Fix Intern God-Mode
in AD/Entra.

Remediation & rollback toolkit for over-provisioned permissions. Find who has access they shouldn't. Fix it. Roll back if something breaks.

Built by a practitioner who was tired of seeing it.

the problem
PS> Get-ADGroupMember "Domain Admins"
SamAccountName : jsmith_intern
ObjectClass : user
DistinguishedName : CN=Jordan Smith,OU=Interns,DC=corp...
 
// hired 3 weeks ago. has Domain Admin.
// nobody knows who did this or why.
PingCastle says you have 47 critical findings.

Now what? It doesn't fix them. Neither does Purple Knight. They scan. They report. You still have to do the work.

Semperis DSP will fix it for $100k+/year.

Enterprise ITDR platforms are great if you have a six-figure security budget. Most teams don't.

what you get
Scan discovery
  • Enumerate all over-provisioned accounts in AD and Entra ID
  • Flag accounts with privileges that don't match their OU or role
  • Export findings as structured JSON for your records
Remediate fix
  • Strip excessive group memberships and delegated permissions
  • Right-size accounts to least-privilege based on OU context
  • Batch operations with dry-run mode
Rollback undo
  • Snapshot permissions before any change
  • One-command rollback to previous state
  • Granular: rollback a single account or the entire batch
how it works
01

Run the scan

Point it at your AD forest or Entra tenant. It finds every account with more access than it should have.

02

Review the findings

JSON output with every over-provisioned account, what they have, and what they should have. Dry-run before you touch anything.

03

Remediate

Fix permissions in bulk or one at a time. Every change is snapshoted before execution.

04

Rollback if needed

Something break? Roll back one account or the whole batch. Permissions restored to pre-remediation state.

vs everything else
Tool Scan Fix Rollback Price
PingCastle yes no no free
Purple Knight yes no no free
Semperis DSP yes yes yes $100k+/yr
Algono yes yes yes $400
pricing
$400
One-time purchase. No subscription. No per-seat licensing.

The intern shouldn't have Domain Admin.
Now there's a $400 way to fix that.