Vyapin Blogs

The primary objective of having individual user accounts and computers clubbed as ‘Groups’ in Active Directory registry is to simplify the administration overhead involved in managing numerous Active Directory objects. With Groups, it is easy for the IT administrators to define policies for similar objects and manage them under a common schema. However, monitoring the increased number of groups and their members could be really challenging for the administrators. Taking stock of groups and its corresponding members along with their rights and permissions within the domain could be manually tiresome. Prevalent security vulnerabilities and increased compliance requirements warrant constant ’sanity’ checks and a reliable third party reporting solution would be the need of the hour to draw insights on the Active Directory groups.

Admin Report Kit for Active Directory (ARKAD) with its out-of-the-box Groups’ reports allows administrators to monitor the Active Directory groups effectively and ensure strict adherence to compliance requisites.

‘Built-In’ Groups report: The following Built-In reports allow users to readily generate information on frequently accessed information about Active Directory Groups:

• Recently Created/Modified/Deleted groups:
  

Recently created/modified/deleted groups’ reports provide information on the groups created, modified and deleted within the specified time corresponding to the domain.

• Groups that have no members:
  

Groups that have no members report gives information on the groups within a domain that are empty with no members.

• Groups that have more than N members:
  

Groups that have more than N members report lists groups within a domain with more than the specified number of members in them.

• Groups that have less than N members:
  

This report lists the groups with less than the specified number of members in them within a domain.

• Groups that are not a member of any other group:
  

This report displays the list of groups that are not members of other groups within the domain.

• Groups that are member of more than N groups:
  

This report gives information on groups that share membership with more than the specified number of groups within a domain.

• Universal Groups:
  

This reports the list of Universal Groups corresponding to the domain.

• Global Groups:
  

This reports the list of Global Groups within a domain.

• Domain Local Groups:
  

This report lists the Domain Local Groups corresponding to the domain.

• Distribution Groups:
  

Distribution Groups report lists the Distribution Groups i.e. groups used for non-security purposes as in mailing list within a domain.

• Security Groups:
  

Security Groups report lists the Security Groups i.e. groups which have domain specific users as its members within a domain.

• List of groups in an OU:
  

This report lists the groups within a specified Organization Unit corresponding to a domain.

• Groups with only User accounts:
  

This report lists the groups with only individual user accounts as their members within a domain.

• Groups with only Computer accounts:
  

This report lists the groups with only Computer accounts as their members within a domain.

Quick reports: Quick reports are a bunch of pre defined reports that allow administrators to retrieve frequently accessed information corresponding to each AD objects. The following are some of the significant Quick reports on Group accounts:

• Groups that are member of another group:
  

This report lists the groups which share membership with other groups.

• Members of Administrators group:
  

This report lists the members of the Administrators group corresponding to a domain.

• Member of Domain Admins group:
  

This report lists the members of Domain Admins group corresponding to the domain.

• Members of Enterprise Admins group:
  

This report lists the members of Enterprise Admins group corresponding to the domain.

• List of Managed Groups:
  

List of Managed Groups report lists the details of groups having managers.

• List of Unmanaged Groups:
  

List of Unmanaged Groups report gives information on the groups without managers.

• Groups that are not a member of any other Group:
  

Groups that are not a member of any other Group reports details of groups that does not share a membership with any other group within the domain.

• Nested Groups that form a loop:
  

This report displays information about Nested groups corresponding to a domain that end up forming a loop.

• Nested Groups:
  

Nested Groups report lists information about Nested Groups within a domain.

Insight Reports->Groups: The Insight report is a powerful feature to report summarized and detailed information about the AD objects. These reports are based on numbers i.e. frequency of occurrence corresponding to objects’ attributes. Insight reports also can be customized by specifying values against certain parameters for each report to generate a custom view of the report. The reports enable administrators to gain meaningful insights on Active Directory infrastructure.

Consider a situation where the administrators wishes to take stock of the entire domain and list groups which have less than the specified number of members. Enumerating the groups and monitoring their membership details manually would prove a daunting task for the administrators. Let’s see how ARKAD reports the details of groups with lesser members.

Screenshot of Built-in reports-Report Selection:

The above screenshot shows the report, “Groups that have less than N members” being selected from the list of Built-in reports.(Built-In reports–>Built-In Object reports–>Groups–>Groups that have less than N members).

Screenshot of specifying report parameters:

The value corresponding to the report parameters is specified. Group with less than five members would be reported.

Screenshot of Field selection:

The above screenshot shows the list of Available Fields and the Selected Fields corresponding to the report. The fields that are to be reported can be customized to generate meaningful information across the desired fields. The arrangement of the fields within the report can also be customized to make it easy for the administrators to access critical information.

Screenshot of Domain Controller Selection:

The above screenshot allows the user to specify the ‘Domain Controller Name’ corresponding to which the details of groups are to be listed.

Screenshot of Groups that have less than N members:

The above screenshot shows the list of groups within the domain having less than 5 members. The report can also be customized through the Quick Filter and Advanced Filter options wherein logical conditions can be applied to the reported information to give a custom view.

Admin Report Kit for Active Directory (ARKAD) with its cutting edge Group reports allows administrators to monitor and manage Groups better in an Active Directory topology and makes management reporting easy.

For a 15 day free trial, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm .

Managing an increasingly scalable Active Directory registry and monitoring the numerous user accounts and their attributes is almost a nightmare to the IT administrators. With Active Directory being the central repository of information without any native tools for advanced reporting , it is almost impossible for administrators to retrieve information about individual user accounts within a domain. Frequent monitoring of the network infrastructure is also a must, given the organizations’ chances of loosing track of obsolete user accounts thereby leading to security and policy violations. Not to forget the increasing compliance requirements that an organization faces in today’s context.

Admin Report Kit for Active Directory (ARKAD) was engineered to address these hardships of the IT administrators. With its incisive ‘Users ‘reports, ARKAD makes it easy for the administrators to take stock of the entire Windows network and monitor the associated users efficiently and meet the necessary compliance requirements.

‘Built-In’ Users reports:

ARKAD contains the following ‘Built-In’ reports which enable the administrators to readily generate frequently accessed information about individual user accounts,

Recently created/modified/deleted users:

Recently created/modified/deleted users reports provide information on the user accounts created, modified and deleted over a specific period of time.

Users required to change password at next logon:

This report enumerates the list of user accounts corresponding to the domain that are to change their passwords at next logon.

Users who cannot change their password:

Users who cannot change their password report displays the list of user accounts who do not have the privilege to change their account password.

Users whose password never expires:

Users whose password never expires report gives information on the user accounts whose password does not expire.

User accounts whose password expires in the time period:

This report displays the user accounts corresponding to a domain whose password expires within the given period of time.

Active user accounts:

Active User accounts reports user accounts corresponding to a domain that remain active.

List of Users in an OU:

List of Users in an OU report enumerates the list of individual user accounts in an Organizational Unit. Specific containers within a domain can be chosen and the sub containers within them can also be included to report the individual user accounts within.

Disabled User accounts:

Disabled User accounts reports list the user accounts within the domain that are disabled.

Locked out user accounts:

Locked out user accounts lists the individual user accounts within a domain that remain locked out.

User accounts that expire in the time period:

User accounts that expire in the time period report gives the details of individual user accounts that expire within the specific period of time.

Users whose password is stored using reversible encryption:

Users whose password is stored using reverse encryption report displays the list of user accounts whose passwords are stored by decrypting the encrypted version.

User accounts that are required to use smart card for interactive logon:

This report lists user accounts corresponding to a domain who require a smart card as part of their interactive logon.

User accounts that are trusted for delegation:

User accounts that are trusted for delegation report enumerates the list of user accounts having delegated rights i.e. user accounts that are trusted for delegation.

User accounts that are sensitive and cannot be delegated:

User accounts that are sensitive and cannot be delegated report lists the sensitive user accounts that cannot be delegated.

User accounts that use DES encryption types for keys:

User accounts that use DES encryption types of keys report lists the individual user accounts that use Data Encryption Standard encryption type keys.

User accounts that do not require Kerberos pre-authentication for logging on:

This report lists individual user accounts that do not mandate Kerberos protocol based pre-authentication for log on.

Users who are member of more than N groups:

This report lists the user accounts that are members of more than the specified number of groups.

Users who have not logged on recently:

Users who have not logged on recently report lists user accounts who have not logged on within the specified time period.

Users who have logged on recently:

Users who have logged on recently report lists user accounts who have logged on recently within the specified time period.

Users without Logon script:

Users without Logon script report enumerates user accounts without logon script corresponding to a domain.

Users Dial-in permissions:

Users Dial-in permissions report lists the Dial-in permissions corresponding to the user accounts within a domain.

Domain Admins only:

Domain Admins only report displays the list of user accounts who are members of Domain Admins group.

Users and their last logon failure details:

This report enumerates the failed last logon details of individual user accounts corresponding to a domain.

Users Logon Workstations:

Users Logon Workstations report lists of users and details of their logon to workstations.

Users and their dates of last password change:

Users and their dates of last password change report displays user accounts’ recent password change details.

Quick Reports: Quick reports, a powerful feature in ARKAD allows users to extract specific information from Active Directory domain. In other words, they are pre-defined set of reports corresponding to each AD object which allow users to generate reports on frequently accessed information with no loss of time. The following are some of the Quick reports on user accounts within a domain to enable faster reporting,

Users who are in Memberof Administrators Group:

Users who are in Memberof Administrators Group report lists users who are members of Administrators group within the specified domain.

Users who are in Memberof Enterprise Admins:

This report lists the individual user accounts who are members in Enterprise Admins group corresponding to the domain.

List of users having managers:

List of Users having managers report displays details of individual user accounts having managers.

Users without managers:

Users without managers report displays details of individual user accounts which do not have a manager.

List of manager based users:

List of manager based users report displays details of users which are managers by themselves.

Dial-in Allowed Users:

Dial-in Allowed Users report displays the list of users with Dial-in allowed permissions.

Dial-in Denied Users:

Dial-in Denied Users report displays the list of users with Dial-in Denied permissions.

Users with logon script:

Users with logon script report displays the list of user accounts with logon script.

Consider a scenario where the IT administrator intends to list the users who need to change their passwords during their next logon. Looking into each user account manually and retrieving the information is beyond question.

Let’s see how ARKAD generates this report for IT administrators.

Screenshot of Built-in Reports-Report Selection:

The above screenshot shows “Users required to change password at next logon” report selected from the list of Built-in reports. (Built-In reportsàUsers required to change password at next logon).

Screenshot of Built-in Reports-Field Selection:

The above screenshot shows the list of Available Fields and the Selected Fields corresponding to the report. The fields that are to be reported can be selected to generate meaningful information across the desired fields. The arrangement of the fields within the report can also be customized such is the degree of control over the reporting process vested on its users by ARKAD.

Screenshot of Built-in Reports-Domain Controller Selection:

The corresponding Domain name and the Domain controller which has to be looked into for the user account information are selected.

Screenshot of Users required to change password at next logon report:

The above screenshot shows the list of individual user accounts who need to change their passwords at next logon.

Admin Report Kit for Active Directory (ARKAD) with such out-of-the-box user reports makes Active Directory monitoring and reporting easy and is certainly a value add to the IT infrastructure.

For a 15 day free trial, visit our ARKAD product page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm.