Active Directory security best practices specify that permissions should be inherited via Active Directory group membership rather than assigned explicitly. However, ensuring that this principle is followed can be a challenge. IT administrators need to regularly review Active Directory user permission reports that define how permissions were granted so that they can remove any that were assigned explicitly. Along with this, they need to work with data owners to remove users from groups that grant them unnecessary permissions.
Reviewing permissions regularly minimizes the risk of privilege abuse which then mitigates the occurrence of data breaches. However, the native way to create user permission reports is by using PowerShell, and creating reports in this way together with reviewing the output is a complex and time-consuming process.
In this article, the steps to get an Active Directory User Permissions Report using PowerShell are explained. However, running PowerShell does have several drawbacks, so we will also look at a solution to this using Lepide Auditor. The Lepide Auditor provides an easier, more straightforward way to create an Active Directory User Permissions Report, and this is explained at the end of this article.
Using PowerShell
Open the PowerShell ISE → Create a new script with the following code, specifying the username and the export path → Run the script.
# Load the RSAT Active Directory module (provides Get-ADUser and the AD: drive)
Import-Module ActiveDirectory
# Replace 'User Name' with the sAMAccountName (or distinguished name) of the user to report on
Get-ADUser -Identity 'User Name' |
    ForEach-Object { (Get-Acl -Path "AD:$($_.DistinguishedName)").Access } |
    Export-Csv -Path C:\data\AdUser_Permissions_Report.csv -NoTypeInformation
# Change -Path to the location where the CSV report should be written.
Start Microsoft Excel and open the file produced by the script.
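The one-liner above exports every access control entry (ACE) on the user object but flattens away the property that matters for the review described at the start of the article: whether each ACE was set directly on the object or inherited from a parent container, and whether the trustee is a group or an individual account. The following script is an added example, not part of the original article or a Lepide script, that keeps that information and also exports the user's direct group memberships for the data-owner review. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the directory, and uses the example parameter names $UserName and $OutDir; the helper Get-TrusteeClass is also an assumption introduced here.

```powershell
# Added example: report a user's ACEs with their inheritance flag and trustee type,
# plus the user's direct group memberships, as CSV files for review.
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName or DN of the user to report on
    [string]$OutDir = 'C:\data'                          # folder for the CSV exports
)

Import-Module ActiveDirectory

# Resolve an ACE trustee (DOMAIN\name) to its AD objectClass (user, group, computer, ...).
# Well-known principals such as NT AUTHORITY\SELF have no directory object and are reported as 'unresolved'.
function Get-TrusteeClass {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        if ($obj) { return $obj.objectClass } else { return 'unresolved' }
    } catch {
        return 'unresolved'
    }
}

$user = Get-ADUser -Identity $UserName

# Get-Acl on the AD: drive returns an ActiveDirectorySecurity object whose
# .Access collection holds one ActiveDirectoryAccessRule per ACE.
$acl = Get-Acl -Path "AD:$($user.DistinguishedName)"

$aces = foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        User         = $user.SamAccountName
        Trustee      = $ace.IdentityReference.Value
        TrusteeClass = Get-TrusteeClass -Identity $ace.IdentityReference
        Rights       = $ace.ActiveDirectoryRights
        Type         = $ace.AccessControlType   # Allow or Deny
        IsInherited  = $ace.IsInherited         # $false = assigned explicitly on this object
        Inheritance  = $ace.InheritanceType
        ObjectType   = $ace.ObjectType          # GUID of the attribute or extended right, if scoped
    }
}

# Full ACL export: same data as the article's one-liner, with the inheritance flag and trustee class kept.
$aces | Export-Csv -Path (Join-Path $OutDir "$($user.SamAccountName)_Permissions.csv") -NoTypeInformation

# The review-worthy subset: ACEs set directly on the object rather than inherited from a parent OU,
# and among those, any granted to an individual user rather than a group.
$explicit       = @($aces | Where-Object { -not $_.IsInherited })
$explicitToUser = @($explicit | Where-Object { $_.TrusteeClass -eq 'user' })
$explicit | Export-Csv -Path (Join-Path $OutDir "$($user.SamAccountName)_ExplicitPermissions.csv") -NoTypeInformation

# Direct group memberships, for the step where data owners confirm each group is still needed.
Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object @{ n = 'User'; e = { $user.SamAccountName } }, Name, GroupCategory, GroupScope, DistinguishedName |
    Export-Csv -Path (Join-Path $OutDir "$($user.SamAccountName)_Groups.csv") -NoTypeInformation

Write-Host ("{0}: {1} ACEs total, {2} explicit, {3} explicit ACEs granted to individual user accounts" -f `
    $user.SamAccountName, @($aces).Count, $explicit.Count, $explicitToUser.Count)
```

Run it as `.\Get-UserPermissionReport.ps1 -UserName jsmith -OutDir C:\data` (the script name is whatever you save it as). The `IsInherited` column separates ACEs inherited from the OU hierarchy from those stamped directly on the object; the `TrusteeClass` column separates rights held by groups from rights held by individual accounts. The rows that are both explicit and granted to a user account are the ones that contradict the group-based principle stated at the top of the article and are the first candidates for removal.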
How Lepide can Help
Lepide Auditor for Active Directory overcomes the difficulty of PowerShell scripting by providing a comprehensive report, the User’s Group Membership Report, which lists all the groups that a user belongs to. The Permissions by Object report can then be used to show how those permissions were derived. Examples of these reports are shown below:
In the above example, the report has been grouped by User and we can see all the groups that the user belongs to. We can see that one of the groups that the user Adam belongs to is the Doctors group.
The User’s Group Membership Report is straightforward to run using the following steps:
- From the States and Behavior screen, expand Active Directory Reports, User Reports and then choose the User’s Group Membership Report
- Click Generate Report
- Drag the User Name column heading to the grouping area to group by user
We can then use the Permissions by Object Report to see how the permissions for the Doctors group were derived:
The Permissions by Object Report is straightforward to run using the following steps:
- From the Permission and Privileges screen, choose Permissions by Object
- Select a File Server and click Generate Report
- Expand the tree structure on the left-hand side to see the relevant object