Generating complex Active Directory Reports just got easier for your Active Directory Auditing and Reporting needs. All you need is Vyapin’s powerful Active Directory reporting solution ARK for Active Directory (ARKAD) for the Microsoft Active Directory Enterprise.
Why ARK for Active Directory?
A partial list of important reports
What's New in ?
New Compare Reports feature that allows the user to compare reports generated using ARKAD. You can select two HTML, XLSX and CSV formatted reports generated in a different time period for which you want to find the difference between them.
Provides more than 100 AD reports out-of-the-box to retrieve useful, frequently accessed information across Active Directory.
Gather insights into how your AD is functioning
Active Directory Search
The Power Search tool allows the user to search on (A) specific security permission(s) assigned to Active Directory objects and (B) specific attributes on Accounts. The features cover every security permission and Account attribute defined in the domain controller's schema.
Powerful search feature to sift through domain controller based on ACE or AD attributes
LDAP Reports (Custom LDAP Queries)
Allows the user to create their own Quick Reports to search only the specified domain partition, and searches can be narrowed down to a single container/OU object. Users can also specify their own LDAP queries.
Monitor specific AD objects through custom queries
Create your own reports with custom selected fields and report criteria.
Create custom AD reports with specific report fields and data filters of your choice
Active Directory Summary Reports
Provides overall count information along with sub-totals on various objects in an Active Directory Domain like Total no of Users, Computers, Groups, OUs in a Domain / Organizational Unit(s), Total no of computers running in Windows 7 etc.
Summary information about your AD infrastructure
Insight AD reports
Reports the Summary and Detailed information based on "frequency of occurrence (Counts)".
Summary and detailed information about AD
Quick AD Reports
Allows you to extract specific targeted information very quickly from an Active Directory Domain and you can also create your own custom queries. Useful for quick and repeated use.
Gather specific details on AD Objects quickly
Allows you to quickly filter data based on search strings and dates. Wildcard characters may be applied. For example, all rows of data pertaining to “Administrators” may be filtered by a simple string filter “*admin*” across all fields or a single field. A simple string filter using “Full Control” as the search string will display all objects having “Full Control” permission.
Filter data of your choice using the query interface
Allows the user to select columns to display, perform advanced query based filtering using Field names and their values and Save the filter configuration for future use. Selecting and applying a saved filter will apply the filter and directly produce the desired subset of data.
Create search queries with multiple parameters for in-depth search
A simple string-based Find operation highlights all cells containing the string. Especially useful in determining string occurrences and their frequencies with respect to the entire displayed set of data. For example, highlight all users having “Full Control” permission in the displayed list of users and their permissions.
Enter a string to search in the report
Schedule and Export Reports using the Power Export Wizard
Flexible Export feature to export reports from ARKAD to reports to HTML / CSV / XLSX file format. Reports may be scheduled for export at different intervals of time – daily, monthly, weekly etc.
Export the reports to multiple file formats and schedule the reports to run at periodic intervals
Automatically send reports through e-mail
E-mail reports to various users in the organization.
Email reports to designated users
Allows the user to compare the reports generated using ARKAD and reports the difference between them.
Compare reports generated by ARKAD to track changes to various AD objects
ARKAD, by default, uses the currently logged on user context to connect to a domain. If ARKAD could not connect to a domain using the currently logged on user context, a ‘Connect As’ dialog would appear on the screen allowing the user to enter user credentials to connect to the domain. ARKAD then establishes a session with the destination domain, using the user credentials specified.
For connecting to an Active Directory server using ARKAD you need to be an authenticated user to the target domain. For generating RSoP reports you must be either an administrator of the target domain or a member of local administrators group in the target AD server. For generating reports for Group Policy Objects and WMI Filters the currently logged on user context, under which the application is running, must be an authenticated user to the target domain. For generating reports for Group Policy Objects and WMI Filters, ARKAD requires GPMC to be installed (GPMC v1.0.2 requires .NET Framework v1.1) on the local computer where ARKAD is running. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters GPMC is not required and you only need to be an authenticated user to the target domain.
ARKAD uses standard ADSI components for collecting Active Directory domain data. ARKAD uses the Computer Browser service to prepare the domain list at application startup. This domain list can be refreshed at any point of time during application run. For generating RSoP reports, ARKAD requires WMI to be installed on both the computer on which ARKAD is running and the target computer. Furthermore, RSoP reports can be generated only for Domain Controllers running Windows Server 2003. For generating reports for Group Policy Objects and WMI Filters ARKAD requires GPMC to be installed on the local computer where ARKAD is running. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters, GPMC is not required. For generating Security reports, ARKAD also establishes a session to the target computer at the time of generating the reports.
The currently logged on user or the specified user credentials must be an authenticated user to the target domain to generate reports in ARKAD. For RSoP reports, the currently logged on user or the specified user credentials must be an Administrator of the target domain. For generating reports for Group Policy Objects and WMI Filters the currently logged on user context, under which the application is running, must be an authenticated user to the target domain. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters the currently logged on user or specified user must be an authenticated user to the target domain.
ARKAD stores the data in the application database once it gathers the data for the selected domain for the first time. ARKAD displays data from the local data store until the data is refreshed.
To refresh data, click ‘Refresh Data’ from the menu (View->Refresh Data) or toolbar. Alternatively, you can right-click on the grid, in the right pane of the report window, and then select ‘Refresh Data’ from the context menu.
For retrieving domain information, ARKAD creates schedule tasks in Windows Task Scheduler. Based on the settings provided in the Power Export Wizard, the task will run under the specified user account context and retrieve domain information at specified intervals.
You can use the Power Export feature in ARKAD to generate multiple reports for a domain at scheduled intervals. Currently ARKAD does not have the feature to compare the exported reports generated at different times. However, there are many free and commercial third-party utilities that allow you to compare text files, including formats such as CSV, XML etc.
ARKAD prepares the list of domains at application startup. The following settings are required for this operation to be successful:
Note: The aforesaid settings are required only if you intend to select a domain and a corresponding domain controller from the drop-down list.
On the other hand, if no DCs were up and running in a domain, at application startup, then that domain would not show up in the domains drop-down list. To view the missing domains, click Refresh button.
This message appears when you do not have access to the requested data or the data may be unavailable in the destination domain. Ensure that the current user context has sufficient privileges to read the requested information from the domain.
ARKAD allows to customize report views using 'Advanced Filters'. 'Advance Filters' maintains the fields displayed in a report. Check whether the filter status (displayed in the report status strip just above the view grid) shows 'Filter:Applied'. If so, you may have applied an advanced filter and selected the fields to display for the report. To view all the fields either remove the filter applied or edit the advanced filter to include all fields of the report.
You may not be able to see the entire data for a report:
An ‘Advanced Filter’, when applied, shows only the data that matches the specified filter condition. Check whether the filter status, in the report status strip just above the grid, shows ‘Filter: Applied’. If so, you may have applied an advanced filter and provided the filter conditions for displaying the report data. To view all the data remove the filter that had been applied to the report.
Also, you have the provision to cancel the data collection when collecting report data. So, check whether the report status strip just above the grid shows ‘Status: Canceled’. If so, you may have canceled the data collection. To view all the data click on the tab to collect the data again.
On some occasions you may not see the "Connect As" dialog appear on the screen. For instance, while connecting to a Domain Controller running Windows 2000 Advanced Server (SP4), from a member running Windows XP, you may not see the "Connect As" dialog appear, and eventually you would see no data in the generated report.
However, in such cases, you would you be able to generate the following reports against that domain:
But, all RSoP reports would throw "Access is denied" error.
ARKAD, by default, uses the currently logged on user context to connect to a domain. If an error occurs during the bind operation, ARKAD shows the "Connect As" dialog to get alternate credentials. However, if the bind operation were successful, you would not see the "Connect As" dialog.
Furthermore, you would get "No Data Available" for some reports, either when there were no objects found in the directory or when the objects could not be enumerated. No objects would be enumerated if the currently logged on user account is denied the read permission on objects. Also, you would get "No Data Available" when the current user account is not visible to the target domain.
Moreover, we have found that this behavior occurs when binding to a domain running Windows 2000 Advanced Server (SP4). Since the bind operation to the domain was successful, you would be able to generate some but not all domain reports.
You can view group membership information by running "Members" report for "Groups" object. The members of each group would be listed against the corresponding group in this report. Groups that have no members have an empty value against them in the members column in the report.
If you want to view only those groups that have no members, you need to use the advanced filter tool to eliminate the groups from the report that have members. To do so, you need to create an advanced filter with a filter condition that reads [Members] = ''. The empty quotation marks beside the equal sign instructs the filter tool to show only those groups that have no members.
However, please note that you cannot use Quick Filter tool to achieve this. Only the advanced filter is capable of reporting empty values.
The "Members" report of "Organizational Units" object lists all OUs and their corresponding members. The members report of organizational units object also shows the type of each member in the "Member Type" column in the report. Using this "Member Type" column you can get a narrow subset of members-list based on a specific object type.
For instance, if you want to view only users and computers present in each OU, you can create an advanced filter with a filter condition that reads [Member Type] = 'User' OR [Member Type] = 'Computer'.
However, if you are interested in viewing only a single "Member Type", you could use the Quick Filter to speed up the process. Just select the field, or leave "Any Field" which is the default, from the fields drop down and type in User, without quotations, in the edit box and hit "Go". Please note that you cannot use logical operators in the Quick Filter tool. Unlike Advanced Filter tool, you can use "*" and "?" wild card characters in Quick Filter.
The "Security" report allows you to view the permissions, both standard and extended, set on an object. Except for RSoP, the security report is available for all objects that ARKAD reports on. Since ARKAD reports both standard and extended set of permissions, the security report runs into hundreds and thousands of records. This is where the Filter tool comes in handy to figure out which users and/or groups were assigned a specific set of permission(s).
For instance, if you want to view all users and/or groups that have been assigned "Full Control" permission, you can create an advanced filter with a filter condition that reads [Permissions] = 'Full Control'.
Alternatively, you can use Quick Filter if you are looking for a specific permission, Full Control, as in this case. Just select the field, or leave "Any Field" which is the default, from the fields drop down and type in Full Control, without quotations, in the edit box and hit "Go".
You can view the Account Options of users in the "Account" report of "Users" object. The Account report, reports all of the account options available for a user object as displayed in AD MMC. You can view among others, the disabled, locked and expired user accounts in the Account report.
Since the Account report encompasses all the account options, you can generate meaningful reports with a subset of information derived from this report. For instance, you can create a report that lists all users whose password never expires and all user accounts that never expire. You can use the Advanced Filter tool to achieve this. To do so, create an advanced filter with a filter condition that reads [Password never expires] = 'True' AND [Account expires] = 'False'.
Alternatively, you can use Quick Filter to filter data based on a single account option. For instance, to view all user accounts that expire, just select [Account expires] field, from the fields drop down and type in False in the edit box and hit "Go".
The last logon date and time of users is available in the "Additional Account Info" report of users object. ARKAD calculates the last logon date and time by adding the local time zone information. Please note that this time zone information is retrieved from the local computer on which ARKAD is run.
Also, last logon value for a user can be unavailable if it is not set in the directory. In that case, ARKAD will display empty value in the corresponding field in the report for that user. You may also see last logon displayed as empty value when the current or specified user context does not have sufficient privileges to read the attribute from the directory.
In ARKAD, you can view delegated permissions for Site, Domain and an Organizational Unit in the "Delegated Permissions" report of the respective object. The delegated permissions report displays the tasks that had been delegated using the Delegation of Control Wizard and also the tasks that had been delegated manually.
Using the information displayed you can create meaningful reports using either Quick Filter or Advanced Filter tool. For instance, you can use Quick Filter, if you want to view all tasks that had been delegated to a specific account. To do so, either select "Name" field or leave "Any Field", selected by default, type in the desired group name, and then hit "Go". This will show up all tasks that had been delegated to the specified group. Alternatively, you can type in a portion of the group's name and use "*" or "?" wild card characters as place holders.
However, if you want to specify a complex filter condition, you need to create an advanced filter. For instance, if you want to view all accounts that have been delegated the tasks "Manage Group Policy links" and "Create, delete, and manage user accounts", you need to create an advanced filter with a filter condition that reads [Delegated Task] = 'Create, delete, and manage user accounts' OR [Delegated Task] = 'Manage Group Policy links'.
You can view the list of GPOs and their respective links to various objects (Domains, OUs and Sites) in the "Links" report for "Group Policy Objects". This report gives you a consolidated report of what GPOs are linked to what objects and also aids you in determining what GPOs are not linked to any object. The "Links" report shows the type of object to which each GPO is linked in "Linked Object Type" column along with settings of the link such as Enforced, and Link Enabled. This report also shows the path of the object to which a GPO is linked in addition and whether the policy inheritance has been blocked on the linked object.
Alternatively, you may also view GPOs linked to various SOMs (sites, domains, and OUs) in the "SOM Links" report for "Group Policy Objects". This report shows all sites in the forest, the domain, and all OUs with their respective GPO links. This report, by default, groups GPO links in SDOU order and, in addition, sorts the data on Link Order of each linked GPO.
You may also view the list of GPOs linked to the Domain Controller in "RSoP GPOs" report. The "RSoP GPOs" report shows among others, GUID, File system path, Enabled status and Version. Also, you can view the list of GPOs applied to the Domain Controller and their corresponding applied order, link order in "RSoP GPLinks" report. The RSoP GPLinks report also shows which GPOs which were inaccessible in the "Access Denied" column in the report.
Furthermore, you can view Group Policy information for Sites, Domains and Organizational Units in the "Group Policy" report of the respective object. The "Group Policy" report shows the various GPOs linked to the object in the "Group Policy Object Links" column and the corresponding settings namely, No override, Disabled, and Block policy inheritance.
You can narrow down the data displayed in the Group Policy reports using advanced filters. For instance, you may want to know which sites, domains and organizational units have "Block Policy Inheritance" set and which GPO links have "No Override" set. To do so, you need to create an advanced filter with a filter condition that reads [Block Policy Inheritance] = 'False' OR [No Override] = 'False'.
However, if you want to view only those GPO links that have been disabled, you can use Quick Filter to speed up the process. Select [Disabled] field from the fields drop down and type in True in the edit box and hit "Go".
This dialog will be shown when ARKAD is unable to connect using the credential specified during the creation of Power Search report. If the credential is not set to store in ARKAD's Profile Manager, the application will prompt for password while you try to run or edit a Power Search report.
You can view the privileges assigned to users and groups in "User Rights Assignment" report of RSoP. The "User Rights Assignment" report, displays the various privileges and the users and groups to which each privilege has been assigned and the source GPO that established this assignment.
You may want to know which users and groups have been allowed or denied a specific set of rights. To do so, you need to use filters. If you want to filter data based on a single right, you can use Quick Filter. For instance, if you want to view only those users and groups that have been denied the right to log on locally, just type in Deny log on locally in the edit box and hit "Go".
Alternatively, you can type in Deny* to view all the deny rights and the users and groups to whom the corresponding deny right has been assigned. Please note that you cannot use wild card characters like "*" and "?" in the advanced filter. However, if you want to specify a complex filter condition, you need to use advanced filters. For instance, if you want to view all users who have been allowed the right to log on locally, and the rights that have not been defined, you need to create an advanced filter with a filter condition that reads [Policy] = 'Allow log on locally' OR [Setting] = 'Not Defined'.
ARKAD generates an error log file in the application data path. The error log file tends to increase in size over a period of time especially if the application meets with frequent error conditions. The application does an "append" to the error log each time it runs. This is required for diagnostic purposes during troubleshooting. However, once the error log file reaches 512 KB, ARKAD creates a backup error log file called "ARKAD Backup ErrorLog.Log" in the application data path, and then truncates "ARKADErrorLog.Log" file.
You can evaluate both the Standard and Advanced Edition of ARKAD during the evaluation period. You may switch between the two editions using the switching button available in the main application window. In the evaluation period, there are no feature restrictions. You can test all the features available in ARKAD. The only restriction is that you can export / print / e-mail the first 10 records only. The evaluation period is 15 days.
Computer running ARKAD:
Supported Windows client platform
Supported Windows server platform
* It is highly recommended to have the latest service pack installed on Windows.