How to Get an Active Directory User Permissions Report

An Active Directory User Permissions Report is a comprehensive document that details a user’s access rights within Active Directory: group memberships, access rights assigned explicitly to the user account, and permissions inherited from parent containers such as organizational units. Active Directory security best practice is to grant rights through group membership rather than by adding the user directly to an object’s ACL, because an explicit ACE is easy to forget and hard to audit. Ensuring that this principle is followed is a challenge. IT administrators should review Active Directory user permission reports on a fixed schedule (NIST SP 800-53 control AC-2 requires account reviews at an organization-defined frequency, and quarterly is a common choice) to identify how each permission was granted so that explicit assignments can be removed. Along with this, they need to work with data owners to remove users from groups that grant them unnecessary permissions.

Quick Answer: This article covers two methods to generate AD user permissions reports: (1) PowerShell – a native approach requiring scripting knowledge and manual configuration, best suited for technical administrators; (2) Lepide Auditor – a GUI-based solution providing pre-built reports with minimal setup, ideal for organizations needing quick, repeatable audits.

Key reasons to generate AD user permissions reports:

  • Meet security compliance audit requirements (SOX, HIPAA, PCI-DSS)
  • Detect privilege abuse and unauthorized access escalation
  • Fulfill periodic access review requirements
  • Identify stale or excessive permissions
  • Verify adherence to least-privilege principles

Reviewing permissions regularly minimizes the risk of privilege abuse and therefore the likelihood of a data breach. The native way to create user permission reports is with PowerShell, but creating reports that way and reviewing the output is a complex and time-consuming process.

In this article, the steps to get an Active Directory User Permissions Report using PowerShell are explained. Because the PowerShell approach has several drawbacks, we then look at Lepide Auditor, which provides an easier, more straightforward way to create the report; this is explained at the end of the article.

Using PowerShell

Prerequisites

Before running the PowerShell script, ensure the following requirements are met:

  • Active Directory Module: the RSAT (Remote Server Administration Tools) Active Directory module must be installed; it also provides the AD: drive that Get-Acl reads from
  • Permissions: the account must be able to read the security descriptor of the objects being reported on (by default Authenticated Users can read the DACL of most directory objects, so a standard domain account is usually sufficient; elevation is only needed if the export path requires it)
  • PowerShell Version: PowerShell 5.1 or later recommended

Steps to Generate the Report

  1. Open the PowerShell ISE as Administrator.
  2. Create a new script with the following code, replacing the account name and the export path.
    
    # Import the Active Directory module (provides the AD: PSDrive used below)
    Import-Module ActiveDirectory
    
    # Retrieve the user. -Identity accepts a sAMAccountName, distinguished name,
    # objectGUID or SID; replace 'jdoe' with the account to report on.
    Get-ADUser -Identity 'jdoe' |
    
    # Read the DACL of the user object itself. Note what this returns: the access
    # rules ON the user object (which principals can read, modify or reset it),
    # not the rights the user holds elsewhere in the directory.
    ForEach-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access } |
    
    # Keep the columns an auditor needs, then export to CSV at the specified path
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType |
    Export-Csv -Path C:\data\AdUser_Permissions_Report.csv -NoTypeInformation
    

    Note: Change the path to the location where the CSV should be written. The Access property returned by Get-Acl on the user’s distinguished name is the DACL of the user object itself: each row names a principal (IdentityReference) and the rights it has over that user, and IsInherited shows whether the ACE came down from a parent OU or was set directly on the object. It does not list the rights the user holds on other objects; those appear only in the ACLs of those objects, matched against the user’s own SID and group SIDs.

  3. Run the script by pressing F5 or clicking the Run button.
  4. Start Microsoft Excel and open the file produced by the script.
    (Screenshot: AD Permissions report opened in Excel)
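The script above reports the DACL of the user object. To answer the question the article actually poses (what rights this account holds, explicitly or through groups, across the directory) the following added example, written for this article and not taken from the Lepide page or product, resolves the user’s transitive group memberships (the same information the User’s Group Membership Report described later provides) and then scans the ACL of every object under a chosen OU for ACEs granted to the user or to any of those groups. The account name 'jdoe', the OU path and the output path are placeholders; it assumes the RSAT ActiveDirectory module is loaded and that the running account can read the objects’ security descriptors.

```powershell
# Added example: list the rights an AD user holds across an OU subtree,
# directly or through group membership. Not part of the original article.
# Assumes the RSAT ActiveDirectory module and read access to object DACLs.
Import-Module ActiveDirectory

function Get-AdUserGrantedPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Subtree to scan. Defaults to the whole domain, which can take a long
        # time in a large forest; narrow it to the OU you are auditing.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # tokenGroups is the computed, transitive list of security-group SIDs
    # (nested groups and the primary group included), i.e. what an access
    # check actually evaluates, so it is preferable to walking memberOf.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

    # Grants to Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) apply to
    # every domain user but never appear in tokenGroups, so add them here.
    $sids += 'S-1-1-0', 'S-1-5-11'

    # Resolve each SID to a readable name once, for the report.
    $sidNames = @{}
    foreach ($sid in $sids) {
        try {
            $sidNames[$sid] = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sidNames[$sid] = $sid }   # orphaned or unresolvable SID
    }

    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path "AD:\$dn"
            foreach ($ace in $acl.Access) {
                # Compare on SID rather than display name so renamed or
                # orphaned principals are still matched correctly.
                try {
                    $aceSid = $ace.IdentityReference.
                        Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }

                if ($sids -contains $aceSid) {
                    [pscustomobject]@{
                        ObjectDN    = $dn
                        ObjectClass = $_.ObjectClass
                        GrantedTo   = $sidNames[$aceSid]
                        ViaGroup    = ($aceSid -ne $user.SID.Value)
                        Rights      = $ace.ActiveDirectoryRights
                        Type        = $ace.AccessControlType
                        IsInherited = $ace.IsInherited
                        # GUID of the attribute or extended right the ACE
                        # covers; all zeros means the whole object.
                        ObjectType  = $ace.ObjectType
                    }
                }
            }
        }
}

# Placeholder account, OU and output path. Rows where ViaGroup and IsInherited
# are both false are the explicit, directly assigned ACEs the article says
# should be replaced by group membership.
Get-AdUserGrantedPermissions -SamAccountName 'jdoe' -SearchBase 'OU=Corp,DC=example,DC=com' |
    Where-Object { -not $_.ViaGroup -and -not $_.IsInherited } |
    Export-Csv -Path C:\data\AdUser_ExplicitGrants.csv -NoTypeInformation
```

Drop the Where-Object filter to get the full report, including rights that arrive through groups; keeping the GrantedTo column in that output is what lets you take a finding back to the data owner of the specific group. The function only covers directory objects; rights on file servers, SQL or other resources live in those systems’ own ACLs and need a separate scan.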

How Lepide can Help

Lepide Auditor for Active Directory overcomes the difficulty of PowerShell scripting by providing a comprehensive report, the User’s Group Membership Report, which lists all the groups a user belongs to. The Permissions by Object report can then be used to show how the permissions those groups confer were derived. Examples of these reports are shown below:

(Screenshot: User Group Permissions report, grouped by user)

In the above example, the report has been grouped by User and we can see all the groups that the user belongs to. We can see that one of the Groups that the user Adam belongs to is the Doctors group.

The User’s Group Membership Report is straightforward to run using the following steps:

  • From the States and Behavior screen, expand Active Directory Reports, User Reports and then choose the User’s Group Membership Report
  • Click Generate Report
  • Drag the User Name column heading to the grouping area to group by user

We can then use the Permissions by Object Report to see how the permissions for the Doctors group were derived:

(Screenshot: Permissions by Object Report)

The Permissions by Object Report is straightforward to run using the following steps:

  • From the Permission and Privileges screen, choose Permissions by Object
  • Select a File Server and click Generate Report
  • Expand the tree structure on the left-hand side to see the relevant object

PowerShell vs Lepide Auditor

Criteria               | PowerShell                                   | Lepide Auditor
-----------------------|----------------------------------------------|-----------------------------------------------
Complexity level       | High – requires scripting knowledge          | Low – GUI-based interface
Time required          | 15–30 minutes setup per report               | 2–5 minutes per report
Output format          | CSV (open in Excel or similar)               | Built-in viewer, exportable to multiple formats
Technical skill needed | PowerShell scripting, AD module familiarity  | Basic IT administration

Frequently Asked Questions

What permissions are included in an AD user permissions report?

An AD user permissions report typically includes group memberships, explicit permissions assigned directly to the user account, inherited permissions from parent organizational units, and access control entries (ACEs) that define what actions the user can perform on AD objects.

How often should AD user permissions be reviewed?

NIST SP 800-53 (control AC-2) requires accounts and their privileges to be reviewed at an organization-defined frequency; quarterly (every 90 days) is a widely used baseline. Organizations in highly regulated industries may require monthly reviews, while privileged accounts should be reviewed more frequently.

What’s the easiest method for non-technical administrators?

Lepide Auditor is the recommended approach for non-technical administrators. It provides a GUI-based interface with pre-built reports that require no scripting knowledge, allowing users to generate comprehensive permissions reports in just a few clicks.
