How to Get an Active Directory User Permissions Report

Using PowerShell

Open the Powershell ISE → Create a new script with the following code, specifying the username and path for the export → Run the script.

Import-Module ActiveDirectory
Get-ADUser -Identity 'User Name' |
%{(Get-ACL "AD:$($_.distinguishedname)").access} |
Export-Csv -Path C:\data\AdUser_Permissions_Report.csv -NoTypeInformation


#Specify path as required a location to export as csv format.

Start Microsoft Excel and open the file produced by the script.

How Lepide can Help

Lepide Auditor for Active Directory overcomes the difficulty of PowerShell scripting by providing a comprehensive report which lists all the groups that a user has access to with the User’s Group Membership Report. The Permissions by Object report can then be used to show how those permissions were derived. Examples of these reports are shown below:

In the above example, the report has been grouped by User and we can see all the groups that the user belongs to. We can see that one of the Groups that the user Adam belongs to is the Doctors group.

The User’s Group Membership Report is straightforward to run using the following steps:

• From the States and Behavior screen, expand Active Directory Reports, User Reports and then choose the User’s Group Membership Report
• Click Generate Report
• Drag the User Name column heading to the grouping area to group by user

We can then use the Permissions by Object report to see how the permissions for the Doctors group were derived.

The Permissions by Object Report can be used to see how those group permissions were derived:

The Permissions by Object Report is straightforward to run using the following steps:

• From the Permission and Privileges screen, choose Permissions by Object
• Select a File Server and click Generate Report
• Expand the tree structure on the left-hand side to see the relevant object