Vyapin Blogs

Our much anticipated major release of Admin Report Kit for Active Directory (ARKAD) version 6.2 is finally here with the following new features included,

1. AD Summary Reports: ARKAD now comes up with the ability to report object-specific significant information in a powerful summarized view. AD Summary reports displays summarized vital information about Domains, Organizational Units, Computer Accounts and groups.
2. Quick Reports: Quick reports allow the users to restrict the scope of reports to include only specific entities within the domain and generate meaningful information faster. This saves the users from the time involved in scanning the entire domain to retrieve information about specific objects. This is especially useful for oft repeated administrative tasks.
3. ARKAD now allows the user to schedule reports by e-mail. The reports can be scheduled to later hours to reduce the operational load and can be automatically mailed across to the desired recipients.
4. Custom Queries: With ARKAD, it is now possible for users to create their own reports. Custom Queries feature within the Quick reports allow the user to create a custom report by defining logical queries and generating the reports within the ARKAD framework. A custom query can be used to extract information from various containers across the directory.
5. Additional user attributes such as Employee ID, Employee Number, Department Number, Division, Car License etc. can be now retrieved using ARKAD. This additional information better qualifies the users associated with the directory.
6. Computers’ last logon date and time: ARKAD retrieves the last logon date and time of a computer specific to domain controllers within a domain and reports the most recent value as the computer’s last logon date and time.
7. ARKAD now reports the list of nested groups and nested groups that form a loop. (Quick reports->List of nested groups that form a loop).

Admin Report Kit for Active Directory (ARKAD) with its above features could very well be indispensable for any Active Directory infrastructure.

For further information on ARKAD, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

Forests are at the top of the Active Directory hierarchy. Forests comprise within themselves one or more domain trees (independent or interdependent) administered by a common schema. Usually a networking infrastructure contains in it a Forest at the top level. The objects within the Forests are controlled by the Forest Root Domain, created initially when the Active Directory is installed for the first time. With companies operating across geographies, the Active Directory has expanded rapidly resulting in the Forests’ topology becoming increasingly complex. To administer an Active Directory infrastructure with multiple forests spread across geographies is no easy task. Imagine the volume of data that would be generated or the number of individual entities that have to be looked at.

Admin Report Kit for Active Directory (ARKAD) has in it numerous out-of-the-box reports that present a bird’s eye view of the Active Directory topology at a Forest Level. Through these reports ARKAD allows administrators to generate reports across multiple domains and take stock of the entire forest.

Domain Reports at a Forest level gives information about the various properties of domains within a forest. The domain controllers within the respective domains and the trust relationships (trusting or trusted) prevailing between them are also reported. The administrator corresponding to each domain, their permissions and the security settings are some of the other significant information reported at a forest level. Auditing information corresponding to the changes made within the domain can be viewed under ‘Auditing’ report. The Group Policy report gives information about the group policies that are applicable to the corresponding domains. The ‘Delegated Permissions’ report gives an insight on the users with their delegated tasks within the domain.

Site Reports at a Forest level provides configuration settings corresponding to sites within a forest. The location of the sites and their created and modified dates are reported in the ‘Location’ and ‘Object’ reports respectively. The ‘Security’ and ‘Auditing’ reports give information about the permissions associated with the sites and their auditing information respectively. The Group Policy Objects linked to the corresponding sites is reported in the ‘Group Policy’ report. The ‘Delegated Permissions’ reports users with delegated tasks within the sites.

Forest Level Group Reports provide information about various group settings corresponding to groups within a forest. Information about the members within the groups and the membership details of groups themselves are reported in ‘Member’ and ‘Member Of’ reports corresponding to the Forest. The created date and modified date values and details of the administrators managing the groups are also displayed. The Permissions associated with the members of the group and the auditing information are other relevant information reported. The ‘Deleted Object’ report displays information on the groups recently deleted.

Forest Level User reports enumerate the Users and their account information associated with the domains within a forest. The User display names, address, account details, profile path, telephone numbers, organization and position related details are effectively reported. The users’ membership details are also reported. Created Date and Modified date field values are displayed. The Permissions granted, their type along with the auditing information is retrieved in the ‘Security’ and ‘Permissions’ reports. The Last logon date of the corresponding user account and other relevant information such as Password Last Set date, Password expiration date etc. are reported in the ‘Additional Account Info’ report. The Password Settings Objects policies (applicable to Windows 2008 Domain Controllers) defined for users within the forest and the precedence level of such policies can be viewed under ‘Effective PSO (Win 2008)’. The deleted user accounts within the forest are reported under ‘Deleted Objects’ report.

Contact reports are similar to the User reports and display information about the Contacts corresponding to the forest. The Contact information such as display names, address, telephone numbers, organization and position held are some of the relevant information reported. The Membership details of contacts are also reported. The Created Date and Modified date values are some of the other significant information reported in ‘Object’ report. The Permissions defined against the Contacts and the auditing information are displayed under ‘Security’ and ‘Auditing’ reports. The information about deleted contacts and their last known parent are reported in ‘Deleted Objects’ report.

Group Policy Objects reports display information about the various Grouped Policy Objects within the forest. The details of Group Policy Objects linked with various objects within the forest are reported under ‘Links’ report. The objects that are connected to various GPOs and the corresponding details are reported in the ‘SOM Links’ report. The Security settings corresponding to each object, auditing information associated and related comments are retrieved for the administrator through the ‘Security Filtering’, ‘Security’ and ‘Auditing’ reports. ‘Deleted Objects’ reports deleted Group Policy Object corresponding to the forest.

