North America: +1 (646) 257-3449
Global: +91-44-2471 7142
Support Hours (M - F) : 9am - 8pm IST (GMT+5:30)
Current Time :  0:00:00 pm IST (GMT+5:30)
ARK for Active Directory
Home :: Products :: Active Directory :: ARK for Active Directory

ARK for Active Directory

8.7
DownloadRequest QuoteBuy Now

What does ARKAD report on?

ARKAD reports about the following: Organizational Units, Computer Accounts, Domains, Sites, Users, Groups, Contacts, RSop, Group Policy Objects and WMI Filters.

What user credentials does ARKAD use to connect to a domain?

ARKAD, by default, uses the currently logged on user context to connect to a domain. If ARKAD could not connect to a domain using the currently logged on user context, a ‘Connect As’ dialog would appear on the screen allowing the user to enter user credentials to connect to the domain. ARKAD then establishes a session with the destination domain, using the user credentials specified.

What credentials do I need for using ARKAD and connecting to a AD server?

For connecting to an Active Directory server using ARKAD you need to be an authenticated user to the target domain. For generating RSoP reports you must be either an administrator of the target domain or a member of local administrators group in the target AD server. For generating reports for Group Policy Objects and WMI Filters the currently logged on user context, under which the application is running, must be an authenticated user to the target domain. For generating reports for Group Policy Objects and WMI Filters, ARKAD requires GPMC to be installed (GPMC v1.0.2 requires .NET Framework v1.1) on the local computer where ARKAD is running. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters GPMC is not required and you only need to be an authenticated user to the target domain.

What mechanism does ARKAD use for collecting data?

ARKAD uses standard ADSI components for collecting Active Directory domain data. ARKAD uses the Computer Browser service to prepare the domain list at application startup. This domain list can be refreshed at any point of time during application run. For generating RSoP reports, ARKAD requires WMI to be installed on both the computer on which ARKAD is running and the target computer. Furthermore, RSoP reports can be generated only for Domain Controllers running Windows Server 2003. For generating reports for Group Policy Objects and WMI Filters ARKAD requires GPMC to be installed on the local computer where ARKAD is running. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters, GPMC is not required. For generating Security reports, ARKAD also establishes a session to the target computer at the time of generating the reports.

What permissions or privileges are required to generate reports against a Windows domain on the network?

The currently logged on user or the specified user credentials must be an authenticated user to the target domain to generate reports in ARKAD. For RSoP reports, the currently logged on user or the specified user credentials must be an Administrator of the target domain. For generating reports for Group Policy Objects and WMI Filters the currently logged on user context, under which the application is running, must be an authenticated user to the target domain. Please note, however, for generating Security, Auditing and Deleted Objects reports for Group Policy Objects and WMI Filters the currently logged on user or specified user must be an authenticated user to the target domain.

What Services and Settings does ARKAD require on a local or remote computer in order to collect data?

To generate reports for a domain, ensure the following settings are set appropriately for the following computers:

How do I refresh the data for the selected domain?

ARKAD stores the data in the application database once it gathers the data for the selected domain for the first time. ARKAD displays data from the local data store until the data is refreshed.

To refresh data, click ‘Refresh Data’ from the menu (View->Refresh Data) or toolbar. Alternatively, you can right-click on the grid, in the right pane of the report window, and then select ‘Refresh Data’ from the context menu.

I would like to take snapshots of all the reports at regular time intervals in order to record and track changes that happen over a period of time. How can I generate multiple reports for a domain at scheduled intervals?

You can use the Power Export feature in ARKAD to generate multiple reports for a domain at scheduled intervals. Currently ARKAD does not have the feature to compare the exported reports generated at different times. However, there are many free and commercial third-party utilities that allow you to compare text files, including formats such as CSV, XML etc.

I am unable to find domains in the domain selection dialog.

ARKAD prepares the list of domains at application startup. The following settings are required for this operation to be successful:

Note: The aforesaid settings are required only if you intend to select a domain and a corresponding domain controller from the drop-down list.

On the other hand, if no DCs were up and running in a domain, at application startup, then that domain would not show up in the domains drop-down list. To view the missing domains, click Refresh button.

Why do I get the message "Unable to collect ..."?

This message appears when you do not have access to the requested data or the data may be unavailable in the destination domain. Ensure that the current user context has sufficient privileges to read the requested information from the domain.

Why am I unable to view all the fields in a report?

ARKAD allows to customize report views using 'Advanced Filters'. 'Advance Filters' maintains the fields displayed in a report. Check whether the filter status (displayed in the report status strip just above the view grid) shows 'Filter:Applied'. If so, you may have applied an advanced filter and selected the fields to display for the report. To view all the fields either remove the filter applied or edit the advanced filter to include all fields of the report.

Why am I unable to view all the data for the selected report?

You may not be able to see the entire data for a report:

An ‘Advanced Filter’, when applied, shows only the data that matches the specified filter condition. Check whether the filter status, in the report status strip just above the grid, shows ‘Filter: Applied’. If so, you may have applied an advanced filter and provided the filter conditions for displaying the report data. To view all the data remove the filter that had been applied to the report.

Also, you have the provision to cancel the data collection when collecting report data. So, check whether the report status strip just above the grid shows ‘Status: Canceled’. If so, you may have canceled the data collection. To view all the data click on the tab to collect the data again.

Can I generate RSoP reports for all computers?

No, currently RSop reports can be generated against the selected Domain Controller only. Furthermore, RSop reports can be generated for Domain Controllers running Windows Server 2003 and later.

I did not see the ‘Connect As’ dialog appear and I get "No Data Available" for some reports for the selected domain?

On some occasions you may not see the "Connect As" dialog appear on the screen. For instance, while connecting to a Domain Controller running Windows 2000 Advanced Server (SP4), from a member running Windows XP, you may not see the "Connect As" dialog appear, and eventually you would see no data in the generated report.

However, in such cases, you would you be able to generate the following reports against that domain:

But, all RSoP reports would throw "Access is denied" error.

ARKAD, by default, uses the currently logged on user context to connect to a domain. If an error occurs during the bind operation, ARKAD shows the "Connect As" dialog to get alternate credentials. However, if the bind operation were successful, you would not see the "Connect As" dialog.

Furthermore, you would get "No Data Available" for some reports, either when there were no objects found in the directory or when the objects could not be enumerated. No objects would be enumerated if the currently logged on user account is denied the read permission on objects. Also, you would get "No Data Available" when the current user account is not visible to the target domain.

Moreover, we have found that this behavior occurs when binding to a domain running Windows 2000 Advanced Server (SP4). Since the bind operation to the domain was successful, you would be able to generate some but not all domain reports.

How do I enumerate groups with no members?

You can view group membership information by running "Members" report for "Groups" object. The members of each group would be listed against the corresponding group in this report. Groups that have no members have an empty value against them in the members column in the report.

If you want to view only those groups that have no members, you need to use the advanced filter tool to eliminate the groups from the report that have members. To do so, you need to create an advanced filter with a filter condition that reads [Members] = ''. The empty quotation marks beside the equal sign instructs the filter tool to show only those groups that have no members.

However, please note that you cannot use Quick Filter tool to achieve this. Only the advanced filter is capable of reporting empty values.

How do I get a report of all Organizational Units and their members?

The "Members" report of "Organizational Units" object lists all OUs and their corresponding members. The members report of organizational units object also shows the type of each member in the "Member Type" column in the report. Using this "Member Type" column you can get a narrow subset of members-list based on a specific object type.

For instance, if you want to view only users and computers present in each OU, you can create an advanced filter with a filter condition that reads [Member Type] = 'User' OR [Member Type] = 'Computer'.

However, if you are interested in viewing only a single "Member Type", you could use the Quick Filter to speed up the process. Just select the field, or leave "Any Field" which is the default, from the fields drop down and type in User, without quotations, in the edit box and hit "Go". Please note that you cannot use logical operators in the Quick Filter tool. Unlike Advanced Filter tool, you can use "*" and "?" wild card characters in Quick Filter.

How do I get a report of all Users and/or Groups who have Full Control permission?

The "Security" report allows you to view the permissions, both standard and extended, set on an object. Except for RSoP, the security report is available for all objects that ARKAD reports on. Since ARKAD reports both standard and extended set of permissions, the security report runs into hundreds and thousands of records. This is where the Filter tool comes in handy to figure out which users and/or groups were assigned a specific set of permission(s).

For instance, if you want to view all users and/or groups that have been assigned "Full Control" permission, you can create an advanced filter with a filter condition that reads [Permissions] = 'Full Control'.

Alternatively, you can use Quick Filter if you are looking for a specific permission, Full Control, as in this case. Just select the field, or leave "Any Field" which is the default, from the fields drop down and type in Full Control, without quotations, in the edit box and hit "Go".

How do I get a report of all Users and their corresponding Account Options?

You can view the Account Options of users in the "Account" report of "Users" object. The Account report, reports all of the account options available for a user object as displayed in AD MMC. You can view among others, the disabled, locked and expired user accounts in the Account report.

Since the Account report encompasses all the account options, you can generate meaningful reports with a subset of information derived from this report. For instance, you can create a report that lists all users whose password never expires and all user accounts that never expire. You can use the Advanced Filter tool to achieve this. To do so, create an advanced filter with a filter condition that reads [Password never expires] = 'True' AND [Account expires] = 'False'.

Alternatively, you can use Quick Filter to filter data based on a single account option. For instance, to view all user accounts that expire, just select [Account expires] field, from the fields drop down and type in False in the edit box and hit "Go".

How do I get a report on Users' last logon information?

The last logon date and time of users is available in the "Additional Account Info" report of users object. ARKAD calculates the last logon date and time by adding the local time zone information. Please note that this time zone information is retrieved from the local computer on which ARKAD is run.

