Active Directory-Reports dot com

Helpful Active Directory Reports Coverage for Security Audit & Regulatory Compliance

Brought to you by former Microsoft Program Manager for Active Directory Security

Active Directory Account / Identity Management Reports

Active Directory domain user accounts serve as primary user-identities and play a central role in authentication, authorization and auditing. The need to have insight into their state and security is thus vital to organizational security, and Account Reports provide organizations this vital insight.

Active Directory Domain User Account Reports

ACTIVE DIRECTORY ACCOUNT REPORTS


The following is a list of the Top-20 Active Directory Account Reports that are vital for maintaining security and generally required for security auditing and to demonstrate regulatory compliance –


I. Security State Reports –

   The following account reports provide vital insight into the security state of user accounts –

  1. All domain user accounts
  2. All enabled domain user accounts
  3. All disabled domain user accounts
  4. All locked domain user accounts
  5. All administrative domain user accounts (i.e. privileged accounts)
  6. All delegated administrative domain user accounts (i.e. accounts delegated authority)
  7. All active domain user accounts (i.e. those who have logged on in the last few days)
  8. All inactive domain user accounts (i.e. those who have not logged on in the last few days)
  9. All unused domain user accounts (i.e. those who have never logged on)
  10. All recently commissioned domain user accounts (i.e. created in the last few days)
  11. All expired domain user accounts
  12. All domain user accounts that do not have an expiration date
  13. All domain user accounts that do not require passwords to log on
  14. All domain user accounts whose passwords never expire
  15. All domain user accounts whose password has not changed in the last few days


II. Delegated Administrative Access Reports –

   The following account reports provide mission-critical insight into who can modify* the state of
   these user accounts, i.e. who has sufficient privilege to modify the state of these accounts –

* SECURITY NOTE – It is very important to understand that where a user or group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. To correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

  1. Who can create domain user accounts, and where?
  2. Who can delete domain user accounts, and which ones?
  3. Who can reset the passwords of domain user accounts, and of which accounts?
  4. Who can disable/enable domain user accounts, and which ones?
  5. Who can unlock currently locked domain user accounts, and which ones?

   These delegated administrative access reports are absolutely mission-critical to security because
   they reveal exactly who has the ability to change the security state of these user accounts.



How to Generate these Account Reports:

   Organizations generally have two predominant reporting options to fulfill their AD reporting needs,
   and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.

   The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.

Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
Copyright ActiveDir-Reports.Com 2010. All Rights Reserved