ADPermissionsAnalyzer¶
Comprehensive DACL ACE inventory across all AD naming contexts for least-privilege analysis.
Commands¶
| Script | Description |
|---|---|
| ADPermissionsAnalyzer.build | Build script for ADPermissionsAnalyzer. Run with: Invoke-Build [Task] [-Configuration <Debug |
| Install-GitHooks | Installs a Git pre-push hook that runs Invoke-Build Build before each push. |
| Invoke-ADPermissionAnalysis | Produces a comprehensive inventory of every DACL ACE on every object in a single |
| Active Directory domain, across all naming contexts, for least-privilege analysis. | |
| Phase1-DiscoveryAndMaps | Phase 1 helpers for AD Permissions Analyzer: LDAP bind, naming-context discovery, |
| and GUID/SID map construction. | |
| Phase2-Enumeration | Phase 2 helper for AD Permissions Analyzer: paged enumeration of every |
| object in a naming context together with its raw nTSecurityDescriptor. | |
| Phase3-AceParsing | Phase 3 helpers for AD Permissions Analyzer: nTSecurityDescriptor parsing, |
| ACE record decoding, and the runspace-pool dispatcher. | |
| Phase4-TrusteeResolution | Phase 4 helpers for AD Permissions Analyzer: trustee SID resolution, |
| transitive group expansion, and the well-known-SID skip set. | |
| Phase5-InheritanceSource | Phase 5 helpers for AD Permissions Analyzer: streaming composite-key |
| index over explicit ACEs + inheritance source resolution rewriter | |
| with DACL_PROTECTED short-circuit. | |
| Phase6-Output | Phase 6 helpers for AD Permissions Analyzer: streaming detail CSV writer |
| plus the (ACE x effective-trustee) join, RFC-4180 field escaper, the | |
| incremental pivot accumulator, and the pivot CSV writer. |