contains the groups the object is a member of, including nested memberships.

Selecting the trustee to be analysed

Step 3 You can also enter an object’s name directly: just click on the trustee list at the bottom of the window and type the name of the object. Liza detects the object automatically while you type:

Entering the trustee to be analysed directly

Step 4 If you want to go back to the normal permission display without trustee analysis, click on the trustee list at the window bottom and press the DELETE key. The list is cleared, and you can use the Analyze ACLs button to return to the initial mode with plain permission display.

To start the analysis, a trustee name (and possibly its group memberships) must be displayed in the list at the window bottom. The button label changes to Analyze ACLs for the Selected Trustee, and you start the analysis with this button. Attention: if you have activated the Show leaf objects in the selected container command button, the analysis can take a long time to complete, because every single object in the directory has to be examined. In this case a corresponding message box is shown:

Starting the trustee analysis

Step 5 To start the analysis, use the Analyze ACLs button. During the hierarchy analysis the application is disabled; just wait for the progress bar to complete. You can, however, stop the analysis run at any time with the Abort ACL analysis button.

Progress bar display during permission analysis

Step 6 When Liza shows the analysis result, all containers and ACEs in which the selected object (or one of its groups) is directly affected are shown in bold red. If you activated the Show leaf objects in the selected container command button, even the individual leaf objects are examined for the trustee’s permissions.

If the permission entry on the container is inherited rather than set directly on it, the entry is shown in red without the bold font:

The analysis result
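The trustee analysis described in the steps above, as an added example in PowerShell (not Liza's code): it expands the trustee's nested group membership with the tokenGroups constructed attribute, then reads the security descriptor of every container in the domain and reports the ACEs whose SID is the trustee or one of its groups, distinguishing explicit from inherited entries the way Liza's bold-red/red display does. The trustee name 'jdoe' is an assumption; the script needs the RSAT ActiveDirectory module, PowerShell 3.0 or later, and read access to the objects it examines.

```powershell
# Added example, not Liza's code. Requires the RSAT ActiveDirectory module and
# PowerShell 3.0+. The trustee name is an assumption.
Import-Module ActiveDirectory

$trusteeName = 'jdoe'   # assumed sAMAccountName of a user, group or computer (computer: 'host$')
$domain      = Get-ADDomain

$trustee = Get-ADObject -LDAPFilter "(sAMAccountName=$trusteeName)"
if (-not $trustee) { throw "Trustee '$trusteeName' not found" }

# tokenGroups is a constructed attribute listing every group SID the trustee's token
# would carry: nested groups and the primary group (which member/memberOf do not show).
# It is only computed on request, so it is read through ADSI with an explicit refresh.
$entry = [ADSI]"LDAP://$($trustee.DistinguishedName)"
$entry.RefreshCache(@('objectSid', 'tokenGroups'))
$trusteeSid = (New-Object System.Security.Principal.SecurityIdentifier($entry.Properties['objectSid'][0], 0)).Value
$groupSids  = foreach ($bytes in $entry.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# SIDs to look for: the trustee, its groups, and the well-known identities every
# domain account carries (fixed SIDs: Everyone, Authenticated Users).
$wanted = @{ $trusteeSid = $trusteeName; 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
foreach ($sid in $groupSids) { if (-not $wanted.ContainsKey($sid)) { $wanted[$sid] = $null } }

# Resolve group names once, for readable output; keep the raw SID if it cannot be resolved.
foreach ($sid in @($wanted.Keys)) {
    if ($wanted[$sid]) { continue }
    try {
        $wanted[$sid] = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
    } catch { $wanted[$sid] = $sid }
}

# Containers only, like Liza's default mode. Adding leaf classes to the filter mirrors
# "Show leaf objects" at the cost of one security-descriptor read per object.
$containers = Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))' `
    -Properties nTSecurityDescriptor

$hits = foreach ($c in $containers) {
    # Ask for SID-typed identities so no per-ACE name translation is needed.
    $rules = $c.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if (-not $wanted.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Container  = $c.DistinguishedName
            Via        = $wanted[$sid]               # the trustee itself or the group carrying the ACE
            Explicit   = -not $ace.IsInherited       # Liza: bold red = explicit, red = inherited
            Type       = $ace.AccessControlType      # a Deny here overrides Allows from other groups
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType             # property/extended-right GUID, or all zeros
        }
    }
}

# Explicit entries first: those are the ones set on the container itself.
$hits | Sort-Object @{ Expression = 'Explicit'; Descending = $true }, Container |
    Format-Table Container, Via, Explicit, Type, Rights -AutoSize
```

tokenGroups is evaluated by the domain controller the query goes to, so for a trustee from another domain the membership in universal and domain-local groups of that domain is not included; run the script in the trustee's own domain in that case.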

Blocked Inheritance Analysis
LIZA can search the entire directory for objects with blocked permission inheritance. Blocked inheritance causes delegation problems in many cases, because delegated rights do not apply to such objects unless they are set explicitly on the object itself.

All objects affected by the AdminSDHolder mechanism (members of highly privileged groups such as Domain Admins, for example) have permission inheritance disabled: the SDProp process on the PDC emulator periodically copies the security descriptor of CN=AdminSDHolder,CN=System onto these objects, blocks inheritance and sets their adminCount attribute to 1. Such objects are often difficult to spot, because the inheritance block (and adminCount=1) remains on the object even after it is no longer a member of a protected group; SDProp never undoes what it did.

LIZA can search for such objects; just use the Search blocked inheritance button at the bottom right of the screen. The analysis can take a while, because LIZA has to evaluate the security descriptor of every object in the current directory, and that can be a lot of data. The result is shown in the treeview panel on the left side; all objects with blocked inheritance are marked in bold red:

Liza Tool Screenshot
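The blocked-inheritance search above, as an added PowerShell example (not Liza's code) that also sorts the findings by cause: objects still protected by SDProp, SDProp leftovers (adminCount=1 but no longer in a protected group), and manually blocked objects. Protected groups are identified by their own adminCount=1 attribute rather than a hard-coded list, and accounts whose primaryGroupID points to a protected group (domain controllers, for example) are handled separately because memberOf does not show primary-group membership. The script needs the RSAT ActiveDirectory module and PowerShell 3.0 or later; it is read-only, and the remediation at the end is left commented out.

```powershell
# Added example, not Liza's code. Requires the RSAT ActiveDirectory module and
# PowerShell 3.0+. Read-only: the remediation at the end is commented out.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$inChain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: transitive membership

# 1. Every object whose DACL has inheritance blocked (the "protected" flag in the
#    security descriptor). Reading nTSecurityDescriptor for the whole domain is the
#    expensive part, as the text notes.
$blocked = Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope Subtree `
    -LDAPFilter '(objectClass=*)' -Properties nTSecurityDescriptor, adminCount, primaryGroupID |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

# 2. Which of them are still legitimately protected by SDProp? Protected groups carry
#    adminCount=1 themselves; collect their transitive members and their RIDs (for
#    accounts whose primaryGroupID is a protected group, e.g. domain controllers in
#    Domain Controllers). krbtgt is protected by SDProp without any group membership.
$stillProtected = @{}
$protectedRids  = @{}
$stillProtected[(Get-ADUser 'krbtgt').DistinguishedName] = $true
foreach ($g in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    $stillProtected[$g.DistinguishedName] = $true
    $protectedRids[$g.SID.Value.Split('-')[-1]] = $true
    Get-ADObject -LDAPFilter "(memberOf:$inChain:=$($g.DistinguishedName))" |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# 3. Classify the blocked objects.
$report = foreach ($o in $blocked) {
    $byPrimaryGroup = $protectedRids.ContainsKey([string]$o.primaryGroupID)
    $reason =
        if ($stillProtected.ContainsKey($o.DistinguishedName) -or $byPrimaryGroup) {
            'SDProp (currently protected)'
        } elseif ($o.adminCount -eq 1) {
            'SDProp leftover: adminCount=1 but no longer in a protected group'
        } else {
            'Manually blocked'
        }
    [pscustomobject]@{
        Object     = $o.DistinguishedName
        Class      = $o.ObjectClass
        AdminCount = $o.adminCount
        Reason     = $reason
    }
}

$report | Sort-Object Reason, Object | Format-Table -AutoSize

# Remediation for the leftovers, kept commented because it changes the directory:
# re-enable inheritance (keeping the explicit ACEs) and clear adminCount, otherwise
# nothing changes and the object stays out of the delegation model.
# foreach ($o in $report | Where-Object { $_.Reason -like 'SDProp leftover*' }) {
#     $acl = Get-Acl -Path "AD:\$($o.Object)"
#     $acl.SetAccessRuleProtection($false, $true)
#     Set-Acl -Path "AD:\$($o.Object)" -AclObject $acl
#     Set-ADObject -Identity $o.Object -Clear adminCount
# }
```

Groups that are themselves SDProp leftovers still have adminCount=1 and are therefore treated as protected here, which errs on the side of reporting fewer leftovers; compare the adminCount=1 groups against the documented list of protected groups for your forest functional level if that matters.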


Open object in LEX – The LDAP Explorer

If you have LEX – The LDAP Explorer installed on the same machine (minimum LEX v1.5.000), you can use LIZA to open directory objects directly in LEX. This allows you, for example, to change permissions in LEX: LIZA itself is ‘just’ a read-only tool that can display permissions but not change them.

If you want to handle an object with LEX, use the Open in LEX option from the context menu in the treeview panel:
Liza Tool Screenshot


