Active Directory Organizational Unit (OU) Reports
Organizational units are special-purpose Active Directory containers that facilitate the application of group policies to content stored within them. Insight into their state and security is therefore vital to organizational security, and Organizational Unit Reports provide this insight.

The following is a list of the top 10 Active Directory Organizational Unit Reports that are vital for security and generally required for security auditing and to demonstrate regulatory compliance:
I. Security State Reports
The following OU reports provide vital insight into the security state of organizational units:
- All organizational units
- All organizational units to which group policies (GPOs) are linked
- All unmanaged organizational units (i.e. those for which a manager is not specified)
- All recently commissioned organizational units (i.e. those created in the last few days)
- All organizational units that contain a large number of objects
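The five security state reports above can be produced with the ActiveDirectory (RSAT) PowerShell module. The script below is an added example, not part of the original page or of any reporting tool it mentions; the 7-day and 500-object thresholds and the output file names are assumptions, since the page does not quantify "last few days" or "large number".

```powershell
# Added example: OU security state reports via the ActiveDirectory (RSAT) module.
# Covers the state reports only; it does not determine delegated (resultant) access.
Import-Module ActiveDirectory

# Assumed thresholds (not from the page).
$RecentDays     = 7
$LargeOuObjects = 500
$cutoff         = (Get-Date).AddDays(-$RecentDays)

# whenCreated is not returned by default; ManagedBy and
# LinkedGroupPolicyObjects are part of the default property set.
$ous = Get-ADOrganizationalUnit -Filter * -Properties whenCreated

$report = foreach ($ou in $ous) {
    # Count direct children only, so objects in nested OUs are attributed to those OUs.
    $children = @(Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel)

    [pscustomobject]@{
        DistinguishedName = $ou.DistinguishedName
        LinkedGpoCount    = @($ou.LinkedGroupPolicyObjects).Count
        ManagedBy         = $ou.ManagedBy
        WhenCreated       = $ou.whenCreated
        DirectChildren    = $children.Count
    }
}

# One filter per report in the list above.
$filters = [ordered]@{
    'all-ous'    = { $true }
    'gpo-linked' = { $_.LinkedGpoCount -gt 0 }
    'unmanaged'  = { -not $_.ManagedBy }
    'recent'     = { $_.WhenCreated -ge $cutoff }
    'large'      = { $_.DirectChildren -ge $LargeOuObjects }
}

foreach ($name in $filters.Keys) {
    $rows = @($report | Where-Object -FilterScript $filters[$name])
    '{0}: {1} OU(s)' -f $name, $rows.Count

    # Export-Csv rejects empty input, so only write reports that have rows.
    if ($rows.Count -gt 0) {
        $rows | Sort-Object DistinguishedName |
            Export-Csv -Path ".\ou-report-$name.csv" -NoTypeInformation
    }
}
```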
II. Delegated Administrative Access Reports
The following OU reports provide mission-critical insight into who can modify* the state of these organizational units, i.e. who has sufficient privilege to modify the state of these OUs:
* SECURITY NOTE: It is very important to understand that where a user/group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. In order to correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

- Who can create organizational units, and where?
- Who can delete organizational units, and which ones?
- Who can change the list of GPOs linked to organizational units, and of which ones?
- Who can disable GPOs linked to organizational units, and of which ones?
- Who can change the precedence of GPOs linked to organizational units, and of which ones?
These delegated administrative access reports are absolutely mission-critical to security because they reveal exactly who has the ability to change the security state of these organizational units.
How to Generate these Group Reports:
Organizations generally have two predominant reporting options to fulfill their AD reporting needs, and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.
The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.