Archive for the ‘Active Directory’ Category

Vyapin’s Audit solution for Active Directory

Friday, May 6th, 2011

Vyapin’s Audit solution for Active Directory helps you to take complete control over your auditing and reporting needs for your entire Active Directory. Vyapin’s solution lets you audit not only your entire AD configuration but also audit all the changes that occur over a period of time in your AD.

Vyapin provides two product solutions for your AD audit – Admin Report Kit for Active Directory (ARKAD) and Active Directory Change Tracker (ADChangeTracker). 

The ARKAD product generates a variety of reports that help you understand how your AD has been configured, document everything that resides in your AD, and review and analyze all the security controls that have been implemented. The ADChangeTracker product helps you document and analyze all critical changes made to your AD by reporting exactly what changed, along with the new and old values, when the change was made, and where the change happened in your Active Directory. The tool also determines who made the change by looking up the Security Event logs of your audit-enabled Active Directory.

The two solutions work together to provide you one single comprehensive solution to address all the reporting needs of AD Administration, Change Management and Compliance. Having both the products in your tool chest will eliminate the need for creating your own custom scripts and using small freeware scripts and tools that have very limited purpose. 

The ARKAD solution helps you to

  • Perform a complete AD Security Audit - Who has access to what in your Active Directory
  • Audit and Track AD Users and Groups information – how users and groups have been provisioned and organized, including complex nested groups and multi-group memberships.
  • Identify and report on all control related aspects of User account management – Password Expiry, Password setting, Last logon etc. 
  • Take complete control of OU management – report on OUs, Delegation of administration, Group policies etc.

The ADChangeTracker solution helps you to

  • Track and audit all changes made to Active Directory, across your enterprise. Track changes to critical OUs and containers. Track GPOs for changes.
  • Track changes with or without using Active Directory’s native auditing capabilities.
  • Track all critical changes by consolidating Active Directory audit events from all your domain controllers’ security event logs.
  • Store several years of Change data in a SQL database for security, compliance and regulation purposes.
  • Search your entire Change History using powerful Search criteria – search for additions, deletions and modifications on specific users, groups, OUs, object property values etc.

Active Directory Change Tracker version 1.0 released!!

Saturday, April 16th, 2011

Vyapin announces the release of its new product Active Directory Change Tracker version 1.0, a powerful tool to track, analyze, and report all changes made to your AD configuration.

Active Directory Change Tracker audits all changes made to your Active Directory by periodically collecting only the changed data, reporting exactly what changed, along with the new and old values, when the change was made, and where the change happened in your Active Directory. Active Directory Change Tracker also determines who made the change by looking up the Security Event logs of your audit-enabled Active Directory.

For further information about Vyapin’s Active Directory Change Tracker version 1.0, you can view the product information and download a 15-day trial copy from the product home page.

How to view the list of Nested Groups that are forming a loop in an AD Domain?

Friday, November 19th, 2010

Active Directory Users and Computers (ADUC) supports the concept of nesting groups, or adding groups to other groups. Nesting groups can help to reduce the number of permissions that have to be given to key individuals, or to vital groups.

Effectively nesting groups in a multi domain environment reduces the network traffic between the domains and simplifies the network administration in a domain tree.

Maintaining a large number of nested groups is a real pain, because some of the nested groups may end up looped without anyone noticing. For example, suppose there are four groups in an Active Directory Domain: Developers, Quality Checkers, Technical Advisors and Technical Leaders.

| Group Name | Group Members |
|---|---|
| Developers | Henry V. Jackson & Quality Checkers |
| Quality Checkers | Henry V. Jackson & Technical Advisors, Technical Leaders |
| Technical Advisors | Henry V. Jackson |
| Technical Leaders | Some Users & Developers |

 

In the above scenario, Developers, Quality Checkers and Technical Leaders form a loop: Developers contains Quality Checkers, Quality Checkers contains Technical Leaders, and Technical Leaders contains Developers. In a large environment, it is very difficult to find the groups that form a loop in a domain by browsing ADUC (Active Directory Users and Computers).
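The loop in the table above can be found mechanically by treating group membership as a directed graph and looking for strongly connected components. The following is an added example, not code from ARKAD or from the original post; the membership data is constructed from the table, and the function names are hypothetical.

```python
from typing import Dict, FrozenSet, List

# Constructed sample data mirroring the table above: group -> direct members.
# Any member that is not itself a key is treated as a user (a leaf).
MEMBERS: Dict[str, List[str]] = {
    "Developers": ["Henry V. Jackson", "Quality Checkers"],
    "Quality Checkers": ["Henry V. Jackson", "Technical Advisors",
                         "Technical Leaders"],
    "Technical Advisors": ["Henry V. Jackson"],
    "Technical Leaders": ["Some Users", "Developers"],
}


def group_edges(members: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only group-to-group membership edges; users are dropped."""
    return {g: [m for m in ms if m in members] for g, ms in members.items()}


def looped_groups(members: Dict[str, List[str]]) -> List[FrozenSet[str]]:
    """Return each set of groups nested in a loop.

    Iterative Tarjan SCC, so deep nesting cannot hit the recursion limit.
    A component is reported if it has more than one group, or if a single
    group is a direct member of itself.
    """
    graph = group_edges(members)
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack = set()
    loops: List[FrozenSet[str]] = []
    counter = 0

    for root in graph:
        if root in index:
            continue
        index[root] = low[root] = counter
        counter += 1
        stack.append(root)
        on_stack.add(root)
        work = [(root, iter(graph[root]))]
        while work:
            node, children = work[-1]
            descended = False
            for child in children:
                if child not in index:
                    index[child] = low[child] = counter
                    counter += 1
                    stack.append(child)
                    on_stack.add(child)
                    work.append((child, iter(graph[child])))
                    descended = True
                    break
                if child in on_stack:
                    low[node] = min(low[node], index[child])
            if descended:
                continue
            work.pop()
            if work:
                parent = work[-1][0]
                low[parent] = min(low[parent], low[node])
            if low[node] == index[node]:
                component = []
                while True:
                    member = stack.pop()
                    on_stack.discard(member)
                    component.append(member)
                    if member == node:
                        break
                if len(component) > 1 or node in graph[node]:
                    loops.append(frozenset(component))
    return loops


def loop_path(members: Dict[str, List[str]],
              component: FrozenSet[str]) -> List[str]:
    """Walk membership edges inside one looped component and return a
    readable cycle such as A -> B -> C -> A for the audit report."""
    graph = group_edges(members)
    node = sorted(component)[0]
    path = [node]
    while True:
        node = next(m for m in graph[node] if m in component)
        if node in path:
            return path[path.index(node):] + [node]
        path.append(node)


if __name__ == "__main__":
    for comp in looped_groups(MEMBERS):
        print(" -> ".join(loop_path(MEMBERS, comp)))
```

Technical Advisors is nested but not reported, because no membership path leads from it back to any of the other three groups.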

Our latest version of Admin Report Kit for Active Directory (ARKAD) has the necessary features to view the nested groups, and the groups that are forming a loop, in a domain. The following figure displays the groups that are forming a loop in ‘SPACENET’ domain.

For further information about ARKAD, you can view the product information and download a 15-day trial copy from the product home page.

Admin Report Kit for Active Directory (ARKAD) version 7.0 released!!

Thursday, November 18th, 2010

Our much anticipated major release of ARK for Active Directory (ARKAD) version 7.0 is finally here with the following new features included,

  • ARKAD is now available in two editions: Standard and Advanced. Click here to know the differences.
  • Custom LDAP Queries: Allows the user to create their own Quick Reports to search only the specified domain partition, and searches can be narrowed down to a single container/OU object. Users can also specify their own LDAP queries.
  • Ability to manage list of Active directory Domains in a single place to generate reports for various domains.
  • Ability to connect to other forest domains with alternate credentials and also save the credentials for later use across application sessions.

For further information on ARK for Active Directory (ARKAD), visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

Active Directory Groups’ reporting with ARKAD!!

Friday, July 16th, 2010

The primary objective of having individual user accounts and computers clubbed as ‘Groups’ in Active Directory registry is to simplify the administration overhead involved in managing numerous Active Directory objects. With Groups, it is easy for the IT administrators to define policies for similar objects and manage them under a common schema. However, monitoring the increased number of groups and their members could be really challenging for the administrators. Taking stock of groups and their corresponding members, along with their rights and permissions within the domain, could be tiresome to do manually. Prevalent security vulnerabilities and increased compliance requirements warrant constant ‘sanity’ checks, and a reliable third party reporting solution would be the need of the hour to draw insights on the Active Directory groups.

Admin Report Kit for Active Directory (ARKAD) with its out-of-the-box Groups’ reports allows administrators to monitor the Active Directory groups effectively and ensure strict adherence to compliance requisites.

‘Built-In’ Groups report: The following Built-In reports allow users to readily generate information on frequently accessed information about Active Directory Groups:

  • Recently Created/Modified/Deleted groups:

Recently created/modified/deleted groups’ reports provide information on the groups created, modified and deleted within the specified time corresponding to the domain.

  • Groups that have no members:

Groups that have no members report gives information on the groups within a domain that are empty with no members.

  • Groups that have more than N members:

Groups that have more than N members report lists groups within a domain with more than the specified number of members in them.

  • Groups that have less than N members:

This report lists the groups with less than the specified number of members in them within a domain.

  • Groups that are not a member of any other group:

This report displays the list of groups that are not members of other groups within the domain.

  • Groups that are member of more than N groups:

This report gives information on groups that share membership with more than the specified number of groups within a domain.

  • Universal Groups:

This reports the list of Universal Groups corresponding to the domain.

  • Global Groups:

This reports the list of Global Groups within a domain.

  • Domain Local Groups:

This report lists the Domain Local Groups corresponding to the domain.

  • Distribution Groups:

Distribution Groups report lists the Distribution Groups i.e. groups used for non-security purposes as in mailing list within a domain.

  • Security Groups:

Security Groups report lists the Security Groups i.e. groups which have domain specific users as its members within a domain.

  • List of groups in an OU:

This report lists the groups within a specified Organization Unit corresponding to a domain.

  • Groups with only User accounts:

This report lists the groups with only individual user accounts as their members within a domain.

  • Groups with only Computer accounts:

This report lists the groups with only Computer accounts as their members within a domain.

Quick reports: Quick reports are a set of predefined reports that allow administrators to retrieve frequently accessed information corresponding to each AD object. The following are some of the significant Quick reports on Group accounts:

  • Groups that are member of another group:

This report lists the groups which share membership with other groups.

  • Members of Administrators group:

This report lists the members of the Administrators group corresponding to a domain.

  • Member of Domain Admins group:

This report lists the members of Domain Admins group corresponding to the domain.

  • Members of Enterprise Admins group:

This report lists the members of Enterprise Admins group corresponding to the domain.

  • List of Managed Groups:

List of Managed Groups report lists the details of groups having managers.

  • List of Unmanaged Groups:

List of Unmanaged Groups report gives information on the groups without managers.

  • Groups that are not a member of any other Group:

Groups that are not a member of any other Group reports details of groups that do not share a membership with any other group within the domain.

  • Nested Groups that form a loop:

This report displays information about Nested groups corresponding to a domain that end up forming a loop.

  • Nested Groups:

Nested Groups report lists information about Nested Groups within a domain.

Insight Reports->Groups: The Insight report is a powerful feature to report summarized and detailed information about the AD objects. These reports are based on numbers i.e. frequency of occurrence corresponding to objects’ attributes. Insight reports also can be customized by specifying values against certain parameters for each report to generate a custom view of the report. The reports enable administrators to gain meaningful insights on Active Directory infrastructure.

Consider a situation where the administrator wishes to take stock of the entire domain and list groups which have less than the specified number of members. Enumerating the groups and monitoring their membership details manually would prove a daunting task for the administrator. Let’s see how ARKAD reports the details of groups with fewer members.

Screenshot of Built-in reports-Report Selection:

The above screenshot shows the report, “Groups that have less than N members” being selected from the list of Built-in reports.(Built-In reports–>Built-In Object reports–>Groups–>Groups that have less than N members).

Screenshot of specifying report parameters:

The value corresponding to the report parameters is specified. Group with less than five members would be reported.

Screenshot of Field selection:

The above screenshot shows the list of Available Fields and the Selected Fields corresponding to the report. The fields that are to be reported can be customized to generate meaningful information across the desired fields. The arrangement of the fields within the report can also be customized to make it easy for the administrators to access critical information.

Screenshot of Domain Controller Selection:

The above screenshot allows the user to specify the ‘Domain Controller Name’ corresponding to which the details of groups are to be listed.

Screenshot of Groups that have less than N members:

The above screenshot shows the list of groups within the domain having less than 5 members. The report can also be customized through the Quick Filter and Advanced Filter options wherein logical conditions can be applied to the reported information to give a custom view.

Admin Report Kit for Active Directory (ARKAD) with its cutting edge Group reports allows administrators to monitor and manage Groups better in an Active Directory topology and makes management reporting easy.

For a 15 day free trial, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm .

Active Directory Users’ reporting using ARKAD!!

Friday, July 9th, 2010


Managing an increasingly scalable Active Directory registry and monitoring the numerous user accounts and their attributes is almost a nightmare to the IT administrators. With Active Directory being the central repository of information without any native tools for advanced reporting, it is almost impossible for administrators to retrieve information about individual user accounts within a domain. Frequent monitoring of the network infrastructure is also a must, given the organizations’ chances of losing track of obsolete user accounts thereby leading to security and policy violations. Not to forget the increasing compliance requirements that an organization faces in today’s context.

Admin Report Kit for Active Directory (ARKAD) was engineered to address these hardships of the IT administrators. With its incisive ‘Users’ reports, ARKAD makes it easy for the administrators to take stock of the entire Windows network and monitor the associated users efficiently and meet the necessary compliance requirements.

‘Built-In’ Users reports:

ARKAD contains the following ‘Built-In’ reports which enable the administrators to readily generate frequently accessed information about individual user accounts,

  • Recently created/modified/deleted users:
  • Recently created/modified/deleted users reports provide information on the user accounts created, modified and deleted over a specific period of time.

  • Users required to change password at next logon:
  • This report enumerates the list of user accounts corresponding to the domain that are to change their passwords at next logon.

  • Users who cannot change their password:
  • Users who cannot change their password report displays the list of user accounts who do not have the privilege to change their account password.

  • Users whose password never expires:
  • Users whose password never expires report gives information on the user accounts whose password does not expire.

  • User accounts whose password expires in the time period:
  • This report displays the user accounts corresponding to a domain whose password expires within the given period of time.

  • Active user accounts:

    Active User accounts reports user accounts corresponding to a domain that remain active.

  • List of Users in an OU:
  • List of Users in an OU report enumerates the list of individual user accounts in an Organizational Unit. Specific containers within a domain can be chosen and the sub containers within them can also be included to report the individual user accounts within.

  • Disabled User accounts:

    Disabled User accounts reports list the user accounts within the domain that are disabled.

  • Locked out user accounts:

    Locked out user accounts lists the individual user accounts within a domain that remain locked out.

  • User accounts that expire in the time period:
  • User accounts that expire in the time period report gives the details of individual user accounts that expire within the specific period of time.

  • Users whose password is stored using reversible encryption:
  • Users whose password is stored using reversible encryption report displays the list of user accounts whose passwords are stored in a form that can be decrypted.

  • User accounts that are required to use smart card for interactive logon:
  • This report lists user accounts corresponding to a domain who require a smart card as part of their interactive logon.

  • User accounts that are trusted for delegation:
  • User accounts that are trusted for delegation report enumerates the list of user accounts having delegated rights i.e. user accounts that are trusted for delegation.

  • User accounts that are sensitive and cannot be delegated:
  • User accounts that are sensitive and cannot be delegated report lists the sensitive user accounts that cannot be delegated.

  • User accounts that use DES encryption types for keys:
  • User accounts that use DES encryption types of keys report lists the individual user accounts that use Data Encryption Standard encryption type keys.

  • User accounts that do not require Kerberos pre-authentication for logging on:
  • This report lists individual user accounts that do not mandate Kerberos protocol based pre-authentication for log on.

  • Users who are member of more than N groups:

    This report lists the user accounts that are members of more than the specified number of groups.

  • Users who have not logged on recently:
  • Users who have not logged on recently report lists user accounts who have not logged on within the specified time period.

  • Users who have logged on recently:
  • Users who have logged on recently report lists user accounts who have logged on recently within the specified time period.

  • Users without Logon script:
  • Users without Logon script report enumerates user accounts without logon script corresponding to a domain.

  • Users Dial-in permissions:
  • Users Dial-in permissions report lists the Dial-in permissions corresponding to the user accounts within a domain.

  • Domain Admins only:
  • Domain Admins only report displays the list of user accounts who are members of Domain Admins group.

  • Users and their last logon failure details:
  • This report enumerates the failed last logon details of individual user accounts corresponding to a domain.

  • Users Logon Workstations:
  • Users Logon Workstations report lists users and details of their logon to workstations.

  • Users and their dates of last password change:
  • Users and their dates of last password change report displays user accounts’ recent password change details.

    Quick Reports: Quick reports, a powerful feature in ARKAD, allow users to extract specific information from an Active Directory domain. In other words, they are a predefined set of reports corresponding to each AD object which allow users to generate reports on frequently accessed information with no loss of time. The following are some of the Quick reports on user accounts within a domain to enable faster reporting,

  • Users who are in Memberof Administrators Group:
  • Users who are in Memberof Administrators Group report lists users who are members of Administrators group within the specified domain.

  • Users who are in Memberof Enterprise Admins:
  • This report lists the individual user accounts who are members in Enterprise Admins group corresponding to the domain.

  • List of users having managers:
  • List of Users having managers report displays details of individual user accounts having managers.

  • Users without managers:
  • Users without managers report displays details of individual user accounts which do not have a manager.

  • List of manager based users:
  • List of manager based users report displays details of users who are themselves managers.

  • Dial-in Allowed Users:
  • Dial-in Allowed Users report displays the list of users with Dial-in allowed permissions.

  • Dial-in Denied Users:
  • Dial-in Denied Users report displays the list of users with Dial-in Denied permissions.

  • Users with logon script:
  • Users with logon script report displays the list of user accounts with logon script.

    Consider a scenario where the IT administrator intends to list the users who need to change their passwords during their next logon. Looking into each user account manually and retrieving the information is beyond question.

    Let’s see how ARKAD generates this report for IT administrators.

    Screenshot of Built-in Reports-Report Selection:

    The above screenshot shows “Users required to change password at next logon” report selected from the list of Built-in reports. (Built-In reports–>Users required to change password at next logon).

    Screenshot of Built-in Reports-Field Selection:

    The above screenshot shows the list of Available Fields and the Selected Fields corresponding to the report. The fields that are to be reported can be selected to generate meaningful information across the desired fields. The arrangement of the fields within the report can also be customized; such is the degree of control over the reporting process that ARKAD gives its users.

    Screenshot of Built-in Reports-Domain Controller Selection:

    The corresponding Domain name and the Domain controller which has to be looked into for the user account information are selected.

    Screenshot of Users required to change password at next logon report:


    The above screenshot shows the list of individual user accounts who need to change their passwords at next logon.

    Admin Report Kit for Active Directory (ARKAD) with such out-of-the-box user reports makes Active Directory monitoring and reporting easy and is certainly a value add to the IT infrastructure.

    For a 15 day free trial, visit our ARKAD product page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm.

    Admin Report Kit for Active Directory (ARKAD) version 6.2 released!!

    Wednesday, June 16th, 2010


    Our much anticipated major release of Admin Report Kit for Active Directory (ARKAD) version 6.2 is finally here with the following new features included,

    1. AD Summary Reports: ARKAD now comes up with the ability to report object-specific significant information in a powerful summarized view. AD Summary reports displays summarized vital information about Domains, Organizational Units, Computer Accounts and groups.
    2. Quick Reports: Quick reports allow the users to restrict the scope of reports to include only specific entities within the domain and generate meaningful information faster. This saves the users from the time involved in scanning the entire domain to retrieve information about specific objects. This is especially useful for oft repeated administrative tasks.
    3. ARKAD now allows the user to schedule reports by e-mail. The reports can be scheduled to later hours to reduce the operational load and can be automatically mailed across to the desired recipients.
    4. Custom Queries: With ARKAD, it is now possible for users to create their own reports. Custom Queries feature within the Quick reports allow the user to create a custom report by defining logical queries and generating the reports within the ARKAD framework. A custom query can be used to extract information from various containers across the directory.
    5. Additional user attributes such as Employee ID, Employee Number, Department Number, Division, Car License etc. can be now retrieved using ARKAD. This additional information better qualifies the users associated with the directory.
    6. Computers’ last logon date and time: ARKAD retrieves the last logon date and time of a computer specific to domain controllers within a domain and reports the most recent value as the computer’s last logon date and time.
    7. ARKAD now reports the list of nested groups and nested groups that form a loop. (Quick reports->List of nested groups that form a loop).

    Admin Report Kit for Active Directory (ARKAD) with its above features could very well be indispensable for any Active Directory infrastructure.

    For further information on ARKAD, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

    Forest level reporting with ARKAD

    Saturday, June 12th, 2010


    Forests are at the top of the Active Directory hierarchy. Forests comprise within themselves one or more domain trees (independent or interdependent) administered by a common schema. Usually a networking infrastructure contains in it a Forest at the top level. The objects within the Forests are controlled by the Forest Root Domain, created initially when the Active Directory is installed for the first time. With companies operating across geographies, the Active Directory has expanded rapidly resulting in the Forests’ topology becoming increasingly complex. To administer an Active Directory infrastructure with multiple forests spread across geographies is no easy task. Imagine the volume of data that would be generated or the number of individual entities that have to be looked at.

    Admin Report Kit for Active Directory (ARKAD) has in it numerous out-of-the-box reports that present a bird’s eye view of the Active Directory topology at a Forest Level. Through these reports ARKAD allows administrators to generate reports across multiple domains and take stock of the entire forest.

  • Domain Reports-Forest Level:
  • Domain Reports at a Forest level gives information about the various properties of domains within a forest. The domain controllers within the respective domains and the trust relationships (trusting or trusted) prevailing between them are also reported. The administrator corresponding to each domain, their permissions and the security settings are some of the other significant information reported at a forest level. Auditing information corresponding to the changes made within the domain can be viewed under ‘Auditing’ report. The Group Policy report gives information about the group policies that are applicable to the corresponding domains. The ‘Delegated Permissions’ report gives an insight on the users with their delegated tasks within the domain.

  • Site Reports-Forest Level:
  • Site Reports at a Forest level provides configuration settings corresponding to sites within a forest. The location of the sites and their created and modified dates are reported in the ‘Location’ and ‘Object’ reports respectively. The ‘Security’ and ‘Auditing’ reports give information about the permissions associated with the sites and their auditing information respectively. The Group Policy Objects linked to the corresponding sites is reported in the ‘Group Policy’ report. The ‘Delegated Permissions’ reports users with delegated tasks within the sites.

  • Group Reports-Forest level:
  • Forest Level Group Reports provide information about various group settings corresponding to groups within a forest. Information about the members within the groups and the membership details of groups themselves are reported in ‘Member’ and ‘Member Of’ reports corresponding to the Forest. The created date and modified date values and details of the administrators managing the groups are also displayed. The Permissions associated with the members of the group and the auditing information are other relevant information reported. The ‘Deleted Object’ report displays information on the groups recently deleted.

  • User Reports-Forest Level:
  • Forest Level User reports enumerate the Users and their account information associated with the domains within a forest. The User display names, address, account details, profile path, telephone numbers, organization and position related details are effectively reported. The users’ membership details are also reported. Created Date and Modified date field values are displayed. The Permissions granted, their type along with the auditing information is retrieved in the ‘Security’ and ‘Permissions’ reports. The Last logon date of the corresponding user account and other relevant information such as Password Last Set date, Password expiration date etc. are reported in the ‘Additional Account Info’ report. The Password Settings Objects policies (applicable to Windows 2008 Domain Controllers) defined for users within the forest and the precedence level of such policies can be viewed under ‘Effective PSO (Win 2008)’. The deleted user accounts within the forest are reported under ‘Deleted Objects’ report.

  • Contacts reports-Forest Level:
  • Contact reports are similar to the User reports and display information about the Contacts corresponding to the forest. The Contact information such as display names, address, telephone numbers, organization and position held are some of the relevant information reported. The Membership details of contacts are also reported. The Created Date and Modified date values are some of the other significant information reported in ‘Object’ report. The Permissions defined against the Contacts and the auditing information are displayed under ‘Security’ and ‘Auditing’ reports. The information about deleted contacts and their last known parent are reported in ‘Deleted Objects’ report.

  • Group Policy Object reports-Forest Level:
  • Group Policy Objects reports display information about the various Group Policy Objects within the forest. The details of Group Policy Objects linked with various objects within the forest are reported under ‘Links’ report. The objects that are connected to various GPOs and the corresponding details are reported in the ‘SOM Links’ report. The Security settings corresponding to each object, auditing information associated and related comments are retrieved for the administrator through the ‘Security Filtering’, ‘Security’ and ‘Auditing’ reports. ‘Deleted Objects’ reports deleted Group Policy Objects corresponding to the forest.

    Consider an example where the administrator wishes to generate a report on Trust relationships across various domains within a forest. Generating this report manually would be a cumbersome process.

    Let’s see how ARKAD does this with considerable ease. The following screenshot shows the Trust Relationship across domains within a forest.

    ARKAD with its out-of-the-box forests reports addresses administrators’ reporting needs with considerable finesse.

    For a 15-day free evaluation visit our product home page at <http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm>

    Last Logon date and time of Computers

    Wednesday, May 19th, 2010

    The Last-Logon attribute is one of the non-replicated attributes in Active Directory Domain Services, which means that each domain controller in a domain holds its own copy of the attribute, likely with different values. Each Domain Controller in a domain therefore stores a different value as a computer’s Last-Logon date and time. To find the latest logon time of a computer, we need to read the attribute on each domain controller manually and compare the values.

     Our Admin Report Kit for Active Directory retrieves the last Logon attribute from all Domain Controllers in a domain and delivers the most recent time a computer has logged onto the domain.

     The following image shows the last logon value of the computer ‘RD55’ corresponding to RD48.Spacenet.local Domain controller.

                

     The following image shows the last logon value of the computer ‘RD55’ corresponding to RD45.Spacenet.local Domain controller.

               

     

    The following image shows the most recent Log on date and time of RD55.  ARKAD enumerates last logon values from all the Domain Controllers in a domain and retrieves the most recent value among all the DC’s.
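The aggregation described above, as an added example that is not ARKAD's code or part of the original post: it assumes the raw Last-Logon values have already been read from each Domain Controller, and reduces them to the most recent logon per computer. Last-Logon is stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning no logon recorded); the sample readings, the third Domain Controller RD40 and the computer RD60 are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 nanoseconds


def from_filetime(raw: Optional[int]) -> Optional[datetime]:
    """Convert a raw Last-Logon value to UTC.

    None (the DC could not be read) and 0 (this DC never saw a logon)
    both mean there is no usable value from that DC.
    """
    if not raw:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def to_filetime(when: datetime) -> int:
    """Inverse conversion, used here only to build the sample data."""
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def most_recent_logon(
    per_dc: Dict[str, Optional[int]]
) -> Optional[Tuple[str, datetime]]:
    """Return (domain controller, logon time) for the newest value,
    or None if no DC holds a logon for this computer."""
    best: Optional[Tuple[str, datetime]] = None
    for dc, raw in per_dc.items():
        when = from_filetime(raw)
        if when is not None and (best is None or when > best[1]):
            best = (dc, when)
    return best


def last_logon_report(readings: Dict[str, Dict[str, Optional[int]]]):
    """Reduce per-DC readings to one row per computer."""
    return {name: most_recent_logon(per_dc)
            for name, per_dc in readings.items()}


UTC = timezone.utc
# Constructed readings: computer -> {domain controller -> raw Last-Logon}.
READINGS = {
    "RD55": {
        "RD48.Spacenet.local": to_filetime(datetime(2010, 5, 17, 9, 30, tzinfo=UTC)),
        "RD45.Spacenet.local": to_filetime(datetime(2010, 5, 19, 8, 5, tzinfo=UTC)),
        "RD40.Spacenet.local": None,  # hypothetical DC that was unreachable
    },
    "RD60": {  # hypothetical computer that has never logged on
        "RD48.Spacenet.local": 0,
        "RD45.Spacenet.local": 0,
    },
}

if __name__ == "__main__":
    for computer, result in last_logon_report(READINGS).items():
        if result is None:
            print(f"{computer}: no logon recorded on any DC")
        else:
            print(f"{computer}: {result[1].isoformat()} (from {result[0]})")
```

A Domain Controller that could not be read is skipped rather than treated as "never logged on", so a report built this way should also record which DCs were missing before the result is used to retire a computer account.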

    NTFS Permissions Reporting

    Saturday, March 6th, 2010

    NTFS Permissions reports on Files, Folders and Shares using Admin Report Kit for Windows Enterprise.

    There are several powerful features available in Admin Report Kit for Windows Enterprise to generate reports on NTFS permissions on files and folders residing in servers and workstations across multiple domains in the network. All reports may be scheduled and generated for multiple computers, users, and groups for multiple domains as a batch job.

    The Permissions Reports section under the built-in reports feature (out-of-the-box reports) includes reports dedicated to the access permissions assigned to users and groups on files, folders and shares. Our NTFS permissions reporting tool has several flavors of reports designed specifically for the administrator’s convenience. The following questions can be easily answered using these multi-dimensional reports:
    1. Given a selected set of Users and Groups, which files and folders do they have access to across computers in a domain?
    2. Given a selected set of files, folders and shares across computers, which users and groups have access to these?
    3. Which users have inherited access permissions by virtue of their group membership (even though they may not have been granted explicit permissions)?
    4. What permissions have been assigned to users both explicit and inherited through nested groups? One single report showing both.
    5. What are the net effective permissions for users and groups on a set of folders?
    6. How are nested groups affecting NTFS permissions on files and folders?

    Here is a walkthrough of how to generate NTFS Permissions Reports using Admin Report Kit for Windows Enterprise (ARKWE):

    Click on the Permissions Reports menu item under the Built-in Reports button in the toolbar.

    The following NTFS Permissions Reports are available:

    List of permissions for specific users and groups on folders
    Reports the folder permissions assigned to specific users and/or groups on a selected set of folders.

    List of permissions for folders
    Reports the permissions associated with a selected set of folders.

    List of permissions for specific users and groups on files
    Reports the files permissions assigned to specific users and/or groups under a selected set of folders.

    List of permissions for files
    Reports the permissions associated with files under a selected set of folders.

    List of all permissions for folders (Inherit & Explicit)
    Reports the permissions for users assigned in the folders directly and inherited by means of nested groups.

    List of effective permissions for users and groups on folders
    Reports the effective permissions for users and groups for a set of folders.

    List of effective permissions for users and groups on files
    Reports the effective permissions for users and groups for files available in a set of folders.

    Apart from the above out-of-the-box NTFS Permissions Reports, several standard customizable reports on various share and folder resources are available. These may be customized and scheduled as batch jobs for multiple computers and domains.

    Please click on the following to download and evaluate the above features in Admin Report Kit for Windows Enterprise.
    http://www.vyapin.com/products/windows-audit/windows-reports.htm