Microsoft previewed Active Directory (AD) in 1999 and then released it with Windows 2000 Server Edition. I worked with AD then, and I work with it to this day. It's safe to say I've got quite a bit of AD experience.
As a long-time AD admin/engineer/architect, I'm always on the lookout for a tool that can help manage AD more effectively. Last week, I got a chance to look at Active Directory Reports Professional from MaxPowerSoft. In this article, I'm going to tell you a bit about my experience with it.
Installation and licensing
Installing Active Directory Reports Professional is straightforward. I simply launched the installer, agreed to the terms and licensing, and then selected the folder to install to. The installation consisted of just a handful of "Next" clicks. Overall, it required less than 200 MB of disk space.
Licensing the software required a license key in the form of a text file. After launching the application, it immediately greeted me with a warning that my software was unregistered. After clicking "OK" at the warning, all I had to do was click "Help" and then "Register." After browsing to my registration key and thus registering the software, it was time to check out some of the features.
When the application opens, it automatically connects to the AD forest. It presents you with several tabs, which include Forest, Users, Groups, OU, Computers, GPO, Contacts, Exchange, Printers, NTFS, and Custom. Each tab focuses on auditing and reporting on the relevant AD piece.
Forest information
The Forest tab provides a concise view of the AD forest. It neatly lays out all pertinent forest information, making it easily accessible. From the Forest tab, you can view information about the AD forest itself along with all relevant information about the domain security policy that's in place. Password policies, account lockout durations, and many other security-related settings contained within the domain security policy are right there to see.
Using Active Directory Reports Professional is a much more pleasant way of reviewing what the security policy settings are for an AD environment. Instead of launching Group Policy Management, opening the security policy, and tracking through it to see what's up, you can just view the Domain Security Policy window in the Forest tab. Everything you need to know about your current security policy is easily accessible.
Users information
As impressed as I am with the Forest tab information, the Users tab contains even more useful information. In addition to the default All Users report, the Users tab includes several dozen user-centric reports you can use to really dig down into the user base of an AD environment. The tool breaks down the reports into two categories: General Reports and Status Reports.
Under General Reports, many canned reports let you track down things like users with and without managers, users with and without dial-in access, user profile information, and more. The Status Reports section offers reports that are more audit-centric. Reports in this section focus on things like enabled/disabled accounts, locked out accounts, expiring accounts, non-expiring accounts, and more. Reports that fall under the Status Reports section would be very useful for fun stuff like Sarbanes-Oxley (SOX) audits and whatnot. Manually tracking down much of the audit data that the status reports return is why AD administrators groan when auditors show up. The reports contained in Active Directory Reports Professional should make your life easier if you are an AD administrator.
There are simply too many reports to get into all of them here (I could write an entire manual), but the reports that I, as an experienced AD engineer, find most helpful are the Status Reports that return information on expired accounts, disabled accounts, and locked accounts. Not only are these reports helpful during audits, but they are also helpful during day-to-day operations.
Groups information
While I don't find the Groups tab to be quite as helpful as the Users tab, that doesn't mean it's not helpful. What I found while perusing the Groups tab was about two dozen canned reports that contain information about the groups within the AD environment. The reports found in the Groups tab break down into three sections: General Reports, Security Group Reports, and Distribution Group Reports.
Admittedly, I found the Groups tab less useful than many other tabs because you can often find the different groups it reports on quite easily in AD Users and Computers (ADUC). However, having everything in one place is certainly beneficial, and it certainly makes life just a little easier for the administrator. Now, one thing I did really like about the Groups reports is the Deleted Groups reports. These types of reports can be very helpful when troubleshooting sudden loss of access to shares, resources, and other stuff.
So, as far as the Groups reports go? I liked them but didn't love them.
Organizational unit (OU) information
The OU tab is deceptively helpful. Although the reports contained in it appear to offer limited information (such as All OU, Users Only OU, GPO Linked OU, etc.), the information these reports do include is just the type of oddball information executives often ask for.
In organizations with unnecessarily complex OU structures (a pet peeve of mine), the OU reports contained within Active Directory Reports Professional can be lifesavers for AD administrators. Instead of tracking down PowerShell scripts or formulating complex search queries to find obscure information about OUs within an AD environment, administrators can just pull up this information in Active Directory Reports Professional.
Computers information
To be honest, I was kind of surprised at how many different computer-centric reports are available in Active Directory Reports Professional. The General Computer Reports it provides include reports on enabled and disabled workstations, servers, and even domain controllers. The reports on recently created and recently deleted computers are particularly helpful—especially during the always-fun SOX audits for organizations lucky enough to have to deal with them.
A second section under the Computers tab is called Computer Logon Status Reports. The reports contained in this section let the administrator identify computer accounts that have never logged in, computer accounts that have been inactive for a certain period of time, active computers, and much more. I find these types of reports helpful when trying to keep AD clean. Far too often, machines (especially workstations) are physically decommissioned but left behind in AD, resulting in a messy environment. With these types of easy-to-use reports, AD becomes much less of a chore.
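The never-logged-on and inactive computer reports described above can be approximated from two AD attributes, `userAccountControl` and `lastLogonTimestamp`. The following is an added example, not code from MaxPowerSoft or from the original article; the function names, the sample accounts, and the 90-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LDAP_MATCHING_RULE_BIT_AND: tests individual bits of userAccountControl.
BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x0002

def to_filetime(dt):
    """Convert a timezone-aware datetime to an integer FILETIME."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def stale_computer_filter(now, inactive_days):
    """LDAP filter: enabled computers that never logged on or went quiet."""
    cutoff = to_filetime(now - timedelta(days=inactive_days))
    return (
        "(&(objectCategory=computer)"
        f"(!(userAccountControl:{BIT_AND}:={UAC_ACCOUNTDISABLE}))"
        f"(|(!(lastLogonTimestamp=*))(lastLogonTimestamp<={cutoff})))"
    )

def classify(computer, now, inactive_days):
    """Apply the same logic client-side to one exported account record."""
    if computer["userAccountControl"] & UAC_ACCOUNTDISABLE:
        return "disabled"
    last = computer.get("lastLogonTimestamp")
    if not last:  # attribute absent or 0: the account has never logged on
        return "never-logged-on"
    if last <= to_filetime(now - timedelta(days=inactive_days)):
        return "inactive"
    return "active"

def report(computers, now, inactive_days=90):
    return {c["name"]: classify(c, now, inactive_days) for c in computers}

# Constructed sample data (not from a real directory); 4096 is
# WORKSTATION_TRUST_ACCOUNT, 4098 adds the ACCOUNTDISABLE bit.
SAMPLE_NOW = datetime(2019, 6, 11, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "WS-001", "userAccountControl": 4096,
     "lastLogonTimestamp": to_filetime(SAMPLE_NOW - timedelta(days=3))},
    {"name": "WS-002", "userAccountControl": 4096,
     "lastLogonTimestamp": to_filetime(SAMPLE_NOW - timedelta(days=200))},
    {"name": "WS-003", "userAccountControl": 4096, "lastLogonTimestamp": None},
    {"name": "WS-004", "userAccountControl": 4098, "lastLogonTimestamp": None},
]

if __name__ == "__main__":
    print(stale_computer_filter(SAMPLE_NOW, 90), report(SAMPLE, SAMPLE_NOW), sep="\n")
```

`lastLogonTimestamp` is replicated only periodically (by default it can lag the real logon by up to about 14 days), so keep the inactivity threshold well above that before disabling or deleting anything the filter returns.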
Group Policy Object (GPO) information
I've worked for multiple managed service providers (MSPs) throughout my career. As such, I've seen some crazy stuff in AD—especially when dealing with smaller, understaffed clients. When you work for an MSP, it's not uncommon to get into an AD environment and see dozens or even hundreds of GPOs defined. Worse yet, many of those GPOs are often undocumented—some GPOs even being empty. Even worse, it's not uncommon to encounter AD problems caused by conflicting GPO settings.
Tracking down GPO headaches isn't necessarily "hard," but it can be very time-consuming. Unraveling which GPOs are causing Susie to map to the incorrect printer or file share can be a nightmare—especially without a complete picture of what GPOs are in play to begin with. For these reasons, I found the 15 or 20 canned GPO reports very helpful. For example, the Not Linked report lets an administrator who is troubleshooting GPO issues immediately identify and rule out any unlinked GPOs. Likewise, the User Settings Enabled, Computer Settings Enabled, User Settings Disabled, and Computer Settings Disabled reports let the admin easily see which GPOs may or may not be affecting a specific user or computer.
Aside from maybe the Users tab, I found the GPO tab to contain quite possibly the most helpful reports.
Contacts and Exchange tabs
Since I don't have Exchange running in my lab, I didn't get to play around too much with the reports in these tabs. That said, having information on all organization contacts and all Exchange information in one place—and easily accessible—makes life for the administrator far easier.
Printers information
Another dozen or so canned reports are available in the Printers tab. It's important to note, however, that the printer information included in this tab references printers published in AD. After all, this is an AD tool.
As far as how useful the Printers reports go, well, that's going to depend on how many printers you have published in AD. If you are a small shop, I could see the Printers tab not being terribly helpful. However, large organizations with lots of printers may find the printer reports helpful.
The reports included let you report on things like managed and unmanaged printers, color printers in the environment, duplexing capabilities, and printers created and deleted recently. As I mentioned, smaller organizations are likely to take a pass on these reports, but if you are a large organization and need to get a handle on printers spread out through the environment, I could see these reports being very helpful.
NTFS information
Unlike the Printers tab, the NTFS tab can be extremely helpful to all organizations large and small. Broken out into two sections (Folder Reports and File Reports), this tab offers some really good insight into file shares in use.
The NTFS reports offer up information on permissions and auditing settings applied to folders and files alike. With this type of information readily available, organizations can perform share cleanups and track down who has access where more easily. Using the reports available in the NTFS tab lets organizations get a handle on access permissions to files and folders throughout the environment.
Custom tab
The Custom tab is actually just a container for your own custom reports. The canned reports available in all the other tabs we've covered previously are all customizable. Simply right-clicking a canned report offers the ability to customize it. You can then save the customized report so that it returns the information most important to you. When you do this, it stores the custom report in the Custom tab under the relevant subsection. This provides easy access to the reports that matter most to you.
Additional features
We couldn't cover all features of AD Reports. Here are a few more features that you should check out:
- Send scheduled reports via e-mail
- Execute previously scheduled reports with the scheduling service and send e-mails even when AD Reports is not running
- Create reports with complex LDAP filters
- Create user / group / computer / OU membership reports with “grid IN grid” support
- Exclude unreachable DCs
Final thoughts
So here is what I think about MaxPowerSoft's Active Directory Reports Professional product:
Overall, I think it's a pretty solid product. It's easy to install and requires minimal setup. The software automatically finds the directory and immediately offers valuable information. Although the licensing notification makes you think there was an error during installation or launch, it's a mostly trivial annoyance. As long as you are paying attention, it becomes obvious it is prompting you for a license key.
As far as functionality goes, I have no complaints. There really is "something for everyone" within the tool. While some smaller organizations will get little use from some features (such as Printers reports), they will use many other reports included with the tool (such as NTFS reports). For larger organizations with formal auditing requirements (such as SOX), I can see this tool being quite helpful to administrators.
All told, MaxPowerSoft Active Directory Reports Professional gets a thumbs up from me.