The Ultimate Guide to Auditing Active Directory Permissions: Free Your Data from Hidden Threats

Introduction:

Active Directory (AD) is the cornerstone of authentication and authorization in most corporate networks, making it a prime target for attackers. Permissions that are never audited accumulate into privilege escalation paths, and those paths end in catastrophic data breaches. This guide provides a hands-on approach to auditing AD permissions using a free GUI tool and native commands, so that you can identify and eliminate critical security risks before an attacker finds them.

Learning Objectives:

  • Understand the critical importance of regular Active Directory Access Control List (ACL) auditing.
  • Master the use of a free GUI tool for efficient permission analysis and export.
  • Learn essential PowerShell and Command Prompt commands for in-depth, scriptable security analysis.

You Should Know:

1. Leveraging the AD ACL GUI Scanner

The tool referenced by Andreas Hartig provides a graphical interface to simplify a complex process. It allows for rapid assessment and the creation of baselines for comparison.

Step-by-step guide:

  1. Download the tool from the provided URL: `https://lnkd.in/eDbpJP2P`, and verify the archive's hash or signature against the publisher's before running it.
  2. Extract the ZIP file and run the executable on a management workstation with the AD RSAT tools installed; do not run downloaded tools directly on a domain controller.
  3. Connect to your target domain. Reading ACLs generally needs only read access to the directory, so use a standard account rather than a privileged one.
  4. Navigate the object tree and review the permissions on users, groups, and OUs.
  5. Use the export function to generate a CSV or HTML report for offline analysis and evidence collection; keep the first export as the baseline to compare later runs against.

2. PowerShell: Enumerating Domain Object Permissions

For scripted, large-scale environments, PowerShell is indispensable. The `Get-Acl` cmdlet is your primary tool for interrogating permissions.

Step-by-step guide:

  1. Open PowerShell on a system with the RSAT tools installed. Local elevation is not required to read ACLs, and a standard domain account is generally sufficient.
  2. Import the Active Directory module, which also creates the `AD:` PowerShell drive that `Get-Acl` reads from: `Import-Module ActiveDirectory`
  3. Retrieve the ACL of a specific Organizational Unit (OU):
    $OU_DN = "OU=Finance,DC=undercode,DC=local"
    (Get-Acl "AD:\$OU_DN").Access | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited, InheritanceType -AutoSize


    This command lists all permissions (ActiveDirectoryRights) granted to security principals (IdentityReference) on the specified OU, showing whether they are allowed or denied (AccessControlType) and the inheritance settings. Extended rights such as replication or password reset appear only as `ExtendedRight` in ActiveDirectoryRights; the specific right or attribute is identified by the GUID in `ObjectType`, which is why that column is included. Add `Where-Object { -not $_.IsInherited }` before `Format-Table` to see only the ACEs set directly on this OU rather than everything inherited from the domain.
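Inspecting one OU at a time does not scale, and raw GUIDs in `ObjectType` are hard to read. The following script is an added example (not code from the original article or from the tool it references): it walks every OU in the domain, keeps only explicit Allow ACEs that grant write-class rights to principals outside a Tier-0 allowlist, and resolves each ACE's GUID to an attribute or extended-right name by reading the schema and the Extended-Rights container. The allowlist entries, the `UNDERCODE` NetBIOS name and the output path are assumptions for a lab domain; adjust them for yours.

```powershell
# Added example: scan all OUs for explicit, non-inherited ACEs that grant modify-class
# rights to principals outside a Tier-0 allowlist, resolving ObjectType GUIDs to names.
# Allowlist names and output path are assumptions for a lab domain called undercode.local.
Import-Module ActiveDirectory

# Principals expected to hold write rights on OUs (assumption: adjust per domain).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'UNDERCODE\Domain Admins',
    'UNDERCODE\Enterprise Admins',
    'UNDERCODE\Domain Controllers'
)

# Rights that let the holder change objects or their security, not merely read them.
$DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|ExtendedRight'

# Map schema attribute/class GUIDs and extended-right GUIDs to their names so that an ACE
# can be reported as e.g. "member" or "User-Force-Change-Password" instead of a GUID.
$RootDSE = Get-ADRootDSE
$GuidMap = @{}
Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[([guid]$_.rightsGuid).Guid] = $_.displayName }

function Resolve-AceObjectType {
    param([guid]$Guid)
    # The all-zeros GUID means the ACE applies to every attribute or extended right of the object.
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($GuidMap.ContainsKey($Guid.Guid)) { return $GuidMap[$Guid.Guid] }
    return $Guid.Guid
}

$Findings = foreach ($OU in Get-ADOrganizationalUnit -Filter *) {
    $Acl = Get-Acl -Path "AD:\$($OU.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }               # Deny ACEs reduce access
        if ($Ace.IsInherited) { continue }                                 # report where the ACE is actually set
        if ($Ace.IdentityReference.Value -in $TrustedPrincipals) { continue }
        if ($Ace.ActiveDirectoryRights -notmatch $DangerousRights) { continue }
        [pscustomobject]@{
            OU          = $OU.DistinguishedName
            Principal   = $Ace.IdentityReference.Value
            Rights      = $Ace.ActiveDirectoryRights
            ObjectType  = Resolve-AceObjectType $Ace.ObjectType
            # InheritedObjectType restricts the ACE to one class of child object (e.g. user, computer).
            AppliesTo   = if ($Ace.InheritedObjectType -eq [guid]::Empty) { 'All child objects' } else { Resolve-AceObjectType $Ace.InheritedObjectType }
            Inheritance = $Ace.InheritanceType
        }
    }
}

$Findings | Sort-Object OU, Principal | Format-Table -AutoSize
if ($Findings) { $Findings | Export-Csv -Path "C:\temp\OU_DangerousACEs.csv" -NoTypeInformation }
```

Expect some legitimate hits on the first run (help-desk groups with password-reset delegation, Exchange or other application groups); record those as accepted exceptions and add them to the allowlist, so that subsequent runs only surface change. The domain root and the default containers (CN=Users, CN=Computers) are not OUs and are not covered by `Get-ADOrganizationalUnit`; audit them explicitly with the same `Get-Acl` call.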

3. PowerShell: Finding Users with Replication Rights (DCSync)

The DCSync attack mimics domain replication: a principal holding the replication extended rights on the domain object can request any account's password hashes from a domain controller, including krbtgt. It is a key technique for credential theft, and auditing for these rights is critical.

Step-by-step guide:

  1. This command finds all principals with replication rights, or full control, on the domain object itself. Extended rights are not spelled out in ActiveDirectoryRights (it only shows `ExtendedRight`); the specific right is the GUID in ObjectType, so the filter must match on that field:
    $DomainDN  = (Get-ADDomain).DistinguishedName
    # DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set, and the all-zeros GUID that grants every extended right
    $ReplGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c', '00000000-0000-0000-0000-000000000000'
    $DCSyncACL = (Get-Acl "AD:\$DomainDN").Access | Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -match 'GenericAll' -or ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType.Guid -in $ReplGuids)) }
    $DCSyncACL | Select-Object IdentityReference, ActiveDirectoryRights, @{ n = 'RightGuid'; e = { $_.ObjectType.Guid } }, IsInherited | Format-Table -AutoSize


    By default these rights are held only by Administrators, Domain Admins, Enterprise Admins, Domain Controllers, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers and SYSTEM; directory synchronisation accounts such as the MSOL_* account used by Entra (Azure AD) Connect are a common legitimate addition. Any other user or group in the output represents a critical privilege escalation risk. Treat WriteDacl or WriteOwner on the domain object as equivalent, since either lets the holder grant itself the replication rights.

4. Cmd: Using Built-in dsacls.exe for ACL Analysis

The built-in `dsacls.exe` (installed with the AD DS RSAT tools and present on every domain controller) offers a quick, raw view of permissions from a command prompt.

Step-by-step guide:

  1. Open a Command Prompt.
  2. To view all permissions on the "Finance" OU:
    dsacls "OU=Finance,DC=undercode,DC=local"


    The output lists the owner, then each Access Control Entry (ACE) as Allow or Deny, the trustee, and the rights spelled out in words: FULL CONTROL, or SPECIAL ACCESS followed by lines such as CREATE CHILD, DELETE CHILD, WRITE PROPERTY, WRITE PERMISSIONS, WRITE OWNER and CONTROL ACCESS; extended rights appear under their display names (for example Replicating Directory Changes). Look for any of these write-class rights granted to non-admin principals. The two-letter codes (CC, DC, WP, WD, WO, CA) are the syntax `dsacls` accepts when granting rights with `/G`, not what appears in its listing, and LIST CONTENTS or READ PROPERTY are read rights that are harmless on their own.

5. PowerShell: Auditing for Sensitive Group Memberships

Membership in highly privileged groups like Enterprise Admins, Schema Admins, and Domain Admins must be rigorously controlled.

Step-by-step guide:

  1. To list every member of the Domain Admins group, including members of nested groups:
    Get-ADGroupMember -Identity "Domain Admins" -Recursive | Where-Object objectClass -eq 'user' | Get-ADUser -Properties LastLogonDate, Enabled, PasswordLastSet | Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet | Sort-Object LastLogonDate -Descending


    The `-Recursive` flag expands nested groups and returns only their leaf members, so the groups themselves are not listed; the `Where-Object` keeps user accounts only, because a computer or managed service account in the group would make `Get-ADUser` fail. Regularly review this list for stale or unauthorized accounts, and repeat it for Enterprise Admins, Schema Admins, Administrators, Account Operators and Backup Operators. Note that `Get-ADGroupMember` errors out on groups that contain foreign security principals from trusted domains and on very large groups; an LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (`memberOf:1.2.840.113556.1.4.1941:`) expands membership on the domain controller and avoids both limits.
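The following script is an added example, not code from the original article: it audits the transitive membership of the Tier-0 groups with one server-side LDAP query per group, flags accounts that are disabled, stale, have non-expiring passwords or are not on an approved list, and exports the findings. The approved account names, the 90-day staleness threshold and the output path are assumptions for a lab domain.

```powershell
# Added example: Tier-0 group membership audit using LDAP_MATCHING_RULE_IN_CHAIN.
# Approved account names, the 90-day threshold and the output path are assumptions.
Import-Module ActiveDirectory

$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators'
$Approved    = @('Administrator', 'adm-jsmith', 'adm-breakglass')   # assumption: your approved admin list
$StaleAfter  = (Get-Date).AddDays(-90)

function Get-Tier0MembershipReport {
    param(
        [string[]]$Groups = $Tier0Groups,
        [string[]]$ApprovedAccounts = $Approved,
        [datetime]$StaleBefore = $StaleAfter
    )
    foreach ($GroupName in $Groups) {
        # Schema Admins and Enterprise Admins exist only in the forest root domain; skip groups this domain lacks.
        $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
        if (-not $Group) { continue }

        # memberOf:1.2.840.113556.1.4.1941: is LDAP_MATCHING_RULE_IN_CHAIN. The DC expands nested
        # groups server-side, so large groups and foreign security principals do not break the query.
        $Filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$($Group.DistinguishedName)))"
        Get-ADUser -LDAPFilter $Filter -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled |
            ForEach-Object {
                $Flags = @()
                if (-not $_.Enabled)                                              { $Flags += 'Disabled' }
                if ($_.PasswordNeverExpires)                                      { $Flags += 'PasswordNeverExpires' }
                if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $StaleBefore)  { $Flags += 'Stale' }
                if ($_.SamAccountName -notin $ApprovedAccounts)                   { $Flags += 'NotApproved' }
                [pscustomobject]@{
                    Group           = $GroupName
                    SamAccountName  = $_.SamAccountName
                    Enabled         = $_.Enabled
                    LastLogonDate   = $_.LastLogonDate
                    PasswordLastSet = $_.PasswordLastSet
                    Flags           = ($Flags -join ',')
                }
            }
    }
}

$Report = Get-Tier0MembershipReport
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Every flagged row is a review item; NotApproved in particular should raise an alert.
$Flagged = $Report | Where-Object Flags
if ($Flagged) { $Flagged | Export-Csv -Path "C:\temp\Tier0_Findings.csv" -NoTypeInformation }
```

Two gaps to keep in mind: `memberOf` does not record primary group membership, so an account whose primaryGroupID points at one of these groups is not returned, and members from trusted domains are foreign security principals rather than users in this domain, so they must be reviewed from their home domain.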

6. PowerShell: Exporting All GPO Permissions for Review

Misconfigured Group Policy Object (GPO) permissions can allow attackers to link malicious policies or modify existing ones.

Step-by-step guide:

  1. This script exports a CSV of all GPOs and their permissions. `Get-GPO` returns the full distinguished name of each policy's groupPolicyContainer object in its `Path` property, so it can be passed to `Get-Acl` directly:
    Import-Module GroupPolicy, ActiveDirectory
    $Results = foreach ($GPO in Get-GPO -All) {
        (Get-Acl -Path "AD:\$($GPO.Path)").Access | ForEach-Object {
            [pscustomobject]@{
                GPOName     = $GPO.DisplayName
                GPOId       = $GPO.Id
                Principal   = $_.IdentityReference.Value
                Permission  = $_.ActiveDirectoryRights
                AccessType  = $_.AccessControlType
                IsInherited = $_.IsInherited
            }
        }
    }
    $Results | Export-Csv -Path "C:\temp\All_GPOPermissions.csv" -NoTypeInformation


    Analyze the CSV for GenericAll, GenericWrite, WriteProperty, WriteDacl or WriteOwner granted to principals other than Domain Admins, Enterprise Admins, SYSTEM and CREATOR OWNER; Authenticated Users and ENTERPRISE DOMAIN CONTROLLERS should hold read (and apply) rights only. The GroupPolicy module's `Get-GPPermission -All` presents the same ACL at GPMC's level of abstraction (GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity). Remember that a GPO's settings also live in SYSVOL: a principal with write access to the policy folder on the file system can modify the GPO even when the AD object's ACL is clean.
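Because a GPO can be altered from either the directory object or its SYSVOL folder, both ACLs need the same review. The following is an added example, not code from the original article: for each GPO it reports who can edit it according to `Get-GPPermission` (the AD side) and according to the NTFS ACL on `\\<domain>\SYSVOL\<domain>\Policies\{GUID}` (the file-system side), and marks every principal that is not in a SID-based Tier-0 allowlist. Comparing SIDs rather than names avoids false positives from localisation or renamed groups. The allowlist and the output path are assumptions for a lab domain.

```powershell
# Added example: who can edit each GPO, on the AD object and on its SYSVOL folder.
# Trusted SIDs below are an assumption (SYSTEM, CREATOR OWNER, Domain Admins, Enterprise Admins).
Import-Module GroupPolicy, ActiveDirectory

$Domain    = Get-ADDomain
$DnsRoot   = $Domain.DNSRoot
$ForestSid = (Get-ADDomain (Get-ADForest).RootDomain).DomainSID.Value
$TrustedSids = @(
    'S-1-5-18',                        # NT AUTHORITY\SYSTEM
    'S-1-3-0',                         # CREATOR OWNER
    "$($Domain.DomainSID.Value)-512",  # Domain Admins (RID 512)
    "$ForestSid-519"                   # Enterprise Admins (RID 519, forest root domain)
)

function Get-GpoEditorReport {
    param([string[]]$Trusted = $TrustedSids)
    foreach ($GPO in Get-GPO -All) {
        # AD side: GPMC-level permissions on the groupPolicyContainer. GpoCustom means
        # non-standard ACEs that GPMC cannot summarise, so it is worth a manual look.
        Get-GPPermission -Guid $GPO.Id -All |
            Where-Object { -not $_.Denied -and $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' } |
            ForEach-Object {
                $Sid = "$($_.Trustee.Sid)"
                [pscustomobject]@{
                    GPOName   = $GPO.DisplayName
                    Location  = 'AD'
                    Principal = if ($_.Trustee.Domain) { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } else { $_.Trustee.Name }
                    Rights    = $_.Permission
                    Trusted   = ($Sid -in $Trusted)
                }
            }

        # SYSVOL side: NTFS ACL on the policy folder. GPMC keeps this in step with the AD ACL,
        # so a write right that only exists here is itself a finding.
        $Folder = "\\$DnsRoot\SYSVOL\$DnsRoot\Policies\{$($GPO.Id)}"
        if (-not (Test-Path -LiteralPath $Folder)) { continue }
        (Get-Acl -LiteralPath $Folder).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl|ChangePermissions|TakeOwnership' } |
            ForEach-Object {
                $Id  = $_.IdentityReference
                $Sid = try { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $Id.Value }
                [pscustomobject]@{
                    GPOName   = $GPO.DisplayName
                    Location  = 'SYSVOL'
                    Principal = $Id.Value
                    Rights    = $_.FileSystemRights
                    Trusted   = ($Sid -in $Trusted)
                }
            }
    }
}

$Report = Get-GpoEditorReport
$Report | Where-Object { -not $_.Trusted } | Sort-Object GPOName, Location | Format-Table -AutoSize
if ($Report) { $Report | Export-Csv -Path "C:\temp\GPO_Editors.csv" -NoTypeInformation }
```

Inherit-only generic ACEs on the SYSVOL folders show their rights as numeric values rather than names; they do not match the regular expression above and should be reviewed by hand if the folder ACL has been customised.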

7. Implementing Continuous Audit with Scheduled Tasks

Manual audits are not enough. Automate the process to run regularly.

Step-by-step guide:

  1. Save the DCSync audit script from section 3 as `C:\Scripts\Audit-DCSync.ps1`, and make it write its findings to a timestamped CSV or to the event log: a scheduled task has no console, so anything the script merely displays is lost.
  2. Create a scheduled task that runs weekly. Run it as a group Managed Service Account (gMSA) rather than a user account with a stored password: with `-LogonType Password` and a gMSA (note the trailing `$`; `gMSA_ADAudit` is an example name), Windows retrieves the account's password from AD at run time and nothing is stored in the task. The host must be installed for the gMSA (`Install-ADServiceAccount`) and listed in its `PrincipalsAllowedToRetrieveManagedPassword`.
    $Action    = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -NonInteractive -File C:\Scripts\Audit-DCSync.ps1"
    $Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    $Principal = New-ScheduledTaskPrincipal -UserId "UNDERCODE\gMSA_ADAudit$" -LogonType Password
    Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -TaskName "Weekly DCSync Audit" -Description "Audits for DCSync permission changes"

The audit account only needs read access to the directory; do not grant it any of the rights it is meant to find. Restrict write access to C:\Scripts as well, since anyone who can edit the script runs code as the task's account on every schedule. Keeping every run's output gives you a consistent, historical record of who has this dangerous permission and when it changed.
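The one-liner in section 3 only prints to the console, which is useless under a scheduled task. The script below is an added example serving both section 3 and section 7, not code from the original article: it is a complete Audit-DCSync.ps1 that lists every principal holding replication rights, full control, or WriteDacl/WriteOwner on the domain object (the latter two because they allow the holder to grant itself the replication rights), resolves the extended-right GUIDs to names, saves a timestamped CSV, compares the result with the previous run and writes a Warning event when the set of principals changed. The output folder, the event source name and event ID are assumptions; the event source must be registered once beforehand.

```powershell
# Added example: Audit-DCSync.ps1 for unattended use. Output folder, event source and
# event ID 9001 are assumptions. Register the source once with:
#   New-EventLog -LogName Application -Source 'AD-ACL-Audit'
Import-Module ActiveDirectory

$OutDir      = 'C:\AuditLogs\DCSync'
$EventSource = 'AD-ACL-Audit'

# Extended rights that enable DCSync. The all-zeros GUID grants every extended right.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All-Extended-Rights'
}

function Get-DCSyncCapablePrincipals {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    foreach ($Ace in (Get-Acl -Path "AD:\$DomainDN").Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        $Right = $null
        if ($Ace.ActiveDirectoryRights -match 'GenericAll') {
            $Right = 'GenericAll'
        } elseif ($Ace.ActiveDirectoryRights -match 'WriteDacl|WriteOwner') {
            # Not DCSync itself, but sufficient to grant oneself the replication rights.
            $Right = "$($Ace.ActiveDirectoryRights)"
        } elseif ($Ace.ActiveDirectoryRights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($Ace.ObjectType.Guid)) {
            $Right = $ReplicationRights[$Ace.ObjectType.Guid]
        }
        if ($Right) {
            [pscustomobject]@{
                Principal = $Ace.IdentityReference.Value
                Right     = $Right
                Inherited = $Ace.IsInherited
            }
        }
    }
}

# Snapshot the current state, then diff it against the most recent previous snapshot.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Current  = @(Get-DCSyncCapablePrincipals | Sort-Object Principal, Right)
$Previous = Get-ChildItem -Path $OutDir -Filter 'DCSync_*.csv' | Sort-Object Name | Select-Object -Last 1
$Stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
$Current | Export-Csv -Path (Join-Path $OutDir "DCSync_$Stamp.csv") -NoTypeInformation

if ($Previous) {
    $Old  = @(Import-Csv -Path $Previous.FullName)
    $Diff = Compare-Object -ReferenceObject $Old -DifferenceObject $Current -Property Principal, Right
    if ($Diff) {
        # '=>' marks a principal/right present now but not before; '<=' marks one that was removed.
        $Message = "DCSync-capable principals changed since $($Previous.Name):`n" +
                   (($Diff | ForEach-Object { "$($_.SideIndicator) $($_.Principal) : $($_.Right)" }) -join "`n")
        Write-EventLog -LogName Application -Source $EventSource -EventId 9001 -EntryType Warning -Message $Message
    }
}
```

Forward the Application log from the audit host to your SIEM and alert on the event ID; the CSV history is what you hand to an incident responder when the alert fires. The first run produces only a baseline, so review that CSV by hand against the default holders listed in section 3 before trusting later diffs.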

What Undercode Say:

  • Visibility is Paramount. You cannot defend what you cannot see. The vast majority of AD security issues stem from obsolete, inherited, or poorly understood permissions that have accumulated over years. Regular, automated auditing is non-negotiable.
  • Automation is the Only Scalable Defense. Manual checks are error-prone and cannot keep pace with modern IT change velocity. The true power of the provided PowerShell commands lies in their ability to be scripted, scheduled, and integrated into a SIEM or SOAR platform for alerting on critical changes.

The analysis provided by Andreas Hartig and the community highlights a persistent gap in enterprise security postures: over-reliance on default configurations and a lack of dedicated ACL hygiene. The enthusiastic response to a free tool underscores the high demand for and critical need of these capabilities. This isn’t just about compliance; it’s about closing the most common attack path toward total domain compromise. Organizations that fail to implement these auditing techniques are effectively operating with a permanent blind spot.

Prediction:

The automation of AD security auditing will rapidly become integrated directly into Identity Threat Detection and Response (ITDR) and Extended Detection and Response (XDR) platforms. Future attacks will increasingly exploit misconfigurations that are invisible without deep, continuous ACL analysis. The organizations that proactively adopt and automate the principles and commands outlined here will be the ones that successfully mitigate the next wave of identity-based attacks, which are predicted to become even more automated and pervasive.

Reported By: Andreas Hartig – Hackers Feeds