Active Directory Reports

Organizations that use Active Directory as backbone of their network infrastructure
sooner or later come to a point when they need a solution to control and monitor
the Active Directory infrastructure. Native Active Directory management tools are
not capable to generate reports, and it becomes a challenge for AD administrators
to extract some up-to-date data from the Active Directory. This concerns even such
simplest reporting operations as building a list of users with some specific account
options set, or users with applied logon hours.

At this very point, to make life of administrators and auditors easier, an Active
Directory reporting solution is needed. Reports on Active Directory are quite essential
as they help to timely detect policy violations and security vulnerabilities, allow
review of the Active Directory inventory objects in compliance with legal requirements
during audits, facilitate Active Directory cleanup, etc.

Active Directory Reports: Challenges of the Real World

In the majority of cases an Active Directory report is a simple query executed in
a specific Active Directory location. At the first glance, one might think that
generation of AD reports is quite an easy process, and using scripting is a good
approach to cope with the problem. However, in the real world the situation appears
to be much more complicated.

First of all, very often the information stored in Active Directory is presented
in unacceptable to analyze format (at least for a human). For example, if you need
to obtain the date when a user account expires, Active Directory will return you
something like '129266388000000000'. Not very informative, is it? Converting such
data to a human readable format takes a lot of time and effort, as the Active Directory
schema contains a huge amount of property types, each containing its own syntax
and has its own specifics.

Another problem related to Active Directory reports is how to share them between

administrators, auditors and other staff involved. Ideally AD reports should be
available via an Active Directory Web interface that provides enough means to generate,
analyze and print reports via a standard web browser. Apart from the reporting capabilities,
such Active Directory Web interface must ensure a secure and controlled access to
the Active Directory resources, which is a very critical part of the issue.

The situation becomes even more challenging in the case you have multiple Active
Directory domains or even forests in your organization. Generation of reports across
several AD domains is a very complex and labor-intensive process, complicated by
different kinds of security and authentication issues.

Now it is clear that it is unreasonably expensive for a company to have IT specialists
in its staff who were able to cope with the Active Directory reporting tasks without
addressing third-party software.

Active Directory Reports: What's the Way Out

Taking into account the above, the only way out is to call for a help and choose
a third-party solution. At the moment, there are a lot of tools for Active Directory
reporting on the market. Some of them are free, while most of them aren't. So, what
to choose?

There are some decent freeware tools that provide some basic reporting functions.
Usually they offer only simple reports that don't require additional processing
of the data retrieved from AD. If you need a more complex solution with web access,
multi-domain management, administrative tasks delegation, you need to have a look
at the commercial software.

Anyway, here are a few points that shouldn't be overlooked when choosing a third-party
solution for Active Directory reporting:

1. Availability of essential reports. Make sure the solution provides all reports
   that might be useful in your organization. My must-have list is:
   
   
   
   
   
   
   

   Enabled/Disabled Users Expired User Accounts Non Expiring User Accounts Soon-to-Expire User Accounts Inactive Users Users Whose Password Never Expire Users With Expired Passwords

   Users With Soon-to-Expire Passwords Groups Without Members Unmanaged Groups Computers Trusted for Delegation Unmanaged Computers Inactive Computers Empty OUs

   
   


2. Web-based access. If there are non-administrative staff in your
   organization that requires access to the Active Directory reporting capabilities,
   make sure the solution you choose ships an Active Directory Web interface. It is
   very important for such a solution to provide a security model that allows delegation
   of rights to view AD reports without modification of the native Active Directory
   permissions. My favorite here is the
   
   Active Directory Web Interface provided by Adaxes.
   
   
   
   
   


3. Multi-domain support. If there are more than one AD domain in your
   organization, make sure the reports can be generated for several domains at once
   (even if the domains are located in different AD forests).

Summary

A solution that supports Active Directory reports is a must for a company that is
not willing to waste time fulfilling AD audit, lose track of groups and users, become
vulnerable to many security breaches. For small busineses freeware solutions are
quite suitable, while to cover the demands of bigger companies, commercial software
should be taken into consideration.