AD Permissions Reporter - Online Manual

Online Manual

Creating Profiles

Profiles in AD Permissions Reporter allow you to configure and save specific scan settings for repeated use. Creating the right profile is crucial for efficient and accurate permission reporting.

Adding a New Profile

To create a new profile:

  1. From the Home screen, click the "Add Profile" button
  2. The Profile creation screen will open with two tabs: General and Options

Profile Creation Screen

General Settings

In the General tab, configure these basic settings:

Profile Information

Enter a descriptive name for your profile. Choose something that helps you identify the profile's purpose or scope.

Domain Settings

Configure the Active Directory domain to scan:

  • Domain - Select from the dropdown of available domains or choose "Custom..." for a specific domain controller
  • Custom Server - If using a custom connection, enter the server name or IP address
  • Port - Specify a custom port if not using the default (389)

Authentication

Determine how to authenticate to the domain:

  • Use current credentials - Use your currently logged-in account (default)
  • Use custom credentials - Enable to provide specific username and password

Custom credentials are useful when your current account doesn't have sufficient permissions or when scanning remote domains.

Scan Configuration

Define what to scan and how deep:

  • Scan Target - Choose what type of objects to include:
    • Organizational Units
    • Containers
    • Group Policy Objects
    • All Objects
    • Custom Filter (with LDAP filter syntax)
  • Audit Scope - Choose between:
    • Scan Entire Domain - Audit the entire domain
    • Custom Scope - Specify particular containers or OUs to audit
  • Entry Points - When using Custom Scope, add specific containers to scan
  • Scan Depth - How deep to scan from the starting point:
    • Base - Only scan selected objects
    • OneLevel - Scan selected objects and direct children
    • Subtree - Scan selected objects and all descendants

Options Tab

The Options tab contains additional settings for the scan:

Permission Display Options

  • Group similar permissions - Consolidate related ACEs for the same principal (like in Active Directory Users and Computers)

Principal Details Options

  • Get display names from Active Directory - Retrieve and show the displayName attribute instead of using sAMAccountName
  • Show disabled status for user and computer accounts - Display different icons for disabled accounts in reports

Group Membership Options

  • Show direct members - Include members directly listed in group's member attribute
  • Expand nested groups - Resolve recursive group memberships (may increase scan time)
  • Include primary group memberships - Include objects where primaryGroupID references the group

Saving Your Profile

After configuring all settings:

  1. Click the "Save" button at the bottom of the screen
  2. If any validation errors occur, they will be displayed at the bottom of the screen
  3. Once saved, your profile will appear in the profile list on the Home screen

Managing Existing Profiles

From the Home screen, you can manage your existing profiles:

  • Click "Edit" on any profile to modify its settings
  • Select a profile and click "Generate Report" to start a scan using that profile

Best Practices

  • Create separate profiles for different organizational units or purposes
  • For large domains, use Custom Scope to focus on specific areas
  • Start with smaller scopes and gradually expand to manage scan time and result complexity
  • Use descriptive names that clearly identify the purpose of each profile
  • Consider using custom credentials with minimal necessary permissions for security

Once your profile is set up, proceed to Generating Reports to start analyzing your Active Directory permissions.

Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA