
Active Directory Analysing Tool - AD-Inspector

Use our free Active Directory Inspector to run several analytical checks against your Active Directory and gain valuable insight into its status and information content.

Free download: Active Directory Analyse Tool

The sections below describe each analysis, with notes on how to assess the results and which measures may need to be taken.


User objects with non-expiring passwords

User objects can be configured so that, despite an active password policy, their passwords never expire. This poses a security threat, because user passwords should be changed regularly. In general, you will find only service accounts here, where an expired password would stop the service from functioning.

With FirstWare-Connect you can adapt the configuration of user accounts on the basis of an Excel table through Active Directory Import.


Group nesting information

Active Directory groups may contain user objects as well as other group objects. With nested groups it is not immediately obvious which user objects are effectively members of a particular group. As a result, access rights may be assigned unknowingly to users who should not have been granted them. This analysis gives you an overview of how intensively group nesting is used within your Active Directory. An excessive degree of nesting should be avoided, because otherwise you will quickly lose track of things.

With FirstWare-Admin you can have the effective group memberships within the respective group listed.


Empty groups

In many cases, Active Directory groups without any members are no longer required. This analysis lists all groups that no longer have any members. It can then be decided case by case whether the group can be deleted. Especially in view of a pending Active Directory Migration it makes sense to remove all unnecessary elements from the Active Directory.


User accounts missing at least one required attribute

The Active Directory is an LDAP-based directory service and is often called an address book for mail systems. For example, the contents of the Microsoft Exchange address book originate from the Active Directory. It therefore makes sense to keep proper and current address and telephone information on the user objects. With this analysis you can check for which of your user objects the most important attributes are missing.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required user attributes" are thereby defined as obligatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. Clicking the disk symbol saves the configuration as default values. Clicking the green Accept symbol retains the configuration only until the application is closed.

Through Active Directory Export you can export the data of your user objects very easily into a table. Afterwards, use the Excel mechanisms (such as sorting, filtering, copy and paste, etc.) to update the information and write it back into the Active Directory by using Active Directory Import.

So that all relevant information remains available within the Active Directory in the future, you can set up your own administration interfaces with FirstWare Admin and define your own rules. Active Directory administration then follows your rules, and you do not have to collect all information manually. Information such as the address details of your locations is recorded in the Active Directory or in an SQL database. When creating a new user object you can then select the location, and the address information is inserted automatically.


Contacts missing at least one required attribute

Contacts are used within the Active Directory to save address and telephone details that generally belong to external persons. In Exchange mail systems, contacts can also appear in the address book if desired. Many companies keep additional address books for external contacts, so that the standard address book contains only the internal staff while the mail system still provides central access to external contacts. Use this analysis to list all contact objects missing at least one required attribute.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required contact attributes" are thereby defined as obligatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. Clicking the disk symbol saves the configuration as default values. Clicking the green Accept symbol retains the configuration only until the application is closed.

The Active Directory administration of contacts may be delegated, so that individual departments can keep their own address books without any impact on the internal address book. To delegate address book management, use our software FirstWare Admin to create your own interfaces; you can also delegate the task to non-IT staff.


User accounts having all required attributes

The Active Directory is an LDAP-based directory service and is often called an address book for mail systems. For example, the contents of the Microsoft Exchange address book originate from the Active Directory. It therefore makes sense to keep proper and current address and telephone information on the user objects. With this analysis you can check for which of your user objects the most important attributes are missing.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required user attributes" are thereby defined as obligatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. Clicking the disk symbol saves the configuration as default values. Clicking the green Accept symbol retains the configuration only until the application is closed.


Contacts having all required attributes

Contacts are used within the Active Directory to save address and telephone details that generally belong to external persons. In Exchange mail systems, contacts can also appear in the address book if desired. Many companies keep additional address books for external contacts, so that the standard address book contains only the internal staff while the mail system still provides central access to external contacts. Use this analysis to list all contact objects missing at least one required attribute.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required contact attributes" are thereby defined as obligatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. Clicking the disk symbol saves the configuration as default values. Clicking the green Accept symbol retains the configuration only until the application is closed.


New user accounts created within the past X days

This analysis lists all user accounts created as new accounts within the past X days. The number of days can be set in the menu item Edit configuration.


User accounts not logged in within the past X days

This analysis lists all user accounts that have not logged into the domain within the past X days. The number of days can be set in the menu item Edit configuration.


Computer accounts not logged in within the past X days

This analysis lists all computer accounts that have not logged into the domain within the past X days. The number of days can be set in the menu item Edit configuration.


Blocked user accounts

This analysis lists all user accounts that are currently blocked. A user account is blocked if it has exceeded the number of attempts permitted to log into the domain with the correct password. With our FirstWare Admin, unblocking a user account can be delegated to other responsible persons with little or no IT know-how. With our tool you can easily create an interface for Active Directory Delegation, through which you can delegate the unblocking of user accounts for other organizational units of your Active Directory to other staff.


Deactivated user accounts

This analysis lists all currently deactivated user accounts.


Deactivated computer accounts

This analysis lists all currently deactivated computer accounts.


Accounts with unchanged passwords within the past X days

This analysis lists all user accounts whose password has not been changed within the past X days. The number of days can be set in the menu item Edit configuration.
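The checks for non-expiring passwords, deactivated accounts, unchanged passwords and missing logons described above can be reproduced over an exported table. The following is an added example, not AD-Inspector's own code; it assumes an export with the standard attributes userAccountControl, pwdLastSet and lastLogonTimestamp, and the accounts shown are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002        # userAccountControl bit: account is deactivated
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    """pwdLastSet / lastLogonTimestamp are 100 ns ticks since 1601-01-01 UTC; 0 = never."""
    ticks = int(ticks or 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def findings(row, now, max_days):
    """Return which of the checks described above one exported user row triggers."""
    uac = int(row["userAccountControl"])
    cutoff = now - timedelta(days=max_days)
    pwd_set = from_filetime(row.get("pwdLastSet"))
    last_logon = from_filetime(row.get("lastLogonTimestamp"))
    hits = []
    if uac & UF_ACCOUNTDISABLE:
        hits.append("deactivated")
    if uac & UF_DONT_EXPIRE_PASSWD:
        hits.append("password_never_expires")
    # pwdLastSet == 0 means "must change at next logon", so it is not counted as stale.
    if pwd_set is not None and pwd_set < cutoff:
        hits.append("password_unchanged")
    # lastLogonTimestamp replicates with a lag (about 14 days by default): keep max_days larger.
    if last_logon is None or last_logon < cutoff:
        hits.append("no_recent_logon")
    return hits


# Constructed sample export (hypothetical accounts), evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def days_ago(n):
    delta = NOW - timedelta(days=n) - FILETIME_EPOCH
    return str((delta.days * 86400 + delta.seconds) * 10_000_000)

ROWS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": "66048",
     "pwdLastSet": days_ago(900), "lastLogonTimestamp": days_ago(1)},
    {"sAMAccountName": "jdoe", "userAccountControl": "512",
     "pwdLastSet": days_ago(30), "lastLogonTimestamp": days_ago(200)},
    {"sAMAccountName": "old-temp", "userAccountControl": "514",
     "pwdLastSet": "0", "lastLogonTimestamp": "0"},
]

REPORT = {r["sAMAccountName"]: findings(r, NOW, max_days=90) for r in ROWS}
```

The service account is reported for both password findings, which matches the remark above that non-expiring passwords are mostly found on service accounts.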


Duplicate login names in the forest

This analysis lists all duplicate login names in your forest. If you manage only a single Active Directory domain, duplicate login names are not possible, because this is already checked at account creation. If you have several domains, however, the same name may well be used more than once. In many cases it makes sense to prohibit this, so that each login name is unique in the whole forest and occurs only once.


Duplicate Kerberos logon names in the forest (User Principal Name)

The Kerberos logon name normally consists of the user name and the domain name in the following structure: username@ADDomain.xxx. The Kerberos logon name should be unique in the Active Directory forest. With the above structure, the name is most likely to be unique.


User group membership

The analysis of group memberships provides you with two sets of information. First, you get a list showing the number of groups in which your user object is registered as a member; second, it shows in how many nested groups (TokenGroups) the user object is registered as an indirect member. Nested groups are groups of which you are an indirect member because you were entered in a group that is itself registered as a member of one or more other groups.

The nesting of groups may lead to your user object gaining rights assigned through the nested group. It therefore makes sense to limit the level of nesting so as not to lose track of the effective rights assigned.

A user object can be a member of no more than about 1020 groups; this includes direct and indirect group memberships. If a user is registered in more than about 1020 groups not all memberships are effective, simply because the token for storing the memberships is full. The effect is that you enter someone in a group, but the associated rights are simply not assigned.
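The direct and indirect memberships described above can be computed from exported group data by walking the nesting graph. The following is an added example, not AD-Inspector's own code; the group names and the memberOf table are constructed, and the limit of 1020 is the approximate figure quoted in the text.

```python
from collections import deque

# Constructed sample data: direct "member of" edges for users and groups.
# All names are hypothetical.
MEMBER_OF = {
    "alice": ["Sales", "VPN-Users"],
    "Sales": ["All-Staff", "CRM-Readers"],
    "CRM-Readers": ["DB-Readers"],
    "DB-Readers": ["Sales"],       # circular nesting must not loop forever
    "VPN-Users": ["All-Staff"],
    "bob": ["All-Staff"],
}

TOKEN_LIMIT = 1020  # approximate ceiling quoted in the text above


def effective_groups(principal, member_of):
    """Return {group: nesting depth}; depth 1 means direct membership."""
    depth = {}
    queue = deque((g, 1) for g in member_of.get(principal, []))
    while queue:
        group, d = queue.popleft()
        if group in depth:         # already reached by a shorter path or a cycle
            continue
        depth[group] = d
        queue.extend((parent, d + 1) for parent in member_of.get(group, []))
    return depth


def membership_report(principal, member_of, limit=TOKEN_LIMIT):
    """Split effective memberships into direct and indirect and check the limit."""
    depth = effective_groups(principal, member_of)
    return {
        "direct": sorted(g for g, d in depth.items() if d == 1),
        "indirect": sorted(g for g, d in depth.items() if d > 1),
        "max_depth": max(depth.values(), default=0),
        # Simplification: only groups are counted against the limit here.
        "over_limit": len(depth) > limit,
    }
```

For the sample user alice, two direct memberships expand to five effective groups at a nesting depth of three.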

©2016 FirstAttribute AG - All rights reserved.
