Lead Image © reddz, 123RF.com

Lead Image © reddz, 123RF.com

Creating Active Directory reports using free tools

Free and Active

Article from ADMIN 23/2014
You don't have to spend a lot of money on expensive tools to read reports and analyze data on your Active Directory network. We show you some free utilities that will help you keep up with your Active Directory.

Several commercial tools provide the ability to read reports from Active Directory, but these tools are not exactly cheap. If you're looking for a less expensive approach, free tools are available for the task, and many deliver usable results. You can use free tools to evaluate Active Directory (AD) permissions, users, user data, and more.

A big advantage of these free tools is you do not need to run them on the domain controller – some you don't even need to install. All you need is a computer in the Active Directory forest. I tested these utilities with Windows Server 2012 R2 and Windows  8.1; they also run well on Windows  7 and Server 2012.

Reading Rights with AD ACL Scanner

In companies where multiple administrators manage Active Directory and a complex authorization model is in use, the authorizations in AD should be read and documented regularly. This step is especially necessary if audits are carried out in your company. However, it may also be useful to check which administrators or user accounts have rights in the different organizational units. The PowerShell script AD ACL Scanner [1] is useful here. It launches a graphical interface without the need to install. You just call the script file and display the rights in the associated interface.

In addition to administrative rights, the tool also can display whether users with delegated privileges – for example, for resetting passwords – have been given authorizations that are too liberal. This information tells you whether user accounts have administrative rights in organizational units, for which they are not required. Also, the tool helps avoid redundancies. You can see whether a user account has the right to manage other accounts in several ways, such as through direct allocation and through membership in a group (Figure 1).

Figure 1: AD ACL scanner lets you view reports on the authorizations structure in Active Directory.

To use the tool, you need to allow script execution in PowerShell on the appropriate computer. The Set-ExecutionPolicy Unrestricted cmdlet lets you execute any script in PowerShell. However, you should only temporarily override this setting and restore the default after running the script. You can change the execution policy with the Set-ExecutionPolicy cmdlet, and you can show the setting with get-ExecutionPolicy. The following settings are available:

  • Restricted: Default on Windows Server 2012 and Windows 8, which allows no scripts.
  • AllSigned: Only signed scripts are allowed.
  • RemoteSigned: Only scripts signed through a certification authority are allowed. This setting is configured in Windows Server 2012 R2 and Windows 8.1.
  • Unrestricted: Any script will work with this setting.

If the computer on which you start AD ACL Scanner has an Internet connection, set the option to RemoteSigned. This setting is preset in Windows Server 2012 R2 and Windows  8.1; in previous versions, you need to first adjust the settings, then enter the .\adaclscan1.3.3.ps1 command or the name of the version you have downloaded in PowerShell. You must be in the directory that contains the tool to do this.

You can also use filters. When you press Connect , the tool connects with the authorizations of the logged-on user and displays some initial data. In the bottom box, click on the organizational unit (OU) or domain you want to scan. Run Scan tells the tool to read the rights extensively. Then, AD ACL Scanner displays the report. You can print this or export it as an HTML report.

In the center pane on the Scan Options tab under Output Options, choose the setting CSV file and then set the output directory where AD ACL Scanner will export the CSV files as reports. Another usage scenario is validating rights in each organizational unit. After connecting to the domain, click on the OU you want to scan.

In more complex environments, the report can quickly become cluttered. For this reason, AD ACL Scanner provides the ability to filter the output in the right-hand pane. This way, you can search directly for permissions (Allow ) or denied permissions (Deny ), for example. Here, you also can control the objects the tool scans. In the middle pane, you can specify the Scan depth – that is, how deep the script should check for rights. In the Additional Options tab in the center pane, you can convert the CSV files of a report to HTML on request.

Creating Reports with AD Info

Another freeware tool in this category is AD Info [2]. The tool can read reports, but it must be installed. Additionally, .NET Framework 3.5 SP1 must be in place to use the tool. After launching AD Info, you will see the tabs and the areas for which you can create reports at the top. In the Computers tab, you can view, for example, computers with certain conditions. The results are shown at the bottom. The context menu of the individual result entries lets you copy the contents of the fields to the clipboard. In the File menu, you can save the results as CSV or HTML files.

AD Info is also available as a commercial variant, which lets you create your own queries and reports, for example. The queries can be scripted and automated in the commercial variant. A group policy template is also available for the commercial version, which you can use to automate settings.

Also in the Computers tab, you can filter the display – if necessary – by SID, GUID, account creation date, operating system, activity, and more. After double-clicking a report, you can select which data the tool should scan and display. In addition to computers, you can view other objects through the various tabs in AD Info.

In the Contacts tab, you can display, for example, any contacts you have created in Active Directory, as well as any contacts in Exchange. Containers & OUs takes you to information about the organizational units. You also search for associated group policies here, if needed. In the report, you can display the linked GPOs. This makes the tool useful for troubleshooting Group Policy or for documenting how you have linked the GPOs with domains and OUs in the enterprise.

In the Groups tab, you can customize reports for security groups in Active Directory. Here, too, you can display Exchange groups and distribution lists and read the Group Policy Objects in the domain. These can be filtered according to different criteria, and you can thus verify which policies have been created for computer and user configuration. In Tools | Domain Settings , you can tell the tool from which domain to read data. You can determine the user account that AD Info will use to connect to the domain at this point, and you can also specify the domain controller you want the software to connect with. Tools | Options lets you customize other settings. If you are using the commercial version, you can create your own reports via the Query menu.

Using AD Inspector for Analyses

Another interesting tool for analyzing Active Directory is AD Inspector  [3]. AD Inspector does not need to be installed; you can launch the tool directly. In the first step, press the folder icon at the top left to select which container you want to analyze in AD. You can examine the entire domain or only individual organizational units. At the bottom of the window, AD Inspector shows the usernames and domain controller that AD Inspector will use for the analysis.

To perform an analysis of group memberships, check User group membership and then click the green triangle in the toolbar. AD Inspector then performs the analysis and displays the row in green. The Result column shows the number of objects the tool has found. To get more information and a detailed report, click the magnifying glass in the Details column; here, you'll also see the users. Pressing the floppy disk icon saves the report to a CSV file (Figure  2).

Figure 2: AD Info lets you create reports and queries. You can read, display, and save reports for various data from Active Directory.

You can create other analyses in the same way. The Edit configuration icon in the toolbar lets you define limits within which the tool can search for information. You can specify which objects AD Inspector collects, as well as the time periods in which objects were created, and search for users without logins or for unchanged passwords. If you want to create a report that shows users that have not changed their passwords in the last 90 days, set the option Password not changed for (days) to 90 . In the options, you can also remove attributes from the reports. To do this, highlight the corresponding line and press the delete key on the keyboard.

AD Inspector launches under the user account with which you are logged on. You can launch the tool with a different user name using standard features. To do so, use the command line and the runas.exe tool. To launch AD Inspector with the username joost in the domain contoso.int , enter the following command,

runas /user:joost@contoso.int \

and use the path to which you copied the AD Inspector executable. To start the command, you must also enter the password for the specified user. The tool then launches with the desired user account.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.