Active Directory Reports


  • Author Jack Peterson
  • Published September 18, 2010
  • Word count 816

Organizations that use Active Directory as the backbone of their network infrastructure sooner or later reach a point where they need a solution to control and monitor that infrastructure. Native Active Directory management tools cannot generate reports, so it becomes a challenge for AD administrators to extract up-to-date data from Active Directory. This applies even to the simplest reporting operations, such as building a list of users with specific account options set, or users with logon hours applied.

At this point, to make life easier for administrators and auditors, an Active Directory reporting solution is needed. Reports on Active Directory are essential: they help detect policy violations and security vulnerabilities in a timely manner, allow Active Directory inventory objects to be reviewed for compliance with legal requirements during audits, facilitate Active Directory cleanup, and so on.

Active Directory Reports: Challenges of the Real World

In the majority of cases, an Active Directory report is a simple query executed in a specific Active Directory location. At first glance, one might think that generating AD reports is quite an easy process and that scripting is a good way to cope with the problem. However, in the real world the situation turns out to be much more complicated.

First of all, the information stored in Active Directory is very often presented in a format that is hard to analyze (at least for a human). For example, if you need to obtain the date when a user account expires, Active Directory will return something like '129266388000000000'. Not very informative, is it? Converting such data to a human-readable format takes a lot of time and effort, as the Active Directory schema contains a huge number of property types, each with its own syntax and its own specifics.
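The value quoted above is a count of 100-nanosecond intervals since January 1, 1601 (UTC). As an added example (not from the original article or any product it mentions), the Python sketch below decodes accountExpires and the userAccountControl bit field into report-style labels. The sample rows, the 14-day "soon" window and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both sentinel values mean "this account never expires".
NEVER = (0, 0x7FFFFFFFFFFFFFFF)

# userAccountControl bits behind three common audit reports.
UAC_FLAGS = {
    0x00002: "disabled",
    0x10000: "password never expires",
    0x80000: "trusted for delegation",
}

def filetime_to_utc(value):
    """Convert a Large Integer attribute (100 ns ticks since 1601) to a UTC
    datetime. Returns None for the 'never' sentinels."""
    value = int(value)  # LDAP tools usually hand the value back as a string
    if value in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def expiry_status(account_expires, now, soon=timedelta(days=14)):
    """Classify an account; the 14-day window is an assumed threshold."""
    expires = filetime_to_utc(account_expires)
    if expires is None:
        return "non-expiring"
    if expires <= now:
        return "expired"
    return "soon-to-expire" if expires - now <= soon else "active"

def uac_findings(uac):
    """List the report-relevant flags set in userAccountControl."""
    return [name for bit, name in UAC_FLAGS.items() if int(uac) & bit]

def report(rows, now):
    """Map each account name to (expiry status, flag findings)."""
    return {r["sAMAccountName"]: (expiry_status(r["accountExpires"], now),
                                  uac_findings(r["userAccountControl"]))
            for r in rows}

# Constructed sample rows, shaped like the output of an LDAP export.
SAMPLE = [
    {"sAMAccountName": "jdoe", "accountExpires": "129266388000000000",
     "userAccountControl": "512"},
    {"sAMAccountName": "svc-backup", "accountExpires": "9223372036854775807",
     "userAccountControl": "66048"},
    {"sAMAccountName": "temp01", "accountExpires": "0",
     "userAccountControl": "514"},
]

if __name__ == "__main__":
    for name, result in report(SAMPLE, datetime(2010, 8, 10, tzinfo=timezone.utc)).items():
        print(name, result)
```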

Another problem with Active Directory reports is how to share them among administrators, auditors and other staff involved. Ideally, AD reports should be available via an Active Directory Web interface that provides the means to generate, analyze and print reports from a standard web browser. Apart from the reporting capabilities, such an Active Directory Web interface must ensure secure and controlled access to Active Directory resources, which is a critical part of the issue.

The situation becomes even more challenging if you have multiple Active Directory domains or even forests in your organization. Generating reports across several AD domains is a very complex and labor-intensive process, complicated by various security and authentication issues.

Now it is clear that it is unreasonably expensive for a company to keep IT specialists on staff who are able to cope with Active Directory reporting tasks without resorting to third-party software.

Active Directory Reports: What's the Way Out

Taking the above into account, the only way out is to call for help and choose a third-party solution. At the moment, there are a lot of tools for Active Directory reporting on the market. Some of them are free, while most of them aren't. So, what to choose?

There are some decent freeware tools that provide basic reporting functions. Usually they offer only simple reports that don't require additional processing of the data retrieved from AD. If you need a more complex solution with web access, multi-domain management and delegation of administrative tasks, you need to look at commercial software.

Anyway, here are a few points that shouldn't be overlooked when choosing a third-party solution for Active Directory reporting:

  • Availability of essential reports. Make sure the solution provides all reports that might be useful in your organization. My must-have list is:

      • Enabled/Disabled Users
      • Expired User Accounts
      • Non Expiring User Accounts
      • Soon-to-Expire User Accounts
      • Inactive Users
      • Users Whose Password Never Expire
      • Users With Expired Passwords
      • Users With Soon-to-Expire Passwords
      • Groups Without Members
      • Unmanaged Groups
      • Computers Trusted for Delegation
      • Unmanaged Computers
      • Inactive Computers
      • Empty OUs

  • Web-based access. If non-administrative staff in your organization require access to the Active Directory reporting capabilities, make sure the solution you choose ships an Active Directory Web interface. It is very important for such a solution to provide a security model that allows delegation of rights to view AD reports without modification of the native Active Directory permissions. My favorite here is the Active Directory Web Interface provided by Adaxes.

  • Multi-domain support. If there is more than one AD domain in your organization, make sure the reports can be generated for several domains at once (even if the domains are located in different AD forests).

Summary

A solution that supports Active Directory reports is a must for a company that is not willing to waste time on AD audits, lose track of groups and users, or become vulnerable to many security breaches. For small businesses, freeware solutions are quite suitable, while to cover the demands of bigger companies, commercial software should be considered.

Jack Peterson – independent consultant based in Alexandria, LA who specializes in Microsoft systems management. [Active Directory Web Interface](http://www.adaxes.com/active-directory_web-interface.htm)

Article source: https://articlebiz.com