AD Permissions Reporter

ADPermissionsReporterBanners

This feature is included in NetTools v1.30.8 beta

The AD Permissions Reporter option makes it easy to report on what permissions that have been assigned to objects in the Active Directory forest.  It can be used to discover who has been assigned delegation permissions, with over 30 predefined reports for commonly assigned delegation rights.  It can also be used to audit or track down if specific permissions have been assigned in the Active Directory environment.

AD Permissions Reporter includes the following features:

  • Fast - Uses low level API and local caching for increased performance
  • Easy of use - includes pre-defined filters for commonly delegated permissions
  • Powerful - Provides the capability to search for any attribute in the Security Descriptor
  • Configurable - Create custom reports using the basic or advanced filter wizards
  • Comprehensive - Tree and table report views
AD Permissions Reporter - Tree view
AD Permissions Reporter - Report View

Report Filters

The AD Permissions Reporter uses filters to determine which objects will be included in the generated report.  There are a number of predefined filters which covers some of the common delegated permissions.  There is also the option to create your own filters, there are three methods available to create a new filters.  The Basic Filter provides a basic set of options which covers the most common reporting options.  The second option is the Advanced Filter, which provides the ability to create more complex filters, that can include multiple rules, with more flexibility in which objects to include in the search and specify more elements in the security descriptor.  The third option allows filters to be created in the AD Permissions Browser, when browsing the AD permissions, you can use the context menu option 'Create Permissions Filter' to create a filter based on the selected permission that is already assigned to an object.

Filter Selection

To select a filter, click on the Select button which will display the Select Filter dialog, in this dialog you are able to select an existing filter, create a new, edit or delete existing filter, and export or import filters.

Select Filter

There are two views available in the AD Permissions Reporter, Tree View and Report View.  The Tree View will display the list of objects that match the filter.  When an item is selected in the Tree View, the permissions of the object are displayed, depending on the Only display matching ACEs, if selected then only the items that match the filter will be displayed.  When unselected all ACEs for the object will be displayed, for ACE that don't match the filter these ACEs will be displayed with a grayed icon while matching ACE will have the normal icon, as shown below.

AD Permissions Reporter - Grayed Items

The Tree View has a number of extra context menus items that provide extra functionality, the tree view has the following items

Context Menu - Tree View

AD Permissions Browser - Opens the selected items in the AD Permissions Browser

Permissions Filter Debug - this option is also available in the context menu for the permissions list.  This option will open the filter debug dialog, this shows the debug information of the matching logic against the selected ACE to help debug a filter.  This option is also available in the AD Permissions Browser context menu. See Permissions Filter Debug.

Permissions Filter Debug

The Report View displays all the matching ACEs as a single list.  During the development of a filter, its possible that a large number of ACEs to match the filter, as the number of results increases, this can slow down the report view update, for this reason the Display ACE in Report view option, allows you to suspend the Report View update.  The status bar will show the total of ACE that have matched the filter.

There are a number of context menu options that are available in the Report View that provide additional features.

Context Menu - AD Permissions Reporter

AD Permissions Browser - the selected item will be opened in the AD Permissions Browser view

List Users - This option takes the list of trustees in the report view and uses the Group Members options to display all the members of the groups, to provide a full list of users that have the permissions included in the filter.

Display in Tree View - this will display the selected ACE in the tree view.

Below are the screenshot of the basic and advanced filter creation dialogs.

Permissions Filter - Basic
Permissions Filter - Advanced