Active Directory Analysis

The quality of user and group information in a grown Active Directory environment is usually very uneven. Good data quality in your AD is a security matter and the prerequisite for a well-planned connection to other systems (HR data, intranet phone book, etc.). Analyze your AD and plan a clean-up to get clean data sets. We support you with know-how and free software.

Besides incomplete data, we often find orphaned objects or users with too many permissions. Unused AD accounts of former employees are another security issue. We recommend disabling or deleting them.

First, analyze your AD yourself. FirstAttribute provides a free AD reporting and analysis tool for this purpose: FirstWare-AD Inspector.


Why should you analyze your AD or perform an AD check-up?

Everyone uses the Active Directory

Each user authenticates against the AD and thus has an AD account. Do you use the data of your Active Directory in other systems? Or have you ever thought about using AD data?

 

Data Quality in the Active Directory

Unused, Incomplete, Disabled, Empty.
It is well worth knowing what is going on in your Active Directory. Data quality is important for various reasons. We have summarized some of them for you.

Security:

  • You want to know which accounts are not used
  • You want to know which computers are blocked
  • You want to know who has not changed their password
  • You want to avoid empty groups and recognize nested groups
  • You want to avoid duplicate login names within a forest

Data quality and data management:

  • You want to know which records are incomplete
  • You want to standardize user management with additional attributes
  • You want to extend your AD with Identity Management features
  • You have to create reports for your boss
  • You think about an intranet phone book based on AD user data

Delegation and automation:

  • You want to know if users have filled in certain attributes
  • You want to automate permissions (dynamic group memberships)
  • You want to delegate AD Administration and need standards
  • You want to connect other systems with the Active Directory and exchange data

Migration:

  • You are planning a consolidation or migration of various AD domains

Possibilities: Ways to increase AD data quality

How do you find and improve incomplete or incorrect data in Active Directory?
We recommend these two possibilities:

  1. Check your AD with the free FirstWare-AD Inspector
    You get an overview of your data quality through various reports. Save the reports as an Excel document for further processing.
     
  2. Plan an AD check-up with experts
    If you have an overview, you might want to talk to our experienced AD specialists. Our AD Consultants can assist you in planning your target data quality. The integration or connection of additional systems will become much easier.
     

We want you to be aware of how important Active Directory is for your infrastructure. Contact us if you want to know more, or just start your first analysis with FirstWare-AD Inspector.


FirstWare-AD Inspector: Free AD Analysis Software

AD Reporting with our free Tool

Feel free to use our free AD Analysis Tool to run various queries against your Active Directory.
The software is self-explanatory and allows you to create 17 different reports.
Since FirstWare-AD Inspector 2015 you can export your results to a text (CSV) or Excel (XLSX) file.

Get your free copy and
Download FirstWare-AD Inspector

 

What can I analyze with AD Inspector?

Why should I analyze my Active Directory?

Active Directory provides information (attributes) to connected applications and systems. An address book, for example, uses address and phone information from the Active Directory. It is important that the AD provides complete and up-to-date information. Otherwise the connected applications cannot use the data meaningfully. AD Inspector helps you check the data quality.

How does AD Inspector help me?

You get

  • information about users, computers and groups
  • advice on how you should evaluate the results of your analysis
  • advice on what measures you could take

In the next chapters you will learn more about the different types of AD analysis.

Why is AD Inspector free?

We specialize in designing and migrating Active Directory infrastructures. Data quality is one of the most important points when using a directory service.

We want you to know more about your AD! If you need help to improve structure or data quality, we are happy to hear from you.

User objects with non-expiring passwords

User objects can be configured so that passwords never expire, despite an active password policy. This poses a security threat: user passwords should be changed regularly. In general, you will find only service accounts here, where an expired password would stop the service from functioning.


Group nesting information

Active Directory groups may contain user objects as well as other group objects. With nested groups it is not immediately obvious which user objects are effectively members of a particular group. Access rights may therefore be assigned unknowingly to users who should not have been granted them. This analysis gives you an overview of how intensively group nesting is used within your Active Directory. An excessive degree of nesting should be avoided, because otherwise you will quickly lose track of things.

With FirstWare-Admin you can view the effective group memberships listed within the respective group.

You may use dynamic groups to automate group memberships and flatten nested groups.


Empty groups

Active Directory groups without any members are in many cases no longer required. With this analysis you can list all groups that no longer have any members. It can then be decided case by case whether a group can be deleted. Especially in view of a pending Active Directory migration, it makes sense to remove all unnecessary elements from the Active Directory.


User accounts missing at least one required attribute

The Active Directory is an LDAP-based directory service and is often called an address book for mail systems. For example, the contents of the Microsoft Exchange address book originate from the Active Directory. It therefore makes sense to maintain proper and current address and telephone information on the user objects. With this analysis you can check which of your user objects are missing the most important attributes.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required user attributes" are treated as mandatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. By clicking the disk symbol you can save the current configuration as default values. If you click the green Accept symbol instead, the configuration is retained only until the application is closed.

Through Active Directory Export you can very easily export the data of your user objects into a table. Afterwards, use the Excel mechanisms (such as sorting, filtering, copy and paste, etc.) to update the information and write it back into the Active Directory using Active Directory Import.

To keep all relevant information available within the Active Directory in the future, you can set up your own administration interfaces with FirstWare Admin and define your own rules. Active Directory administration then follows your rules, and you do not have to collect all information manually. Information such as the address details of your locations is recorded in combination with the Active Directory or an SQL database. When creating a new user object you can then select the location, and the address information is inserted automatically.


Contacts missing at least one required attribute

Contacts are used within the Active Directory to store address and telephone details that generally belong to external persons. In Exchange mail systems, contacts can also appear in the address book, if this is desired. Many companies keep additional address books for external contacts, so that the standard address book contains only the internal staff, while the mail system still provides central access to external contacts. Use this analysis to list all contact objects that are missing at least one required attribute.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required contact attributes" are treated as mandatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. By clicking the disk symbol you can save the current configuration as default values. If you click the green Accept symbol instead, the configuration is retained only until the application is closed.

The Active Directory administration of the contacts may be delegated, so that individual departments can keep their own address books without any impact on the internal address book. To delegate address book management, use our software FirstWare Admin to create your own interfaces; you can also delegate the task to non-IT staff.


User accounts having all required attributes

The Active Directory is an LDAP-based directory service and is often called an address book for mail systems. For example, the contents of the Microsoft Exchange address book originate from the Active Directory. It therefore makes sense to maintain proper and current address and telephone information on the user objects. With this analysis you can check which of your user objects have all required attributes filled in.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required user attributes" are treated as mandatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. By clicking the disk symbol you can save the current configuration as default values. If you click the green Accept symbol instead, the configuration is retained only until the application is closed.


Contacts having all required attributes

Contacts are used within the Active Directory to store address and telephone details that generally belong to external persons. In Exchange mail systems, contacts can also appear in the address book, if this is desired. Many companies keep additional address books for external contacts, so that the standard address book contains only the internal staff, while the mail system still provides central access to external contacts. Use this analysis to list all contact objects that have all required attributes filled in.

The attributes to be checked can be configured through the menu item Edit configuration. The attributes listed in the column "Required contact attributes" are treated as mandatory fields in the analysis. You can edit the lines or, after highlighting them with the left mouse button, delete them. By clicking the disk symbol you can save the current configuration as default values. If you click the green Accept symbol instead, the configuration is retained only until the application is closed.


New user accounts created within the past X days

This analysis lists all user accounts created as new accounts within the past X days. The number of days can be set in the menu item Edit configuration.


User accounts not logged in within the past X days

This analysis lists all user accounts that have not logged into the domain within the past X days. The number of days can be set in the menu item Edit configuration.


Computer accounts not logged in within the past X days

This analysis lists all computer accounts that have not logged into the domain within the past X days. The number of days can be set in the menu item Edit configuration.


Locked user accounts

This analysis lists all user accounts that are currently locked. A user account is locked once it has exceeded the permitted number of attempts to log into the domain with the correct password. With our FirstWare Admin, unlocking a user account can be delegated to other responsible persons with little or no IT know-how. With our tool you can easily create an interface for Active Directory delegation, through which you can delegate the unlocking of user accounts in particular organizational units of your Active Directory to other staff.


Deactivated user accounts

This analysis lists all currently deactivated user accounts.


Deactivated computer accounts

This analysis lists all currently deactivated computer accounts.


Accounts with unchanged passwords within the past X days

This analysis lists all user accounts whose password has not been changed within the past X days. The number of days can be set in the menu item Edit configuration.
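The reports on non-expiring passwords, deactivated accounts, accounts without a recent logon and accounts with old passwords can all be derived from three standard user attributes. The following is an added example, not code from FirstWare-AD Inspector: it assumes user records have already been exported as dictionaries with the AD attributes `sAMAccountName`, `userAccountControl`, `lastLogonTimestamp` and `pwdLastSet`; the function names, the 90-day threshold and the sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (values documented by Microsoft)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(value):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or missing -> None."""
    ticks = int(value or 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def audit(records, now, max_age_days=90):
    """Return {finding: [sAMAccountName, ...]} for exported user records.
    lastLogonTimestamp replicates with a lag of up to about two weeks by
    default, so keep max_age_days (the report's "X days") well above that."""
    cutoff = now - timedelta(days=max_age_days)
    report = {"password_never_expires": [], "disabled": [],
              "stale_logon": [], "stale_password": []}
    for rec in records:
        name, uac = rec["sAMAccountName"], int(rec["userAccountControl"])
        if uac & UF_DONT_EXPIRE_PASSWD:
            report["password_never_expires"].append(name)
        if uac & UF_ACCOUNTDISABLE:
            report["disabled"].append(name)
            continue  # already deactivated: do not also report it as stale
        logon = filetime_to_dt(rec.get("lastLogonTimestamp"))
        if logon is None or logon < cutoff:  # None means never logged on
            report["stale_logon"].append(name)
        pwd_set = filetime_to_dt(rec.get("pwdLastSet"))
        if pwd_set is None or pwd_set < cutoff:
            report["stale_password"].append(name)
    return report


# Constructed sample export (not real data): name, UAC, days since logon / password set
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
ROWS = [("alice", 512, 3, 30), ("svc_backup", 66048, 1, 900),
        ("bob_left", 512, 400, 450), ("carol", 514, 200, 200)]
SAMPLE = [{"sAMAccountName": n, "userAccountControl": u,
           "lastLogonTimestamp": dt_to_filetime(NOW - timedelta(days=lo)),
           "pwdLastSet": dt_to_filetime(NOW - timedelta(days=pw))} for n, u, lo, pw in ROWS]
SAMPLE.append({"sAMAccountName": "newhire", "userAccountControl": 512})  # never logged on
ACCOUNT_REPORT = audit(SAMPLE, NOW)
```

In the sample, the service account shows up both as non-expiring and as having an old password, which is the combination the non-expiring password report is meant to surface for review.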


Duplicate login names in the forest

This analysis lists all duplicate login names in your forest. If you manage only a single Active Directory domain, duplicate login names are not possible, because this is already checked at account creation. If you have several domains, however, the same name may well be used more than once. In many cases it makes sense to prohibit this, so that each login name is unique across the whole forest.


Duplicate Kerberos logon names in the forest (User Principal Name)

The Kerberos logon name normally consists of the user name and the domain name in the following structure: username@ADDomain.xxx. The Kerberos logon name should be unique in the Active Directory forest. With the above structure, the name is most likely to be unique.


User group membership

The analysis of group memberships provides you with two sets of information: first, the number of groups in which the user object is registered as a member, and second, the number of nested groups (TokenGroups) in which the user object is registered as an indirect member. Nested groups are groups of which you are an indirect member because you were added to a group that is itself registered as a member of one or more other groups.

Group nesting may lead to your user object gaining rights assigned through the nested group. It therefore makes sense to limit the level of nesting so as not to lose track of the effective rights assigned.

A user object can be a member of no more than about 1020 groups; this includes direct and indirect group memberships. If a user is registered in more than about 1020 groups not all memberships are effective, simply because the token for storing the memberships is full. The effect is that you enter someone in a group, but the associated rights are simply not assigned.
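How direct and indirect memberships, nesting depth and the limit of about 1020 groups relate can be shown with a small graph walk; this also covers the group nesting report described earlier. It is an added example, not part of FirstWare-AD Inspector or FirstWare-Admin: the `MEMBER_OF` mapping stands in for exported `memberOf` data, all account and group names are constructed, and the model is simplified to group nesting only.

```python
TOKEN_GROUP_LIMIT = 1020  # approximate limit quoted in the text above


def effective_groups(principal, member_of):
    """Return {group: nesting depth} for every group the principal reaches.
    member_of maps a name to the groups it is a direct member of; depth 1 is
    a direct membership. Breadth-first, so circular nesting terminates."""
    depth, frontier, level = {}, list(member_of.get(principal, ())), 1
    while frontier:
        nxt = []
        for group in frontier:
            if group not in depth:  # first (shortest) path wins
                depth[group] = level
                nxt.extend(member_of.get(group, ()))
        frontier, level = nxt, level + 1
    return depth


def membership_report(users, member_of, limit=TOKEN_GROUP_LIMIT):
    """Per user: direct and indirect group counts, deepest nesting, limit check."""
    rows = []
    for user in users:
        eff = effective_groups(user, member_of)
        direct = sum(1 for d in eff.values() if d == 1)
        rows.append({"user": user, "direct": direct,
                     "indirect": len(eff) - direct,
                     "max_depth": max(eff.values(), default=0),
                     "over_limit": len(eff) > limit})
    return rows


# Constructed directory (hypothetical names): who is a direct member of what
MEMBER_OF = {
    "jdoe": ["Sales", "VPN-Users"],
    "Sales": ["All-Staff"],
    "All-Staff": ["FileShare-Read"],
    "FileShare-Read": ["Sales"],          # circular nesting
    "helpdesk1": ["Helpdesk"],
    "Helpdesk": ["Server-Admins"],
    "Server-Admins": ["Domain Admins"],   # privilege gained two levels down
    "intern": [],
}
GROUP_REPORT = membership_report(["jdoe", "helpdesk1", "intern"], MEMBER_OF)
```

The `helpdesk1` row is the case the text warns about: one direct membership, but an effective membership in a privileged group at depth 3 that is invisible when looking at the account alone.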

©2016 FirstAttribute AG - All rights reserved.
