Active Directory Permissions Reporter

August 1, 2013 — 9 Comments

As you’ve probably guessed from the title, the next tool I’m going to be releasing is a permissions reporting tool for Active Directory. It will be similar in concept to my NTFS Permissions Reporter tool, but obviously instead of reporting on file system permissions it will report on permissions assigned to objects in AD (e.g. who can modify which properties of which user accounts, OUs, etc.).

As always I’m aiming to make this tool as easy to use and intuitive as possible, whilst also providing enough features and flexibility to make it really useful for more advanced scenarios. So you’ll be able to just see a simple summary of who has access to which OUs etc, but you’ll also be able to perform more advanced queries that find specific permissions (all the way down to reading/writing specific LDAP attributes) or for example find all objects that are not inheriting permissions from their parent OU. There will also be a command line version included to allow the creation of automated tasks that produce AD permissions reports and export them to file or email them to you.

EDIT: If you’re interested in this tool, please also check out this new post asking for feedback on which features you’d like to see in the first release.

I don’t have any screenshots yet as I’ve been focusing on the core functionality and not done much work on the GUI yet, but I’ll post another entry on this blog as soon as I do have some BETA screenshots and a release date. As with all of my other tools there will be a free edition which will be completely free for personal or commercial use, and a standard edition which will be paid for (prices TBA along with the release date) and will include extra features such as the command line module mentioned above.

Thanks

Chris

9 responses to Active Directory Permissions Reporter

  1. Another great tool, thanks!

  2. Sounds nice, can’t wait to try it.

  3. Yes Chris, go 4 it.
     That’s exactly the tool we need for reporting!

  4. Thanks for the positive comments guys – if there are any particular features you’d like to see that I haven’t already mentioned, please let me know so I can try and get them in there.

  5. I’m writing an app and would like to mark certain fields as read only based on their permissions, for example: if the user running the app only has Read permission on the ‘displayName’ property. Would you mind pointing me in the right direction on how to access the ACL info on AD user objects in VB.Net?

     PS. I really like your applications, they are what inspired me to write some of my own.

     • Nice to hear that 🙂 As for getting the ACL of an AD user, you can use the GetAccessRules method: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directoryobjectsecurity.getaccessrules(v=vs.100).aspx
       (cast each object in the collection returned to an ActiveDirectoryAccessRule). Once you’ve got each ActiveDirectoryAccessRule there’s still quite a lot of work to do, as you’ve got to figure out if each rule relates to your user, if the rule affects the displayName property (as schema attribute GUIDs are used instead of LDAP names), and if the user is a member of any groups that also allow or deny permission to modify that user (including nested group membership).

       You might find you’re better off just letting the user edit it, and if they try to actually save it back to AD they’ll get an Access Denied error.

       • Thanks, I’ll take a look into this tomorrow. The nested group membership is an issue I’m trying to deal with also. The GetAuthorizationGroups method doesn’t always work.
         Maybe you have some pointers on that too; I really don’t want to recurse into every group looking for memberships.

         Thanks again!

         • Recursively going through all group membership isn’t that hard (although when you take membership of Universal groups in other domains in the same forest into account it gets more complicated, as you’ve got to query a Global Catalog server to get that). Or did you mean you don’t want the performance hit of looping through all the nested groups?
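As an added example (not the blog’s or the reporter tool’s own code), the check discussed in this thread written in PowerShell against the same .NET API named above (DirectoryObjectSecurity.GetAccessRules returning ActiveDirectoryAccessRule objects), so it carries straight over to VB.Net. In place of recursing through group membership it reads the caller’s tokenGroups attribute, which the domain controller computes with nesting already resolved; the DN, the attribute name and a domain-joined host are assumptions.

```powershell
# Added example: list the ACEs on an AD user that allow or deny WriteProperty on one
# attribute, and flag those that apply to the caller (directly or via a nested group).
# Assumes a domain-joined host; the DN below is a placeholder, not a real object.
Add-Type -AssemblyName System.DirectoryServices

function Get-AttributeWriteRules {
    param(
        [string]$UserDn,                      # placeholder, e.g. "CN=Jane Doe,OU=Staff,DC=example,DC=com"
        [string]$AttributeName = 'displayName'
    )
    # ACEs reference attributes by schemaIDGUID, not by LDAP display name, so resolve it first.
    $schema   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $attrGuid = $schema.FindProperty($AttributeName).SchemaGuid

    # Caller's SID plus every group SID from tokenGroups (nested membership resolved by the DC),
    # which replaces client-side recursion through member/memberOf.
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $meEntry = [ADSI]"LDAP://<SID=$($me.User.Value)>"
    $meEntry.RefreshCache(@('tokenGroups'))          # tokenGroups is constructed on demand
    $mySids  = @($me.User.Value) + @($meEntry.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })

    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $target    = [ADSI]"LDAP://$UserDn"
    # includeExplicit = $true, includeInherited = $true, trustees returned as SIDs for matching
    $rules = $target.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Keep rules carrying the WriteProperty bit (GenericWrite/GenericAll include it)
        if (($rule.ActiveDirectoryRights -band $writeProp) -ne $writeProp) { continue }
        # ObjectType is the attribute GUID, or Guid.Empty meaning "all properties".
        # Limitation: property-set GUIDs that contain the attribute are not expanded here.
        if ($rule.ObjectType -ne $attrGuid -and $rule.ObjectType -ne [Guid]::Empty) { continue }
        [pscustomobject]@{
            Trustee     = $rule.IdentityReference.Value
            Type        = $rule.AccessControlType       # Allow or Deny
            Inherited   = $rule.IsInherited
            AppliesToMe = $mySids -contains $rule.IdentityReference.Value
        }
    }
}

# A Deny that applies to the caller wins over any Allow, so treat the field as read only in that case.
Get-AttributeWriteRules -UserDn 'CN=Jane Doe,OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Even with this check in the app, the server-side Access Denied on save remains the authoritative answer, exactly as suggested above.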
