PingCastle v3.2.0.12 – Exporting Full Permission Paths for High-Privileged Groups

What is a one sentence summary of your feature request?

Exporting Full Permission Paths for High-Privileged Groups

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The customer has requested the ability to export full permission paths for all high-privileged groups into Excel. This would allow them to perform comprehensive analysis across dozens of domains and identify patterns or anomalies in how permissions are granted, ensuring alignment with their intended design.

How do you currently solve the challenges you have by not having this feature?

As per our Product Team, you can use the Analysis button:
https://www.pingcastle.com/PingCastleFiles/ad_hc_test.mysmartlogon.com.html

  • Navigate to Control Path Analysis → Admin Groups → Details link (shows EVERYONE in it).
  • To see the full path, click on Certificate Publishers or the Analysis link and review the details.
  • You can also hover over each part of the chart for additional information.

What’s not feasible about the workaround:
While this method works, it can be challenging in larger environments because the chart doesn’t provide a straightforward way to analyze permissions across many domains and groups. Exporting directly to Excel is currently not feasible.
Any insights or workarounds would be much appreciated.


Just a quick export of the XML using “ImportExcel” module (by DFinke) to create an Excel XLSX File.
Example:

Code example that searches the current folder for an “ad_hc*.xml” file and gets some ControlPath details for creating an Excel file:

# Load the first PingCastle healthcheck XML report found in the current folder
$XMLData = [xml] (Get-Content (Get-ChildItem ad_hc_*.xml)[0] -Raw)
# Emit one row per node of every control path and send all rows to Excel
$(foreach ($ControlPath in $XMLData.HealthcheckData.ControlPaths.data.data) {
    $ControlPath.Nodes.Node | Select-Object Id,
    Name,
    Type,
    ShortName,
    Distance,
    @{
        # Summary of the control path itself, filled in only on the row for node 0
        Name="TargetDetails";
        Expression={
            if ($_.Id -eq 0) {
                $ControlPath | Select-Object Name,
                Description,
                Typology,
                ObjectRisk,
                NumberOfDirectUserMembers,
                NumberOfDirectComputerMembers,
                NumberOfIndirectMembers,
                NumberOfDeletedObjects,
                DirectUserMembers,
                DirectComputerMembers,
                IndirectMembers,
                Dependancies,
                DeletedObjects | ConvertTo-Json
            }
        }
    },
    @{
        # Id(s) of the node(s) this node links to
        Name="LinkedToID";
        Expression={
            $Id = $_.Id;
            $ControlPath.Links.Link | Where-Object {$_.Source -eq $Id} | Select-Object -ExpandProperty Target
        }
    },
    @{
        # Name(s) of the node(s) this node links to
        Name="LinkedToName";
        Expression={
            $Id = $_.Id;
            $LinkTargetID = $ControlPath.Links.Link | Where-Object {$_.Source -eq $Id} | Select-Object -ExpandProperty Target
            $ControlPath.Nodes.Node | Where-Object {$LinkTargetID -eq $_.Id} | Select-Object -ExpandProperty Name
        }
    },
    @{
        # Hints stored on the link(s) that start at this node
        Name="LinkedToHints";
        Expression={
            $Id = $_.Id;
            $ControlPath.Links.Link | Where-Object {$_.Source -eq $Id} | Select-Object -ExpandProperty Hints
        }
    }
}) | Export-Excel -Now

That could be a good point to start, depending on the needs. I think this data is difficult to display one per line in Excel if you need more details. In my opinion the “analyze” button in the HTML Report, or something dynamic like that, is way better to understand.

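For the one-row-per-path view the request asks for, the links can be followed from each node until node 0 is reached. This is an added example, not part of the original posts and not PingCastle code. It assumes that links run from Source toward the group at node 0, as the script above implies, and the sample XML, the Get-PathString helper and the output file name are constructed for illustration.

```powershell
# Constructed sample using only the element names the script above reads;
# the layout and all values are assumptions, not PingCastle's documented schema.
[xml]$XMLData = @'
<HealthcheckData><ControlPaths><data><data>
 <Nodes>
  <Node Id="0" ShortName="Domain Admins" Type="group" Distance="0"/>
  <Node Id="1" ShortName="Helpdesk-Admins" Type="group" Distance="1"/>
  <Node Id="2" ShortName="svc-backup" Type="user" Distance="2"/>
  <Node Id="3" ShortName="alice" Type="user" Distance="2"/>
 </Nodes>
 <Links>
  <Link Source="1" Target="0" Hints="group_member"/>
  <Link Source="2" Target="1" Hints="group_member"/>
  <Link Source="3" Target="1" Hints="GEN_RIGHT_ALL"/>
 </Links>
</data></data></ControlPaths></HealthcheckData>
'@

# Hypothetical helper: returns every path from node $Id to node 0 as one string.
function Get-PathString {
    param([string]$Id, [hashtable]$Name, [hashtable]$Out, [string[]]$Seen = @())
    if ($Id -eq '0') { return $Name[$Id] }      # reached the privileged group
    if ($Seen -contains $Id) { return }         # cycle guard
    foreach ($Link in $Out[$Id]) {
        foreach ($Rest in Get-PathString $Link.Target $Name $Out ($Seen + $Id)) {
            '{0} -[{1}]-> {2}' -f $Name[$Id], $Link.Hints, $Rest
        }
    }
}

$Rows = foreach ($ControlPath in $XMLData.HealthcheckData.ControlPaths.data.data) {
    # Index node names by Id and outgoing links by Source for this control path
    $Name = @{}; $Out = @{}
    foreach ($N in $ControlPath.Nodes.Node) { $Name[[string]$N.Id] = $N.ShortName }
    foreach ($L in $ControlPath.Links.Link) {
        $Out[[string]$L.Source] += @([pscustomobject]@{ Target = $L.Target; Hints = $L.Hints })
    }
    foreach ($N in $ControlPath.Nodes.Node) {
        if ($N.Id -eq '0') { continue }         # node 0 is the target itself
        foreach ($P in Get-PathString $N.Id $Name $Out) {
            [pscustomobject]@{ Target = $Name['0']; Start = $N.ShortName
                               Type = $N.Type; Distance = $N.Distance; Path = $P }
        }
    }
}
$Rows | Export-Csv -Path .\control_paths.csv -NoTypeInformation   # opens in Excel
```

Each row holds one complete chain, for example `alice -[GEN_RIGHT_ALL]-> Helpdesk-Admins -[group_member]-> Domain Admins`, so reports from many domains can be appended to one sheet and filtered on the Path or Target column.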