Question 1

How to set up AD Control Paths for offline analysis without a live domain?

Accepted Answer

You can use a copied ntds.dit file with dsamain to expose LDAP and a robocopy of SYSVOL, then run the dump step with the -sysvolPath and -useBackupPriv options as detailed in the USAGE CONTEXT section.

Question 2

AD Control Paths vs BloodHound: which is better for Active Directory auditing?

Accepted Answer

AD Control Paths excels at handling very large ADs and includes unique Exchange auditing, while BloodHound is more user-friendly with a graphical interface and strong community support. Choose based on scale and specific feature needs like Exchange permissions.

Question 3

Can AD Control Paths audit Exchange Online or Office 365 environments?

Accepted Answer

No, it's designed for on-premises Exchange servers; the README specifies using EWS on a CAS Exchange server and requires an Exchange Trusted Subsystem member account, indicating no cloud support.

Question 4

What credentials are needed to dump Exchange permissions with AD Control Paths?

Accepted Answer

You need an Exchange Trusted Subsystem member account with an active mailbox, but not a Domain Admin or Exchange Admin, due to Deny ACEs, as noted in the DUMP DATA section under the -exchangeCredential option.

Question 5

How to visualize the graphs generated by AD Control Paths?

Accepted Answer

Use the OVALI frontend by opening Visualize/index.html in a browser and loading the JSON files produced from queries; the README suggests disabling physics or clustering nodes for better visibility.

Question 6

Does AD Control Paths support automatic updates for new control paths or AD changes?

Accepted Answer

No, it requires re-running the dump and import steps for updates; the CHANGES section mentions adding new control paths like Kerberos delegation, so periodic re-analysis is recommended to capture changes.

Active Directory Control Paths

What is Active Directory Control Paths?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions