Archive for the ‘Windows’ Category

Active Directory Groups’ reporting with ARKAD!!

Friday, July 16th, 2010

The primary objective of clubbing individual user accounts and computers into ‘Groups’ in Active Directory is to reduce the administrative overhead of managing numerous Active Directory objects. With Groups, IT administrators can easily define policies for similar objects and manage them under a common schema. However, monitoring the growing number of groups and their members can be really challenging for administrators. Taking stock of groups and their members, along with their rights and permissions within the domain, is tiresome to do manually. Prevalent security vulnerabilities and increased compliance requirements warrant constant ‘sanity’ checks, and a reliable third-party reporting solution is the need of the hour to draw insights on the Active Directory groups.

Admin Report Kit for Active Directory (ARKAD) with its out-of-the-box Groups’ reports allows administrators to monitor the Active Directory groups effectively and ensure strict adherence to compliance requisites.

‘Built-In’ Groups reports: The following Built-In reports let users readily generate frequently accessed information about Active Directory Groups:

  • Recently Created/Modified/Deleted groups:

Recently created/modified/deleted groups’ reports provide information on the groups created, modified and deleted within the specified time corresponding to the domain.

  • Groups that have no members:

Groups that have no members report gives information on the groups within a domain that are empty with no members.

  • Groups that have more than N members:

Groups that have more than N members report lists groups within a domain with more than the specified number of members in them.

  • Groups that have less than N members:

This report lists the groups with less than the specified number of members in them within a domain.

  • Groups that are not a member of any other group:

This report displays the list of groups that are not members of other groups within the domain.

  • Groups that are member of more than N groups:

This report gives information on groups that share membership with more than the specified number of groups within a domain.

  • Universal Groups:

This reports the list of Universal Groups corresponding to the domain.

  • Global Groups:

This reports the list of Global Groups within a domain.

  • Domain Local Groups:

This report lists the Domain Local Groups corresponding to the domain.

  • Distribution Groups:

The Distribution Groups report lists the Distribution Groups within a domain, i.e. groups used for non-security purposes such as mailing lists.

  • Security Groups:

The Security Groups report lists the Security Groups within a domain, i.e. groups which have domain-specific users as their members.

  • List of groups in an OU:

This report lists the groups within a specified Organization Unit corresponding to a domain.

  • Groups with only User accounts:

This report lists the groups with only individual user accounts as their members within a domain.

  • Groups with only Computer accounts:

This report lists the groups with only Computer accounts as their members within a domain.

Quick reports: Quick reports are a set of predefined reports that allow administrators to retrieve frequently accessed information corresponding to each AD object. The following are some of the significant Quick reports on Group accounts:

  • Groups that are member of another group:

This report lists the groups which share membership with other groups.

  • Members of Administrators group:

This report lists the members of the Administrators group corresponding to a domain.

  • Member of Domain Admins group:

This report lists the members of Domain Admins group corresponding to the domain.

  • Members of Enterprise Admins group:

This report lists the members of Enterprise Admins group corresponding to the domain.

  • List of Managed Groups:

List of Managed Groups report lists the details of groups having managers.

  • List of Unmanaged Groups:

List of Unmanaged Groups report gives information on the groups without managers.

  • Groups that are not a member of any other Group:

The Groups that are not a member of any other Group report gives details of groups that do not share a membership with any other group within the domain.

  • Nested Groups that form a loop:

This report displays information about Nested groups corresponding to a domain that end up forming a loop.

  • Nested Groups:

Nested Groups report lists information about Nested Groups within a domain.

Insight Reports->Groups: The Insight report is a powerful feature to report summarized and detailed information about the AD objects. These reports are based on numbers i.e. frequency of occurrence corresponding to objects’ attributes. Insight reports also can be customized by specifying values against certain parameters for each report to generate a custom view of the report. The reports enable administrators to gain meaningful insights on Active Directory infrastructure.

Consider a situation where an administrator wishes to take stock of the entire domain and list groups which have less than the specified number of members. Enumerating the groups and monitoring their membership details manually would prove a daunting task. Let’s see how ARKAD reports the details of groups with fewer members.

Screenshot of Built-in reports-Report Selection:

The above screenshot shows the report “Groups that have less than N members” being selected from the list of Built-in reports (Built-In reports–>Built-In Object reports–>Groups–>Groups that have less than N members).

Screenshot of specifying report parameters:

The value corresponding to the report parameters is specified. Groups with less than five members would be reported.

Screenshot of Field selection:

The above screenshot shows the list of Available Fields and the Selected Fields corresponding to the report. The fields that are to be reported can be customized to generate meaningful information across the desired fields. The arrangement of the fields within the report can also be customized to make it easy for the administrators to access critical information.

Screenshot of Domain Controller Selection:

The above screenshot allows the user to specify the ‘Domain Controller Name’ corresponding to which the details of groups are to be listed.

Screenshot of Groups that have less than N members:

The above screenshot shows the list of groups within the domain having less than 5 members. The report can also be customized through the Quick Filter and Advanced Filter options wherein logical conditions can be applied to the reported information to give a custom view.

Admin Report Kit for Active Directory (ARKAD) with its cutting edge Group reports allows administrators to monitor and manage Groups better in an Active Directory topology and makes management reporting easy.

For a 15 day free trial, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm .

Admin Report Kit for Active Directory (ARKAD) version 6.2 released!!

Wednesday, June 16th, 2010


Our much anticipated major release of Admin Report Kit for Active Directory (ARKAD) version 6.2 is finally here with the following new features included:

  1. AD Summary Reports: ARKAD now comes with the ability to report significant object-specific information in a powerful summarized view. AD Summary reports display summarized vital information about Domains, Organizational Units, Computer Accounts and groups.
  2. Quick Reports: Quick reports allow the users to restrict the scope of reports to include only specific entities within the domain and generate meaningful information faster. This saves the users from the time involved in scanning the entire domain to retrieve information about specific objects. This is especially useful for oft repeated administrative tasks.
  3. ARKAD now allows the user to schedule reports by e-mail. The reports can be scheduled to later hours to reduce the operational load and can be automatically mailed across to the desired recipients.
  4. Custom Queries: With ARKAD, it is now possible for users to create their own reports. Custom Queries feature within the Quick reports allow the user to create a custom report by defining logical queries and generating the reports within the ARKAD framework. A custom query can be used to extract information from various containers across the directory.
  5. Additional user attributes such as Employee ID, Employee Number, Department Number, Division, Car License etc. can now be retrieved using ARKAD. This additional information better qualifies the users associated with the directory.
  6. Computers’ last logon date and time: ARKAD retrieves the last logon date and time of a computer specific to domain controllers within a domain and reports the most recent value as the computer’s last logon date and time.
  7. ARKAD now reports the list of nested groups and nested groups that form a loop. (Quick reports->List of nested groups that form a loop).

Admin Report Kit for Active Directory (ARKAD) with its above features could very well be indispensable for any Active Directory infrastructure.

For further information on ARKAD, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

Last Logon date and time of Computers

Wednesday, May 19th, 2010

The Last-Logon attribute is one of the non-replicated attributes in Active Directory Domain Services, which means that each domain controller in a domain holds its own copy of the attribute, likely with different values. Similarly, each Domain Controller in a domain stores different values as a computer’s Last-Logon date and time. To find the latest logon time of a computer, we need to visit each domain controller and read its copy of the attribute manually.

 Our Admin Report Kit for Active Directory retrieves the last Logon attribute from all Domain Controllers in a domain and delivers the most recent time a computer has logged onto the domain.

The following image shows the last logon value of the computer ‘RD55’ corresponding to the RD48.Spacenet.local Domain Controller.

The following image shows the last logon value of the computer ‘RD55’ corresponding to the RD45.Spacenet.local Domain Controller.

The following image shows the most recent logon date and time of RD55. ARKAD enumerates last logon values from all the Domain Controllers in a domain and retrieves the most recent value among all the DCs.
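
As an added illustration (not ARKAD's code), the Python sketch below performs the aggregation described in this post: it converts each domain controller's copy of lastLogon from its FILETIME form and keeps the newest. Only the names RD55, RD48 and RD45 come from the post; the timestamps and the unreachable DC are constructed.

```python
from datetime import datetime, timedelta, timezone

# lastLogon is stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a raw lastLogon value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def most_recent_logon(per_dc_values):
    """Pick the newest lastLogon among the copies held by each DC.

    per_dc_values maps DC name -> raw value read from that DC (int or the
    decimal string LDAP returns), or None if the DC could not be queried.
    A value of 0 means the computer never authenticated against that DC.
    Returns (dc_name, datetime_or_None, unreachable_dcs).
    """
    best_dc, best_ft, unreachable = None, 0, []
    for dc, raw in per_dc_values.items():
        if raw is None:
            unreachable.append(dc)
            continue
        ft = int(raw)
        if ft > best_ft:
            best_dc, best_ft = dc, ft
    when = filetime_to_datetime(best_ft) if best_ft else None
    return best_dc, when, unreachable


# Constructed sample: the DC names for RD55 come from the post, the timestamps
# and the unreachable DC are made up for illustration.
RD55_LAST_LOGON = {
    "RD48.Spacenet.local": to_filetime(datetime(2010, 5, 17, 9, 12, 40, tzinfo=timezone.utc)),
    "RD45.Spacenet.local": str(to_filetime(datetime(2010, 5, 19, 8, 3, 5, tzinfo=timezone.utc))),
    "DC-UNREACHABLE.example": None,  # hypothetical DC that did not answer
}

if __name__ == "__main__":
    dc, when, unreachable = most_recent_logon(RD55_LAST_LOGON)
    print(f"RD55 last logon: {when:%Y-%m-%d %H:%M:%S} UTC (reported by {dc})")
    if unreachable:
        # Any DC we could not read may hold a newer value.
        print("Not queried, result may be stale:", ", ".join(unreachable))
```

When the list of unreachable DCs is not empty, the returned time is only a lower bound, which matters before treating a computer account as stale.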

NTFS Permissions Reporting

Saturday, March 6th, 2010

NTFS Permissions reports on Files, Folders and Shares using Admin Report Kit for Windows Enterprise.

There are several powerful features available in Admin Report Kit for Windows Enterprise to generate reports on NTFS permissions on files and folders residing in servers and workstations across multiple domains in the network. All reports may be scheduled and generated for multiple computers, users, and groups for multiple domains as a batch job.

The Permissions Reports section under the built-in reports feature (out-of-the-box reports) includes reports dedicated to the access permissions assigned to users and groups on files, folders and shares. Our NTFS permissions reporting tool has several flavors of reports designed specifically for the administrator’s convenience. The following questions can be easily answered using these multi-dimensional reports:
1. Given a selected set of Users and Groups, which files and folders do they have access to across computers in a domain?
2. Given a selected set of files, folders and shares across computers, which users and groups have access to these?
3. Which users have inherited access permissions by virtue of their group membership (even though they may not have been granted explicit permissions)?
4. What permissions have been assigned to users both explicit and inherited through nested groups? One single report showing both.
5. What are the net effective permissions for users and groups on a set of folders?
6. How are nested groups affecting NTFS permissions on files and folders?

Here is a walkthrough of how to generate NTFS Permissions Reports using Admin Report Kit for Windows Enterprise (ARKWE):

Click on the Permissions Reports menu item under the Built-in Reports button in the toolbar.

The following NTFS Permissions Reports are available:

List of permissions for specific users and groups on folders
Reports the folder permissions assigned to specific users and/or groups on a selected set of folders.

List of permissions for folders
Reports the permissions associated with a selected set of folders.

List of permissions for specific users and groups on files
Reports the files permissions assigned to specific users and/or groups under a selected set of folders.

List of permissions for files
Reports the permissions associated with files under a selected set of folders.

List of all permissions for folders (Inherit & Explicit)
Reports the permissions for users assigned in the folders directly and inherited by means of nested groups.

List of effective permissions for users and groups on folders
Reports the effective permissions for users and groups for a set of folders.

List of effective permissions for users and groups on files
Reports the effective permissions for users and groups for files available in a set of folders.

Apart from the above out-of-the-box NTFS Permissions Reports, several standard customizable reports on various share and folder resources are available. These may be customized and scheduled as batch jobs for multiple computers and domains.

Please click on the following to download and evaluate the above features in Admin Report Kit for Windows Enterprise.
http://www.vyapin.com/products/windows-audit/windows-reports.htm

‘Member of’ details for a User for ALL domains in a forest

Friday, January 22nd, 2010

Consider the following scenario:


There are two domains in a forest with different namespaces namely SPACENET (SPACENET.local) and OtherDomain (OtherDomain.local). Let us assume that SPACENET is the domain that needs to access resources in OtherDomain. In order to allow domain users from SPACENET to access resources in the domain OtherDomain, we need to add SPACENET’s users as members in the ‘domain local group’ of OtherDomain.

If any user from the SPACENET domain is a member of ‘domain local group’ of OtherDomain (within the same forest), then the ‘Member Of’ tab for that user will not show that he is a member of ‘domain local group’ of OtherDomain. So, if you would like to know the ‘member of’ details of a particular User in a domain, a comprehensive listing should show all groups the User is a member of, including those groups in other domains that the user is a member of. 

Please see following figures to understand this better.

Active Directory Users and Computers for ‘OtherDomain.local’

Active Directory Users and Computers for ‘SPACENET.local’

If an administrator wants the ‘Member of’ details for users for the entire forest, he needs to view each group’s ‘Members tab’ in the AD console to see whether the specified user is a member of this group. The administrator needs to repeat this step for all domains and all groups in those domains.
 
So, how does ARKAD help show users’ ‘Member of’ details for all domains in a forest in a single report view?

With the help of Admin Report Kit for Active Directory (ARKAD) you can view the users’ ‘Member Of’ details for an entire forest. The following image depicts the report generated by ARKAD for the above scenario.

Active Directory Group membership report - listing across domains and forests

Sunday, December 20th, 2009

A user may be assigned to multiple groups in an Active Directory organization. A group member may have membership in other groups in the same domain (or) in a different domain within the same forest (or) in a different domain in a different forest.

An in-depth user/group membership report must include all the groups that a user is member of across the entire AD organization (and not just the groups within one domain).

In a multiple-forest environment, when we add a member from one domain to a group in another domain (from a trusted domain outside of that forest), Active Directory automatically creates a special object called a foreign security principal (FSP) in the CN=ForeignSecurityPrincipals container in the domain NC.

Active Directory creates a foreign security principal object in a forest when objects from its trusted external forest are assigned group membership and security for trusting the forest’s objects. The users and groups of the external forest are represented by foreign security principals in the trusting forest, which is necessary for them to access domain resources that exist in that forest. When a trust is established between domains across forests, these foreign security principals can become members of ‘domain local groups’ in the source domain.

In order to generate a report on all user memberships, you need a tool that runs through all user memberships across domains and if there are multiple forests with FSPs, then the membership across forests will have to be generated. For example, a complete membership listing of a User A, who is present in multiple domains across multiple forests, will show all groups that User A is a member of (including Domain Local Groups).

Vyapin’s Admin Report Kit for Active Directory (ARKAD) generates such complex user/group membership reports.

How do you view all security principals in all domains within a single forest in ARKAD? (A security principal can be a user, group, service, or computer.) The Forest Reports feature in ARKAD allows the user to generate reports across domains in a forest. Select ‘Forest Reports…’ under the New Report button in the toolbar; the Forest Reports window with the list of reports will be displayed. Select a report from the list of reports and click Next to proceed to the next steps.
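
The forest-wide ‘Member of’ listing discussed in this post and in the ‘Member of’ post above can be built by reading every group's member list in every domain and inverting it, matching foreign security principals by SID. The Python sketch below is an added example, not ARKAD's code; only the two domain names come from the posts, while the group names, the SID and the Partner.example forest are constructed.

```python
# Constructed sample data; only the two domain names come from the post.
USER_A = {
    "dn": "CN=User A,CN=Users,DC=SPACENET,DC=local",
    "sid": "S-1-5-21-1111111111-2222222222-3333333333-1105",  # made-up SID
}
ENGINEERING = "CN=Engineering,CN=Users,DC=SPACENET,DC=local"

# domain -> {group DN: values of that group's 'member' attribute}
GROUPS_BY_DOMAIN = {
    "SPACENET.local": {ENGINEERING: [USER_A["dn"]]},
    "OtherDomain.local": {
        # Domain local groups: one holds the user directly, one a nested group.
        "CN=Resource Access,CN=Users,DC=OtherDomain,DC=local": [USER_A["dn"]],
        "CN=FileShare RW,CN=Users,DC=OtherDomain,DC=local": [ENGINEERING],
    },
    "Partner.example": {  # hypothetical domain in a second, trusting forest
        "CN=Extranet Users,CN=Users,DC=Partner,DC=example": [
            "CN=" + USER_A["sid"] + ",CN=ForeignSecurityPrincipals,DC=Partner,DC=example"
        ],
    },
}


def fsp_sid(member_dn):
    """Return the SID when member_dn is a foreign security principal, else None.

    Assumes DNs without escaped commas, which holds for the sample above.
    """
    parts = [p.strip() for p in member_dn.split(",")]
    if (len(parts) > 1 and parts[1].lower() == "cn=foreignsecurityprincipals"
            and parts[0].upper().startswith("CN=S-1-")):
        return parts[0][3:].upper()
    return None


def forest_wide_member_of(user, groups_by_domain):
    """Return {group DN: (domain, how)} for every group that contains the user."""
    # Invert the forward 'member' links of every domain into one lookup table.
    parents = {}
    for domain, groups in groups_by_domain.items():
        for group_dn, members in groups.items():
            for member in members:
                key = fsp_sid(member) or member.lower()
                parents.setdefault(key, []).append((domain, group_dn))

    found, seen = {}, set()
    queue = [(user["dn"].lower(), "direct"), (user["sid"].upper(), "direct, via FSP")]
    while queue:
        key, how = queue.pop(0)
        if key in seen:  # also stops on nested groups that form a loop
            continue
        seen.add(key)
        for domain, group_dn in parents.get(key, []):
            found.setdefault(group_dn, (domain, how))
            queue.append((group_dn.lower(), "nested"))
    return found


if __name__ == "__main__":
    for dn, (domain, how) in forest_wide_member_of(USER_A, GROUPS_BY_DOMAIN).items():
        print(f"{domain:18} {how:16} {dn}")
```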

Effective permissions on folders and files…

Wednesday, October 7th, 2009

One of the headaches in finding out the NTFS permissions on files and folders is determining the effective permissions. Files and folders may have permissions explicitly set on them for users and groups and also have implicit/inherited permissions (e.g. users being allowed or denied access to a folder by virtue of their membership in a group or a nested group). Determining the effective permissions is a complex coding task, especially when you take into account the local and other built-in groups.

We have now included this feature in our Admin Report Kit for Windows Enterprise (ARKWE) and this is scheduled for release in a week or so. This has been a long awaited feature for many of our customers and prospects and I am glad that we have addressed it in the upcoming release.
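
To show why explicit and inherited entries cannot simply be merged, the following added example (not ARKWE's code) walks an ACL in the canonical Windows order and accumulates what a user's token is granted. The ACL, trustee names and tokens are constructed; owner rights, privileges and share-level permissions are left out.

```python
from collections import namedtuple

# Real access-mask bits from the Windows SDK (a small subset).
READ_DATA, WRITE_DATA, DELETE = 0x0001, 0x0002, 0x10000
RIGHT_NAMES = {READ_DATA: "READ_DATA", WRITE_DATA: "WRITE_DATA", DELETE: "DELETE"}

# kind is "allow" or "deny"; inherited is True when the ACE came from a parent.
Ace = namedtuple("Ace", "kind trustee mask inherited")


def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow.

    Simplification: inherited ACEs are not further ordered by ancestor distance.
    """
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def effective_rights(aces, token):
    """Walk the ACL the way an access check does and return the granted mask.

    token is the set holding the user's own name plus every group the user
    belongs to, nested groups included.
    """
    granted = denied = 0
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            denied |= ace.mask & ~granted   # cannot revoke what an earlier ACE granted
        else:
            granted |= ace.mask & ~denied   # cannot grant what an earlier ACE denied
    return granted


def right_names(mask):
    """Return the sorted names of the rights present in mask."""
    return sorted(name for bit, name in RIGHT_NAMES.items() if mask & bit)


# Constructed ACL and tokens (trustee names are made up).
FOLDER_ACL = [
    Ace("allow", "Domain Users", READ_DATA, inherited=True),
    Ace("deny", "Contractors", WRITE_DATA, inherited=True),
    Ace("allow", "Project X", READ_DATA | WRITE_DATA, inherited=False),
    Ace("deny", "alice", DELETE, inherited=False),
    Ace("allow", "Project X", DELETE, inherited=True),
]
# alice reaches "Project X" through a nested group; bob does not.
ALICE = {"alice", "Domain Users", "Contractors", "Project X"}
BOB = {"bob", "Domain Users", "Contractors"}

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB)):
        print(name, right_names(effective_rights(FOLDER_ACL, token)))
```

In the sample, the explicit allow for the nested group is evaluated before the inherited deny, so alice keeps write access that a simple "deny always wins" reading would remove.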

Active Directory Reporting - the Essentials

Tuesday, August 18th, 2009

The needs of Systems Management reporting can be broadly classified into:

1. Compliance Reporting (for internal compliance as well as statutory compliance needs such as HIPAA, SOX etc.)

2. Management Reporting (for delivering the reports that management needs - Mainly in the form of Summary reports without getting into the details)

3. Administrative Reporting (for day-to-day administrative tasks of managing the Systems infrastructure).

Active Directory Reporting is one of the components of Systems Management reporting and is a must for all the three categories in any mid-size to large-sized organization. The following are some of the most essential elements in AD reporting for the needs stated above.

Security - Access control information
Report both standard and extended rights along with owner, Inherited and Apply Onto information. Identify what permissions Users and Groups have been assigned on objects. Using the Inherited information, identify which ACEs have been added explicitly. Additionally, using the Apply Onto information, identify which ACEs are enforced by each object.
 
Auditing information
Identify what type of access has been audited for a User and/or Group on objects and to which objects it has been applied, along with their Inherited information. Using the Inherited information identify which type of access has been set to be audited explicitly.


Delegated Permissions
Report on tasks that have been delegated to a user and/or group on Domains, Sites and Organizational Units (report tasks delegated using the Delegation of Control Wizard and also the tasks that have been delegated manually).
 
Domain controllers information
Report domain controllers and their corresponding FSMO role(s), along with their OS and service pack information.
 
Trust relationships information
Report trusted and trusting domains and their corresponding trust attributes for a domain.
 
User additional password information
Report password last set date and password expiration date for User accounts in a domain.
 
Disabled computer accounts
Report the Enabled/Disabled status of computer accounts in a domain.
 
Domain and Forest functional levels
For Windows 2003 domains, report Domain and Forest functional levels. For Windows 2000 domains report Domain functional level.
 
User Account Options
Report all User Account Options.

User Logon information
Report Last Logon of User accounts in a domain/forest.
 
Group Membership information
Report users, groups, contacts and their corresponding membership information including nested groups information. Identify members with their SID and their Group’s SID.
 
Group Policy Links
Report GPOs linked to Sites, Domains and Organizational Units along with Block policy inheritance, No override and disabled settings. Additionally, view the GPOs linked to a selected DC along with their link order and applied order.

Report Deleted Objects 
Report Deleted OUs, Computer Accounts, Users, Groups, Contacts, GPOs,  WMI Filters and Password Settings Objects (Windows Server 2008) in a domain/forest.

Password Settings Objects (Windows Server 2008) 
Report PSOs links, Lockout settings, Password settings and other details.

Starter GPOs  (Windows Server 2008) 
Report Starter GPOs General, Comment and delegation details.

Vyapin’s Active Directory reporting tool Admin Report Kit for Active Directory (ARKAD) covers the above and more and along with its ability to offer built-in as well as custom reports acts as one single solution for all Active Directory Reporting needs. For more information about the ARKAD reporting tool click the following link: http://www.vyapin.com/products/enterprisenetworktools/arkad-active-directory-reports.htm

Active Directory Reports

Saturday, July 25th, 2009

A short note about our Admin Report Kit for Active Directory (ARKAD). This product of ours has evolved over time and has essentially become a single solution for Administrative reporting, Management reporting and Compliance reporting such as SOX and HIPAA.

The latest version includes a broad range of built-in reports that pretty much cover everything a company needs for all aspects of AD reporting. One of the outstanding features of the product is the ability to let users customize the report fields and formats in a variety of ways. All the built-in reports may be filtered (to reduce the size of the report), customized (to get the required fields in a certain order and format) and the settings may be saved for repeated use in the future.

Another outstanding set of reports in ARKAD is the Forest Reports. The Forest Reports let you take reports for your entire organization by letting you run these reports across multiple domains in a forest. For example, one great use of the Forest report feature is to check users who are members of groups in other domains. A user in domain X may be a member of a group in domain Y. ARKAD generates a list of all such users who have cross group-membership across domains in a forest. This is very useful in tracking down users and their groups in complex multi-domain AD deployments.