Active Directory Reporting Essentials

The needs of Systems Management reporting can be broadly classified into:

  • Compliance Reporting (for internal compliance as well as statutory compliance needs such as HIPPA, SOX etc.)
  • Management Reporting (for delivering the reports that management needs – Mainly in the form of Summary reports without getting into the details)
  • Administrative Reporting (for day-to-day administrative tasks of managing the Systems infrastructure).

Active Directory Reporting is one of the components of Systems Management reporting and is a must for all the three categories in any mid-size to large-sized organization.

The following are some of the most essential elements in AD reporting for the needs stated above.

Security – Access control information

Report both standard and extended rights along with owner, Inherited and Apply Onto information. Identify what permissions Users and Groups have been assigned on objects. Using the Inherited information, identify which ACEs have been added explicitly. Additionally, using the Apply Onto information identify which ACEs are enforced by each object

Auditing information

Identify what type of access has been audited for a User and/or Group on objects and to which objects it has been applied, along with their Inherited information. Using the inherited information identify which type of access has been set to be audited explicitly.

Delegated Permissions

Report on tasks that have been delegated to a user and/or group on Domains, Sites and Organizational Units (report tasks delegated using the Delegation of Control Wizard and also the tasks that have been delegated manually).

Domain controllers information

Report domain controllers and their corresponding FSMO role(s), along with their OS and service pack information.

Trust relationships information

Report trusted and trusting domains and their corresponding trust attributes for a domain.

User additional password information

Report password last set date and password expiration date for User accounts in a domain.

Disabled computer accounts

Report the Enabled/Disabled status of computer accounts in a domain.

Domain and Forest functional levels

For Windows 2003 domains, report Domain and Forest functional levels. For Windows 2000 domains report Domain functional level.

User Account Options

Report all User Account Options

User Logon information

Report Last Logon of User accounts in a domain/forest.

Group Membership information

Report users, groups, contacts and their corresponding membership information including nested groups information. Identify members with their SID and their Group’s SID.

Group Policy Links

Report GPOs linked to Sites, Domains and Organizational Units along with Block policy inheritance, No override and disabled settings. Additionally, view the GPOs linked to a selected DC along with their link order and applied order.

Report Deleted Objects

Report Deleted OUs, Computer Accounts, Users, Groups, Contacts, GPOs, WMI Filters and Password Settings Objects (Windows Server 2008) in a domain/forest.

Password Settings Objects (Windows Server 2008)

Report PSOs links, Lockout settings, Password settings and other details.

Starter GPOs (Windows Server 2008)

Report Starter GPOs General, Comment and delegation details.

Vyapin’s Active Directory reporting tool Admin Report Kit for Active Directory (ARKAD) covers the above and more and along with its ability to offer built-in as well as custom reports acts as one single solution for all Active Directory Reporting needs.

For more information about the ARKAD reporting tool: