Free · Single binary · No signup

See your Active Directory the way an attacker does.

PrivLens is a free Active Directory security scanner and AD assessment tool that finds misconfigurations attackers exploit — and delivers a client-ready PDF report in seconds. Run local Active Directory checks and hardening scans with no install, no internet, and no agents.

Community Edition
  • Free Forever
  • 7 essential AD checks
  • No account or license required
Windows · runs as current user · zero dependencies
privlens.exe — Domain Controller
PS C:\> .\privlens.exe
→ Connecting to domain CORP.LOCAL ...
→ Enumerating users, groups, policies ...
✓ 1,284 users · 312 groups scanned
⚠ Domain Admin exposure — 9 accounts
⚠ 47 inactive privileged accounts
⚠ Empty password policy findings
✓ Report saved: privlens-report.pdf
PS C:\>  
What is PrivLens

An Active Directory security assessment tool you can actually use.

For IT admins, security teams, consultants, and MSPs — anyone responsible for Active Directory security, compliance, and hardening. Built for fast AD checks with clear, actionable results.

Runs in seconds

Double-click the binary. It uses your current credentials, reads the directory read-only, and writes a report. That's the whole workflow.

Never leaves the network

No internet calls, no telemetry, no data upload. Everything stays on the machine it runs on. Safe to run in the most sensitive environments.

Instantly shareable

A clean PDF report ready to hand to your team, your boss, or your clients — no explanation needed, no manual rewriting.

Focused, not bloated

A curated set of high-impact checks that rarely misfire — chosen so you never have to apologize to a client for a false positive.

Active Directory security scanning

AD checks, rules, compliance, and hardening — in one assessment tool

PrivLens is built for teams that need reliable Active Directory security scanning without enterprise complexity. Run a focused set of Active Directory checks against proven security rules, assess compliance gaps, and prioritize hardening — all from a single Windows binary that never sends AD data off-premises.

Active Directory checks

High-impact AD checks for privileged access, delegation, Kerberos exposure, stale accounts, and other common attack paths — designed to surface real risk, not noise.

Active Directory rules

A curated catalog of Active Directory security rules mapped to severity and remediation — from Community essentials to Professional and Enterprise coverage on the pricing page.

Active Directory compliance

Document identity and access posture for audits, client engagements, and internal reviews. Every finding includes context and a remediation step for faster Active Directory compliance follow-up.

Active Directory hardening

Turn scan results into a hardening backlog: fix excessive Domain Admins, close delegation gaps, rotate stale credentials, and reduce Kerberoastable exposure before attackers find them.

Sample report

The report PrivLens generates — ready to share with your client.

A self-contained PDF: a clear coverage summary, every issue grouped by severity, and a remediation step for each finding.

C:\Users\admin\privlens-report.pdf

AD Security Assessment

CORP.LOCAL · Scanned 2026-05-28 14:32 · PrivLens v1.0
Coverage
7 checks run
Issues found
17 Critical
63 Warnings
CHK-01 · Domain Admin exposure · 9 findings
CHK-02 · Password never expires · 2 findings
CHK-03 · Inactive privileged accounts · 47 findings
CHK-04 · Service accounts with admin rights · 3 findings
CHK-05 · Empty password policy findings · 3 findings
CHK-06 · Basic delegation issues · 1 finding
CHK-07 · High-level AD health · passed
Critical
9 accounts with Domain Admin exposure

Excessive privileged membership widens the attack surface. Several appear to be standard user or service accounts rather than dedicated admin identities.

FIX → Reduce to a minimal set of dedicated admin accounts. Remove service and daily-driver accounts.
Warning
47 inactive privileged accounts

Inactive but enabled privileged accounts are prime targets — nobody notices when they're abused.

FIX → Disable accounts inactive beyond your policy window; review before deletion.
Critical
3 service accounts with admin rights

Service accounts in privileged groups expand the blast radius of any credential compromise.

FIX → Remove service accounts from Domain Admins and other privileged groups; use tiered admin access instead.
Warning
Empty password policy findings (3 settings)

Minimum length is below baseline and account lockout is not enforced, weakening every account in the domain.

FIX → Raise minimum length to 14+, enable complexity, and set a sensible lockout threshold.
Warning
2 privileged accounts with password never expires

Static passwords on privileged accounts never rotate, making long-term compromise harder to detect.

FIX → Enforce password expiration on privileged accounts or migrate to managed password solutions.
Generated locally by PrivLens · No data left this machine · privlens.com

↑ The v1 PDF report. Self-contained, shareable, client-ready.

Updates & feedback

Get notified on updates

New checks, Pro features, and release news. Share feedback if you like — no spam, occasional updates only.
