Skip to content

ADPermissionsAnalyzer

Comprehensive DACL ACE inventory across all AD naming contexts for least-privilege analysis.

Commands

Script Description
ADPermissionsAnalyzer.build Build script for ADPermissionsAnalyzer. Run with: Invoke-Build [Task] [-Configuration <Debug
Install-GitHooks Installs a Git pre-push hook that runs Invoke-Build Build before each push.
Invoke-ADPermissionAnalysis Produces a comprehensive inventory of every DACL ACE on every object in a single
Active Directory domain, across all naming contexts, for least-privilege analysis.
Phase1-DiscoveryAndMaps Phase 1 helpers for AD Permissions Analyzer: LDAP bind, naming-context discovery,
and GUID/SID map construction.
Phase2-Enumeration Phase 2 helper for AD Permissions Analyzer: paged enumeration of every
object in a naming context together with its raw nTSecurityDescriptor.
Phase3-AceParsing Phase 3 helpers for AD Permissions Analyzer: nTSecurityDescriptor parsing,
ACE record decoding, and the runspace-pool dispatcher.
Phase4-TrusteeResolution Phase 4 helpers for AD Permissions Analyzer: trustee SID resolution,
transitive group expansion, and the well-known-SID skip set.
Phase5-InheritanceSource Phase 5 helpers for AD Permissions Analyzer: streaming composite-key
index over explicit ACEs + inheritance source resolution rewriter
with DACL_PROTECTED short-circuit.
Phase6-Output Phase 6 helpers for AD Permissions Analyzer: streaming detail CSV writer
plus the (ACE x effective-trustee) join, RFC-4180 field escaper, the
incremental pivot accumulator, and the pivot CSV writer.