Active Directory-Reports dot com

Helpful Active Directory Reports Coverage for Security Audit & Regulatory Compliance

Brought to you by former Microsoft Program Manager for Active Directory Security
Home
Account Reports
Group Reports
Computer Reports
Exchange Reports
Permission Reports
Schema Reports
Trust Reports
GPO Reports
SCP Reports
OU Reports
Reporting Options
Reporting Tools

Active Directory Group / Access Management Reports

Active Directory security groups play a central role in authorization as they simplify controlling user-access to organizational IT resources. The need to have insight into their state and security is thus also vital to organizational security, and Group Reports provide organizations this vital insight.

Active Directory Domain Security Group Reports

ACTIVE DIRECTORY GROUP REPORTS


The following is a list of the Top-10 Active Directory Group Reports that are vital for maintaining security and generally required for security auditing and to demonstrate regulatory compliance –


I. Security State Reports –

   The following group reports provide vital insight into the security state of security groups –

  1. All administrative domain security groups, and their members (including all nested members)
  2. All important domain security groups, and their members (including all nested members)
  3. All domain security groups with large memberships (i.e. including all nested members)
  4. All unmanaged domain security groups (i.e. groups for which a manager is not specified)
  5. All recently commissioned domain security groups (i.e. created in the last few days)


II. Delegated Administrative Access Reports –

   The following group reports provide absolutely critical insight into who all can modify* the state of
   these security groups, i.e. who all have sufficient privilege to modify the state of these groups –

* SECURITY NOTE – It is very important to understand that where all a user/group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. In order to correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

  1. Who can create domain security groups, and where?
  2. Who can delete domain security groups, and which ones?
  3. Who can change the memberships of domain security groups, and of which groups?
  4. Who can change the type of domain security groups, and of which groups?
  5. Who can change the scope of domain security groups, and of which groups?

   These delegated administrative access reports are absolutely mission-critical to security because
   they reveal exactly who has the ability to change the security state of these security groups.



How to Generate these Group Reports:

   Organizations generally have two predominant reporting options to fulfill their AD reporting needs,
   and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.

   The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.
Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
Copyright ActiveDir-Reports.Com 2010. All Rights Reserved
Active Directory Security Community Active Directory Reporting Tools Active Directory Security Reference Identity, Security & Access Blog