Creating Active Directory reports using free tools
Free and Active
Several commercial tools can generate reports from Active Directory, but they are not exactly cheap. If you're looking for a less expensive approach, free tools are available for the task, and many deliver usable results. You can use free tools to evaluate Active Directory (AD) permissions, users, user data, and more.
A big advantage of these free tools is that you do not need to run them on the domain controller, and some do not even need to be installed. All you need is a computer in the Active Directory forest. I tested these utilities with Windows Server 2012 R2 and Windows 8.1; they also run well on Windows 7 and Server 2012.
Reading Rights with AD ACL Scanner
In companies where multiple administrators manage Active Directory and a complex authorization model is in use, the authorizations in AD should be read and documented regularly. This step is especially necessary if audits are carried out in your company. However, it may also be useful to check which administrators or user accounts have rights in the different organizational units. The PowerShell script AD ACL Scanner [1] is useful here. It launches a graphical interface and does not need to be installed: you just call the script file and display the rights in the associated interface.
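The same kind of check can be scripted for a recurring audit. The following is an added example, not code from AD ACL Scanner or from the original article: it lists the explicitly assigned Allow entries on every organizational unit and marks those that grant broad control or the Reset Password right. It assumes the ActiveDirectory module from RSAT is installed; the `$expected` list and the CSV file name are hypothetical and need adjusting to your environment.

```powershell
# Added example: list explicit (non-inherited) Allow ACEs on every OU.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
# Each of these rights gives broad control over the objects in an OU.
$broad = $Rights::GenericAll, $Rights::GenericWrite, $Rights::WriteDacl, $Rights::WriteOwner
# objectType GUID of the "Reset Password" extended right.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Principals expected to hold rights everywhere (assumption, adjust to your model).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($expected -contains $identity) { continue }

        $held = [int]$ace.ActiveDirectoryRights
        # Composite rights such as GenericAll must match on every bit.
        $flags = @($broad | Where-Object { ($held -band [int]$_) -eq [int]$_ })
        # An empty objectType on an extended-right ACE means all extended rights.
        $canReset = (($held -band [int]$Rights::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -in $resetPassword, [guid]::Empty)

        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Identity      = $identity
            Rights        = $ace.ActiveDirectoryRights
            BroadRights   = $flags -join ', '
            ResetPassword = $canReset
            Review        = ($flags.Count -gt 0) -or $canReset
        }
    }
}

# Hypothetical output file name.
$report | Sort-Object OU, Identity |
    Export-Csv -Path .\ou-explicit-aces.csv -NoTypeInformation
$report | Where-Object Review | Format-Table OU, Identity, BroadRights, ResetPassword -AutoSize
```

Inherited entries are skipped on purpose, so each delegation is reported once, at the OU where it was actually set.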
In addition to administrative rights, the tool can also display whether users with delegated privileges – for example, for resetting passwords – have been given authorizations that are too liberal. This information tells you whether user accounts have administrative rights in organizational units where they are not required. Also, the tool helps avoid redundancies. You can see whether a user account has the right to manage other accounts in several ways, such as through direct allocation and through membership in a group (