Latest posts by Timothy Warner (see all)
- Condusiv’s Diskeeper Server 16 - Proactive server file system fragmentation prevention - Wed, Dec 27 2017
- New features of SIEM tool EventSentry v3.4 - Wed, Dec 20 2017
- Use Just-in-Time Access to protect your Azure VMs - Fri, Dec 15 2017
The reporting engine operates in a read only mode to Active Directory and optimizes its built-in queries by retrieving the absolute minimum amount of data required to build your reports.
I can think of these use cases right off the bat for needing Active Directory Report Builder and generate reports:
- The compliance officer may need these AD reports to file our certification paperwork.
- The human resources department may need user activity reports for record-keeping purposes.
- The corporate information security team may need insight into high-privilege accounts.
- The service desk may need to spot locked accounts to reset their passwords.
- The consultant agency can schedule reports for compliance or security purposes.
Sysmalogic Active Directory Report Builder makes it super simple (and super-fast!) to perform any of the aforementioned business tasks. Let's take a closer look at this tool.
Download the fully functional 14-day trial from the Sysmalogic website. After the trial, you can either activate a license or let the product downgrade to the free version. The main limitation of the free version is that it can only examine domains with up to 125 enabled Active Directory users.
Installation took me about 30 seconds on my domain-joined Windows 10 Enterprise Edition workstation. The setup executable is a digitally signed .msi package and has no database dependencies.
After installing, fire up the tool and click Bindings. As you can see in the following screenshot, it is here that you:
- Connect to a target AD domain
- Specify your connection credentials
The credentials issue is important because (a) the tool does not require administrative elevation to run, and (b) you are—hopefully—logged onto your workstation as a domain user and not a domain administrator.
Before we run our first Active Directory search, let me introduce you to the Sysmalogic AD Report Builder's user interface. Check out the following annotated screenshot, which I'll explain afterward:
- A) Dashboard: Shows Active Directory metadata
- B) Search scope: The default setting is to search across the entire domain
- C) Scheduler: You can schedule report generation (more on that in a moment)
- D) Settings
- E) Tutorial
- F) Categories: Access the built-in search categories
- G) Favorites: Save your most useful searches for easier reruns
The Dashboard is actually a pretty nice standard report. Check it out:
I like that you can see the Primary Domain Controller (PDC) Emulator role holder, the query user identity, and domain password policy details at a glance. Alrighty then! Let's run our first search.
Start by opening the search scope menu and choosing your top-level search horizon. The available choices are:
- Search in entire domain
- Search in one organizational unit (OU)
- Search in multiple OUs
- Search in entire forest
For my example, I'll choose Search in Entire Domain. Next, navigate to the Categories tab and select a search category. The available choices are:
- Organizational Units
- Group Policy Objects
Let's say our service desk asked us to generate a report showing domain users attached to our Dallas and San Antonio offices. Sadly, all user accounts exist in the default Active Directory container, so trying to locate these users by inspecting the Office schema property one by one is untenable. Let's use Sysmalogic AD Report Builder!
We'll begin by expanding the User - General Names category and selecting the Users where Office subcategory. A fly-out menu appears, from which you can specify enabled, disabled, or enabled and disabled users. You can also construct an expression. I show you this in the next screenshot.
The Multiple Criteria option allows you to build more complex expressions. For instance, in the present case we want the Office property to match Dallas OR San Antonio.
The program then presents you with the Columns dialog box, shown in the next screen capture. Here we select which Active Directory schema properties we want to use as columns in our resulting report.
Pay attention to the small informational message at the bottom of the Columns dialog box, because it's important. Notice that while you can't create your own search categories and subcategories in Sysmalogic AD Report Builder, you can add schema attributes to the ones already available.
For now though, click Create Report to see the resulting report.
We'll discuss reporting more in just a moment. For now, go to Settings > Attribute Manager. As you can see in the following composite screenshot, you can include existing AD schema attributes that will show up in the Columns dialog box during report creation.
You saw what a typical report looks like in the previous section. Click Export to File to save a copy of the report in analyzable form. Your output choices are:
Of course, you can click Save to Favorite to store the report query to a quick-reference list. The LDAP Filters function is very cool. Here you can view the underlying Lightweight Directory Access Protocol (LDAP) expression that makes up your query. And guess what—it's modifiable!
In the following screenshot I added Lubbock to my composite office search:
Finally, let's look at the schedule builder. Here you can program Sysmalogic AD Report Builder to run a search query and generate a report on a schedule. You can also supply a Simple Mail Transfer Protocol (SMTP) server address and have the tool send you the auto-generated reports via email! I show you the AD Report Scheduler dialog box in the next screenshot.
According to the Sysmalogic pricing page, the 14-day free trial is equivalent in functionality to their Enterprise Unlimited license. To license your entire AD, count the number of enabled and non-expired users of your largest user based domain. (The tool has a built in count checker, which will be presented after your trial has ended. It will also determine the minimum required license type for the connected domain). Consultant agencies can either purchase the Enterprise Large or Unlimited license types. To cover all domains of all customers, determine the customer that has the largest user based domain and you are good to go!
If I worked in a shop that was subject to Active Directory compliance requirements, then Sysmalogic would be a "no-brainer" purchase for me. The same would apply if I worked for a company that took change management (think Information Technology Infrastructure Library—ITIL) seriously. I like this tool's speed and simplicity!