Also, last logon value for a user can be unavailable if it is not set in the directory. In that case, ARKAD will display empty value in the corresponding field in the report for that user. You may also see last logon displayed as empty value when the current or specified user context does not have sufficient privileges to read the attribute from the directory.

How do I get a report of Delegated Permissions?

In ARKAD, you can view delegated permissions for Site, Domain and an Organizational Unit in the "Delegated Permissions" report of the respective object. The delegated permissions report displays the tasks that had been delegated using the Delegation of Control Wizard and also the tasks that had been delegated manually.

Using the information displayed you can create meaningful reports using either Quick Filter or Advanced Filter tool. For instance, you can use Quick Filter, if you want to view all tasks that had been delegated to a specific account. To do so, either select "Name" field or leave "Any Field", selected by default, type in the desired group name, and then hit "Go". This will show up all tasks that had been delegated to the specified group. Alternatively, you can type in a portion of the group's name and use "*" or "?" wild card characters as place holders.

However, if you want to specify a complex filter condition, you need to create an advanced filter. For instance, if you want to view all accounts that have been delegated the tasks "Manage Group Policy links" and "Create, delete, and manage user accounts", you need to create an advanced filter with a filter condition that reads [Delegated Task] = 'Create, delete, and manage user accounts' OR [Delegated Task] = 'Manage Group Policy links'.

How do I enumerate GPOs and their links?

You can view the list of GPOs and their respective links to various objects (Domains, OUs and Sites) in the "Links" report for "Group Policy Objects". This report gives you a consolidated report of what GPOs are linked to what objects and also aids you in determining what GPOs are not linked to any object. The "Links" report shows the type of object to which each GPO is linked in "Linked Object Type" column along with settings of the link such as Enforced, and Link Enabled. This report also shows the path of the object to which a GPO is linked in addition and whether the policy inheritance has been blocked on the linked object.

Alternatively, you may also view GPOs linked to various SOMs (sites, domains, and OUs) in the "SOM Links" report for "Group Policy Objects". This report shows all sites in the forest, the domain, and all OUs with their respective GPO links. This report, by default, groups GPO links in SDOU order and, in addition, sorts the data on Link Order of each linked GPO.

You may also view the list of GPOs linked to the Domain Controller in "RSoP GPOs" report. The "RSoP GPOs" report shows among others, GUID, File system path, Enabled status and Version. Also, you can view the list of GPOs applied to the Domain Controller and their corresponding applied order, link order in "RSoP GPLinks" report. The RSoP GPLinks report also shows which GPOs which were inaccessible in the "Access Denied" column in the report.

Furthermore, you can view Group Policy information for Sites, Domains and Organizational Units in the "Group Policy" report of the respective object. The "Group Policy" report shows the various GPOs linked to the object in the "Group Policy Object Links" column and the corresponding settings namely, No override, Disabled, and Block policy inheritance.

You can narrow down the data displayed in the Group Policy reports using advanced filters. For instance, you may want to know which sites, domains and organizational units have "Block Policy Inheritance" set and which GPO links have "No Override" set. To do so, you need to create an advanced filter with a filter condition that reads [Block Policy Inheritance] = 'False' OR [No Override] = 'False'.

However, if you want to view only those GPO links that have been disabled, you can use Quick Filter to speed up the process. Select [Disabled] field from the fields drop down and type in True in the edit box and hit "Go".

How do I get a report of privileges assigned to users and groups?

You can view the privileges assigned to users and groups in "User Rights Assignment" report of RSoP. The "User Rights Assignment" report, displays the various privileges and the users and groups to which each privilege has been assigned and the source GPO that established this assignment.

You may want to know which users and groups have been allowed or denied a specific set of rights. To do so, you need to use filters. If you want to filter data based on a single right, you can use Quick Filter. For instance, if you want to view only those users and groups that have been denied the right to log on locally, just type in Deny log on locally in the edit box and hit "Go".

Alternatively, you can type in Deny* to view all the deny rights and the users and groups to whom the corresponding deny right has been assigned. Please note that you cannot use wild card characters like "*" and "?" in the advanced filter. However, if you want to specify a complex filter condition, you need to use advanced filters. For instance, if you want to view all users who have been allowed the right to log on locally, and the rights that have not been defined, you need to create an advanced filter with a filter condition that reads [Policy] = 'Allow log on locally' OR [Setting] = 'Not Defined'.

There are 2 error log files. Why?

ARKAD generates an error log file in the application data path. The error log file tends to increase in size over a period of time especially if the application meets with frequent error conditions. The application does an "append" to the error log each time it runs. This is required for diagnostic purposes during troubleshooting. However, once the error log file reaches 512 KB, ARKAD creates a backup error log file called "ARKAD Backup ErrorLog.Log" in the application data path, and then truncates "ARKADErrorLog.Log" file.