Consider an example where the administrator wishes to generate a report on Trust relationships across various domains within a forest. Generating this report manually would be a cumbersome process.

Lets see how ARKAD does this with considerable ease. The following screenshot shows the Trust Relationship across domains within a forest

ARKAD with its out-of-the-box forests reports addresses administrators’ reporting needs with considerable finesse.

For a 15-day free evaluation visit our product home page at <http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

NTFS Permissions reports on Files, Folders and Shares using Admin Report Kit for Windows Enterprise.

There are several powerful features available in Admin Report Kit for Windows Enterprise to generate reports on NTFS permissions on files and folders residing in servers and workstations across multiple domains in the network. All reports may be scheduled and generated for multiple computers, users, and groups for multiple domains as a batch job.

The Permissions Reports section under the built-in reports feature (out-of-the-box reports) includes specific reports that report exclusively on reporting the access permissions assigned to users and groups on files, folders and shares. Our NTFS permissions reporting tool has several flavors of reports designed specifically for the administrator’s convenience. The following questions can be easily answered using these multi-dimensional reports:
1. Given a selected set of Users and Groups, which files and folders do they have access to across computers in a domain?
2. Given a selected set of files, folders and shares across computers, which users and groups have access to these?
3. Which users have inherited access permissions by virtue of their group membership (even though they may not have been granted explicit permissions)?
4. What permissions have been assigned to users both explicit and inherited through nested groups? One single report showing both.
5. What are the net effective permissions for users and groups on a set of folders?
6. How are nested groups affecting NTFS permissions on files and folders?

Here is a walkthrough of how to generate NTFS Permissions Reports using Admin Report Kit for Windows Enterprise (ARKWE):

Click on the Permissions Reports menu item under the Built-in Reports button in the toolbar.

The following NTFS Permissions Reports are available:

List of permissions for specific users and groups on folders
Reports the folder permissions assigned to specific users and/or groups on a selected set of folders.

List of permissions for folders
Reports the permissions associated with a selected set of folders.

List of permissions for specific users and groups on files
Reports the files permissions assigned to specific users and/or groups under a selected set of folders.

List of permissions for files
Reports the permissions associated with files under a selected set of folders.

List of all permissions for folders (Inherit & Explicit)
Reports the permissions for users assigned in the folders directly and inherited by means of nested groups.

List of effective permissions for users and groups on folders
Reports the effective permissions for users and groups for a set of folders.

List of effective permissions for users and groups on files
Reports the effective permissions for users and groups for files available in a set of folders.

Apart from the above out-of-the-box NTFS Permissions Reports, several standard customizable reports on various share and folder resources are available. These may be customized and scheduled as batch jobs for multiple computers and domains.

Please click on the following to download and evaluate the above features in Admin Report Kit for Windows Enterprise.
http://www.vyapin.com/products/windows-audit/windows-reports.htm

A user may be assigned to multiple groups in an Active Directory organization. A group member may have membership in other groups in the same domain (or) in a different domain within the same forest (or) in a different domain in a different forest.

An in-depth user/group membership report must include all the groups that a user is member of across the entire AD organization (and not just the groups within one domain).

In a multiple forest environment, When we add a member from one domain to a group in another domain (from a trusted domain outside of that forest) , Active Directory automatically creates a special object called a foreign security principal (FSP) in the CN=ForeignSecurityPrincipals container in the domain NC.

Active Directory creates a foreign security principal object in a forest when objects from its trusted external forest are assigned group membership and security for trusting the forest’s objects. The users and groups of the external forest are represented by foreign security principals in the trusting forest and is necessary for them to access domain resources that exist in that forest. When a trust is established between domains across forests, these foreign security principals can become members of ‘domain local groups’ in the source domain.

In order to generate a report on all user memberships, you need a tool that runs through all user memberships across domains and if there are multiple forests with FSPs, then the membership across forests will have to be generated. For example, a complete membership listing of a User A, who is present in multiple domains across multiple forests, will show all groups that User A is a member of (including Domain Local Groups).

Vyapin’s Admin Report Kit for Active Directory (ARKAD) generates such complex user/group membership reports.

How to view all security principals in all domains within a single forest in ARKAD? (A security principal can be a user, group, service, or Computer). The Forest Reports feature in ARKAD allows the user to generate reports across domains in a forest. (Select ‘Forest Reports…’ under New Report button in the tool bar. The Forest Reports window with the list of reports will be displayed; Select a report from the list of reports. Click Next to proceed to the next steps).

One of the headaches in finding out the NTFS permissions on files and folders is determining the effective permissions. Files and folders may have permissions explicitly set on them for users and groups and also have implicit/inherited permissions (e.g. users having access or deny to a folder by virtue of  their membership in a group or a nested group). Determining the effective permissions is a complex coding task, especially when you take into account the local and other built-in groups.

We have now included this feature in our Admin Report Kit for Windows Enterprise (ARKWE) and this is scheduled for release in a week or so. This has been a long awaited feature for many of our customers and prospects and I am glad that we have addressed it in the upcoming release.

The needs of Systems Management reporting can be broadly classifed into:

1. Compliance Reporting (for internal compliance as well as statutory compliance needs such as HIPPA, SOX etc.)

2. Management Reporting (for delivering the reports that management needs - Mainly in the form of Summary reports without getting into the details)

3. Administrative Reporting (for day-to-day administrative tasks of managing the Systems infrastructure).

Active Directory Reporting is one of the components of Systems Management reporting and is a must for all the three cateogories in any mid-size to large-sized organization.The following are some of the most essential elements in AD reporting for the needs stated above.