AD Permissions Reporter – Basic Filter

The Basic Filter is the default filter that is displayed when a new filter is created, While this is the basic filter it does cover most of the common search criteria. The Advanced Filter provides more flexibility with more options, see the Advanced Filters. This pages covers the options that are available on the Basic Filter.

These are the limitation of the Basic Filter:

  • Only the Discretionary Security Access Control (DACL) in the security descriptor can be search
  • All the options in the search criteria must match for an ACE to match the search criteria
  • Only one set of criteria or rule can be defined

The screenshot below shows the mappings between the options in the Basic Filter and the details in the AD Permissions Browser and the Permissions dialog.

Basic Filter - Mappings


  1. Defines which Security Descriptors will be included in the search. This defines if inherited or Blocked inheritance ACEs will be included in the search, one or both of these options must be selected
  2. Defines which ACE access types will be included in the search criteria, at least one of these must be selected
  3. Controls if the inherited permissions are also included in the search criteria
  4. Select the name of the trustee to search for, or if the name is unknown.  If the Include Group Membership is selected then any groups that the trustee is a member of will be returned in the search
  5. Defines the permissions that will be returned in the search
  6. Defines if permission inherited by specific objects are returned

Basic Filter Fields

Filter Name -  defines the name of the filter.  When editing a filter, if the name is changed, the details are saved to a new name, the filter with the previous name is retained unchanged.

Object Scope -  use this option to limit which AD objects will be included in the search.  By default all AD objects will be included in the search

Objects that inherit from their parent - Objects that have inheritance enabled will be included in the search

Objects that block inheritance from their parent - Only security descriptors that have block inheritance will be included in the search.

Access Type - Limits which ACEs will be included in the search, either ACEs that allow or deny access.  If both are selected then all access types are included, including non Allow and Deny ACE types.  See ACE Types

Include Inherited Permissions - defines if permissions that have been inherited in the ACL are also included in the search.  If not selected only directly assigned permissions are included in the search.

Unknown or unresolved names - Returned any ACE that have trustee that can't been resolved to a name, these appear as SIDs in the permissions dialog with the question mark icon.

Trustee -  the name of the trustee that you want to search for, this can be any security object that has the objectsid attribute set, i.e. user, group, computer, etc.  The Search button displays the search dialog, allowing you to search for a trustee in the AD. If the trustee is set and the Search button is pressed, it will search using the entered name, if the name is valid the search dialog will not be shown.

Include Group Membership - with this option selected any of the trustee's group membership, including nested, will be included in the search.

Permissions - This button will display the Permissions dialog which allows you to specify what permissions or inherited object to search for.  See AD Permissions Reporter - Permissions

Advanced Filter - This will change the filter from Basic to Advanced.  If the filter is saved in the Advanced Filter view, then from that point forward it will be opened in the Advanced Ffilter.


Related Topics

AD Permissions Reporter

Advanced Filter Constants

Advanced Filters