Export AD ACL permissions with PowerShell

An Active Directory ACL permissions report is useful when you need to tighten an account's permissions for security. Such a report also works well when you want to compare AD ACL permissions between accounts. This article shows how to export AD ACL permissions to CSV and HTML with PowerShell.

Introduction

Do the user accounts in the organization have the correct AD permissions? For security reasons, it’s good to check and:

  • Gain control over who has access to what
  • Lock down excessive permissions
  • Minimize the risk of a breach
  • Ensure compliance

The ADACLScan.ps1 PowerShell script is a GUI tool that creates reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory. The script is written entirely in PowerShell.

The PowerShell script has a lot of features, which is great. However, the features that we like to use are:

  • Export AD ACL permissions to CSV
  • Export AD ACL permissions to HTML

Let’s get the AD ACL permissions from two service accounts. The service accounts are svc-adds and svc-adds1.

Prepare ADACLScan PowerShell script

Create two folders on the C:\ drive:

  • Temp
  • Scripts

Download the ADACLScan.ps1 PowerShell script (direct) or (GitHub). Place it in the C:\scripts folder. We will export and save the ACL permissions to the C:\temp folder.

Run ADACLScan PowerShell script

Run PowerShell as administrator. Next, change the path to the scripts folder. After that, run the script ADACLScan.ps1.

PS C:\> cd c:\scripts\
PS C:\scripts> .\ADACLScan.ps1

The AD ACL Scanner window will show up.

In the AD ACL Scanner window, click on All Objects > Connect.

In the next steps, we will look at how to export AD ACL permissions.

Export AD ACL permissions with PowerShell

You can export the AD ACL permissions with the PowerShell script to:

  • HTML
  • CSV file
  • Excel file

Export AD ACL permissions to CSV file

Navigate to the user account. Click CSV file and fill in the CSV file destination C:\temp. Click Run Scan.

In our example, it’s the user account svc-adds.

Let’s do another AD ACL export to a CSV file, this time for the svc-adds1 user account.

There will be two CSV files in the C:\temp folder.

Export AD ACL permissions to HTML file

Navigate to the user account. Click HTML. Click Run Scan.

Click Export.

Fill in the file and path name, C:\temp\accountname.htm. Click OK.

There will be two HTML files in the C:\temp folder, apart from the CSV files.

Open the ACL report HTML file (svc-adds).

Let’s open the second ACL report HTML file (svc-adds1).

That’s it!
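
To cross-check the two reports without the GUI, the following added example (not part of ADACLScan.ps1 and not the script author's code) reads the DACL of both service accounts and lists the access control entries that exist on only one of them. It assumes a domain-joined session with the RSAT ActiveDirectory module installed; the function name Get-AccountAce and the output file name acl-diff.csv are hypothetical, and the columns are not the ADACLScan CSV layout.

```powershell
# Added example: requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical helper: returns one flat record per ACE on the account's DACL.
function Get-AccountAce {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # The AD: drive comes with the ActiveDirectory module; Get-Acl reads the object's DACL.
    (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
        Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';  e = { $_.ActiveDirectoryRights.ToString() } },
                      @{ n = 'Type';    e = { $_.AccessControlType.ToString() } },
                      ObjectType, InheritedObjectType, IsInherited
}

# The two service accounts used in this article.
$first  = @(Get-AccountAce -SamAccountName 'svc-adds')
$second = @(Get-AccountAce -SamAccountName 'svc-adds1')

# An ACE counts as identical only when all of these fields match.
# ObjectType is a GUID; all zeros means the ACE applies to the whole object.
$keys = 'Trustee', 'Rights', 'Type', 'ObjectType', 'InheritedObjectType', 'IsInherited'

# Compare-Object marks entries found only in the reference set with '<='
# and entries found only in the difference set with '=>'.
$diff = Compare-Object -ReferenceObject $first -DifferenceObject $second -Property $keys |
    Select-Object @{ n = 'OnlyOn'; e = {
                         if ($_.SideIndicator -eq '<=') { 'svc-adds' } else { 'svc-adds1' }
                     } },
                  Trustee, Rights, Type, ObjectType, InheritedObjectType, IsInherited

# Save the differences next to the exported reports and show them on screen.
$diff | Export-Csv -Path 'C:\temp\acl-diff.csv' -NoTypeInformation
$diff | Sort-Object OnlyOn, Trustee | Format-Table -AutoSize
```

An empty result means both accounts carry the same entries; explicit entries (IsInherited is False) that appear on only one account are the ones to review first.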

Conclusion

You learned how to export AD ACL permissions to a CSV file with PowerShell. The ADACLScan.ps1 PowerShell script is what you need to export ACL permissions. It’s a great script that works as intended.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has One Comment

  1. One of the best AD ACL utilities I’ve ever found. What would make it even better is if it could show permissions to actual properties of an AD object.

    Nice work!!
