
Gold Finger 4.0 - A Must-Have for Active Directory

A while back I had blogged about the Gold Finger reporting solution for Active Directory. I had also provided some feedback to the vendor and last month, I received an email informing me that my feedback had been incorporated in the latest version, v4.0. I was also invited to review the Pro Edition, so I did, and I have to say that I am very impressed.

Gold Finger 4.0 is a Must-have Tool for Active Directory Reporting and Audit.


Gold Finger 4.0

Here's why -

What is the single most important thing one absolutely needs to know in Active Directory?

I believe that one thing is the need to know who really has what access in Active Directory, because all accounts, passwords, groups, policies etc. are stored and managed in AD, so we must know exactly who can perform which admin tasks (e.g. Password Resets) on which objects in Active Directory at all times.

For instance, at an absolute minimum, I think we all need to know exactly who can -
  1. Change the membership of the Domain Admins and Enterprise Admins group
  2. Reset the password of the user account of all admin and executive accounts
  3. Delegate administrative tasks in our core OUs to someone else, etc. etc.
Of course one also needs to have basic but essential security insight such as -
  1. How many accounts do we have and in what states (active, disabled, locked, etc.)
  2. How many groups we have and what are their memberships (direct, nested etc.)
  3. How many OUs and containers do we have, what are their contents etc.
But the need to know who can do what is far more important, because if, say, someone could reset a Domain Admin's password, he/she could log on as a Domain Admin and take control of the entire AD!


Finding out who REALLY has what access in Active Directory -

In that regard, I recently learnt that there is a HUGE difference between determining who has what access in Active Directory and determining who has what effective/resultant access in Active Directory.

Simply put, it is the difference between finding out where all a user has permissions in AD and finding out what the user's effective permissions are (also known as the resultant set of permissions) in AD. (You may have seen the Effective Permissions tab in the ACL Editor, which unfortunately Microsoft has acknowledged to be inaccurate.)

It turns out that determining a user's effective/resultant access in AD is in fact very difficult, because to do so, one needs to consider ALL permissions in an object's ACL just like AD does in a real access check.
  • For example, all this while I assumed that since I have Write Property permissions on the member attribute on the Domain Admins Group, I could change the Domain Admins group membership. It turns out that this is not actually true, because as I learnt recently, if there is even 1 Deny permission for some group that denies write-property to the member property, or blanket write-property, or full-control, and I happen to be a member of that group, directly/indirectly, then I will not be able to actually change the Domain Admins group.

In short, I discovered that to find out who can really do what in Active Directory, I need to determine resultant-access / resultant-set-of-permissions (RSOP) in Active Directory, and having tried to do so, I can tell you that it is very difficult to do so.
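To make the point about resultant access concrete, here is an added example (my own illustration, not code from the post or from the Gold Finger product) that models how an AD access check decides whether a principal can write the member attribute of the Domain Admins group. The group nesting, the principal names and the DACL are constructed sample data; the member attribute GUID is the schemaIDGUID published in the AD schema reference. It walks the DACL in Windows canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and reports the deciding ACE, which is the "how" behind the "who". One caveat worth knowing: because of that ordering, an explicit Allow set directly on the object does beat a Deny that is merely inherited from a parent container; only another explicit Deny defeats it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# schemaIDGUID of the "member" attribute, as published in the AD schema reference
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Subset of the AD access-mask bits (ADS_RIGHTS_ENUM); generic bits imply specific ones
WRITE_PROP = 0x00000020
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000


@dataclass(frozen=True)
class Ace:
    ace_type: str                       # "Allow" or "Deny"
    trustee: str                        # principal (user or group) the ACE names
    mask: int                           # access-mask bits granted or denied
    object_type: Optional[str] = None   # attribute GUID for a property-specific ACE; None = all properties
    inherited: bool = False             # inherited from a parent vs. set explicitly on this object


def expand_token(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Principal plus every group it belongs to, directly or through nesting (the access token)."""
    token = {principal}
    pending = [principal]
    while pending:
        current = pending.pop()
        for group, members in groups.items():
            if current in members and group not in token:
                token.add(group)
                pending.append(group)
    return token


def canonical_order(dacl):
    """Windows canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.ace_type != "Deny"))


def covers_write(ace: Ace, attr_guid: str) -> bool:
    """Does this ACE say anything about writing the given attribute?"""
    if ace.object_type not in (None, attr_guid):
        return False            # property-specific ACE for some other attribute
    mask = ace.mask
    if mask & (GENERIC_WRITE | GENERIC_ALL):
        mask |= WRITE_PROP      # generic write / full control include write-property
    return bool(mask & WRITE_PROP)


def can_write_attribute(principal, groups, dacl, attr_guid) -> Tuple[bool, Optional[Ace]]:
    """Resultant access for one write: the first ACE in canonical order that matches the
    token and covers the attribute decides, so a matching explicit Deny on a nested group
    wins over an explicit Allow that names the user directly.
    Returns (allowed, deciding ACE) so the caller can see *how* the result arises."""
    token = expand_token(principal, groups)
    for ace in canonical_order(dacl):
        if ace.trustee in token and covers_write(ace, attr_guid):
            return ace.ace_type == "Allow", ace
    return False, None          # no matching ACE at all: implicit deny


# Constructed sample: nested groups and the DACL on the "Domain Admins" group object
GROUPS = {
    "Temp Admins": {"Helpdesk"},          # Helpdesk is nested inside Temp Admins
    "Helpdesk": {"alice"},
    "Auditors": {"carol"},
    "Domain Admins": {"administrator"},
}

DOMAIN_ADMINS_DACL = [
    Ace("Allow", "alice", WRITE_PROP, MEMBER_ATTR_GUID),      # alice may write "member" ...
    Ace("Deny", "Temp Admins", GENERIC_WRITE),                # ... but her nested group is denied all writes
    Ace("Allow", "bob", WRITE_PROP, MEMBER_ATTR_GUID),
    Ace("Deny", "Auditors", GENERIC_ALL, inherited=True),     # Deny inherited from the parent container
    Ace("Allow", "carol", WRITE_PROP, MEMBER_ATTR_GUID),      # explicit Allow beats the inherited Deny
]


def who_can_change_domain_admins(principals):
    """For each principal: (can change Domain Admins membership?, ACE that decided it)."""
    return {p: can_write_attribute(p, GROUPS, DOMAIN_ADMINS_DACL, MEMBER_ATTR_GUID)
            for p in principals}


if __name__ == "__main__":
    for name, (allowed, ace) in who_can_change_domain_admins(["alice", "bob", "carol", "dave"]).items():
        verdict = "CAN" if allowed else "cannot"
        print(f"{name:6} {verdict} change membership; deciding ACE: {ace}")
```

Run as-is and alice comes out denied (the explicit Deny on Temp Admins decides, even though she has a direct Allow), bob allowed, carol allowed despite the inherited Deny, and dave denied because nothing in the DACL names him.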

If you would like to learn more about this, you can Google "Active Directory Resultant Access".


Why I believe Gold Finger is unique -

It is in this regard that Gold Finger 4.0 comes in the picture.

Based on my research, I have found that Gold Finger 4.0 is the only reporting tool for Active Directory that can correctly determine resultant-set-of-permissions (RSOP) in Active Directory, and show me who really has what access in my Active Directory, and in 4.0, show me the how as well.

Incidentally, it turns out that Gold Finger is designed by a former Microsoft Program Manager for Active Directory Security (author of Microsoft's official delegation white paper) and it is endorsed by Microsoft.


Here's a demo I happened to find on YouTube -



Here's a direct link to the demo on YouTube - Active Directory Resultant Access Assessment/Reporting Tool.

I did extensive research, checked out many tools, ranging from Microsoft's dsget and dsacls to Quest Software's Access Manager, from ScriptLogic's Security Explorer to Manage Engine's AD Manager+. I even checked out dsrazor, Hyena, adfind, and others and I have not found even one other tool that can determine resultant-access in Active Directory.

I was led to all these above-mentioned tools because they claim to show you who has what access, but as I have learnt now, there is a world of difference between who has what access and who has what resultant access, and none of the above-mentioned tools can determine resultant access. They merely show you the who-has-what-access part, leaving us to do ALL the work ourselves.


Speaking of these tools, I should mention that one of the most misleadingly named tools out there is a tool called SolarWinds Permissions Analyzer for Active Directory. That tool has absolutely NOTHING to do with determining who can do what in Active Directory or analyzing Active Directory permissions.


What I found most valuable -

What's really awesome about Gold Finger is that not only does it tell you in plain English who can really do what in your Active Directory, it actually also shows you exactly how they can do so.

For instance, during our eval, it helped me uncover exactly which security permission in the ACL (access control list) on my user account was responsible for one of my co-workers having the ability to reset my password. I have found it to be very useful, because not only can I find out really who has what access, it shows me how that person has this access, and that helps me identify and take away that access that I did not even know he had.

Here is a summary of some of the reports available in Gold Finger

I. 100+ Basic security reports:
  • 50 user account mgmt security reports (e.g. account status, last logons etc.)
  • 20 computer account mgmt security reports (e.g. stale accounts, etc.)
  • 15 group mgmt security reports including nested group memberships etc.
  • 10 OU and container account mgmt security reports
  • 30 Group Policy, Trust, Exchange and Schema mgmt reports
  • 18 AD security permission reports (e.g. who has what permissions where)
 +

II. 100+ Unique resultant-access reports (fully-automated):
  • Who can create/delete user accounts, reset passwords, etc.
  • Who can create/delete computer accounts, change Kerberos settings etc.
  • Who can create/delete security groups, change memberships, etc.
  • Who can create/delete OUs and containers, link and unlink GPOs, etc.
  • Who can create/delete Service Connection Points, modify keywords, etc.

One other thing I should mention is that they seem to have made quite a few UI enhancements in 4.0. For instance, the UI is now re-sizable, has two skins, and allows instant CSV exports of all reports. It also lets you instantly generate professional looking reports with custom titles and fields.

We are still in the midst of evaluating it because we need to be able to audit our AD at all times, and from what we have seen so far, I can tell you that it seems like a must-have tool for Active Directory, because we all absolutely need to know who can do what in our AD.

I highly recommend checking it out if you have a minute. I believe it is available in 4 editions, and I think consultant versions are also available, but I do not know if they have one for their Pro Edition.


In Summary

In summary, based on my extensive research thus far, I have found that with over 100 security reports (that let you do everything from True Last Logon reporting to finding out who has what permissions where in AD), to 100+ unique, essential (and fully-automated) resultant-access reports (that show who really has what access in Active Directory, and how), all made as simple as clicking a button, Gold Finger 4.0 has to be one of the best AD tools and a must-have tool for Active Directory.

Disclaimer - This is merely my opinion. Please do NOT take my word for it but rather try it out for yourself. I believe you can download free 21-day evals from their website.

Here is the link to the tool - http://www.paramountdefenses.com/goldfinger.

You can also just Google "Gold Finger for Active Directory"

+Pros: Resultant-access analysis, Fully-automated accurate resultant-set-of-permissions (RSOP) based access-reporting, Instant Download, Quick Install, No admin permissions needed, Instant reporting, CSV exports, 200+ valuable reports, Custom report generation

-Cons: Not all editions seem to be available in a Consultant version.

Gold Finger Reporting Tool for Active Directory

I am updating this blog after a long time, because after a long time I recently came across a really valuable (and I think one of the best) Active Directory Reporting Tools, called Gold Finger.



I happened to come across it by chance as the other day we had a need to clean up stale accounts in our environments, so I was looking for a tool to do free True Last-Logon reporting, and a Google search for “true last logon reports” led me to this tool.

It is developed by a company called Paramount Defenses, and as per their website is designed by a former Microsoft Active Directory development team member. Interestingly, although it seems to be designed primarily for determining resultant access in Active Directory, it can also generate almost 400 security reports!

Thought I'd try it so I downloaded and installed it on my Dell Vostro (which took about a minute.) The install was easy and it seemed fairly straight-forward to use. I could instantly run reports and it was really fast. Surprisingly though I did not need to run it as a Domain Admin.

What I really liked was that it has virtually every essential Active Directory report one can think of, from account management to security permissions analysis reports! The edition I downloaded had over 50 important accounts reports – enabled accounts, disabled accounts, locked accounts, half a dozen true last-logon reports, expired accounts, deleted accounts, accounts with no passwords etc.

I did not try all the reports but I believe it can also enumerate nested groups. One other thing I really liked is that it also lets you export the results to CSV format and that has turned out to be quite helpful for us in generating our stale account reports.

It also had quite a few other reports including group membership, GPO, OU, Microsoft Exchange Mailbox and Schema reports. I did not try all of them (as there were simply too many to try them all) but I did try the security permission reports and it took less than a minute to show me all users in our domain on which I had Create Child permissions.

One other thing I thought was smart is that in all OU reports, it would automatically display the number of objects in the OU. It also had a cool search utility (oddly called Target Locator) that I could use to perform wildcard searches for accounts, groups, OUs etc. One neat search I could do is enter a SID and find out who it belongs to.

We've been using it for the last few days now and have come to really like it, especially its speed. Basically, it's like having the functionality of many different Active Directory analysis tools in one single fast tool.

If you need to do any sort of user or computer account, security group, security permissions, Exchange mailbox or OU reporting, you should definitely consider getting your hands on it. You can Google “Active Directory Gold Finger” to find it. I have also provided the link below.


+Pros: 400 Active Directory Reports, Instant Download, Quick Install, No admin permissions needed, Instant reporting, CSV exports

-Cons: Not all reports seemed to be exportable to CSV in Free Edition.

Account Lockout Status (LockoutStatus.exe)

Account Lockout Status (LockoutStatus.exe) is a free combination command-line and graphical tool provided by Microsoft that can be used to determine vital domain user account lockout related information in an Active Directory domain.


This tool can be very helpful in obtaining a list of all domain user accounts that might be locked out, and for all locked accounts, obtaining the specific time when the account got locked out. It is thus not only helpful in determining account lockout status but can also be helpful in identifying an unusual number of bad password attempts on any Active Directory accounts and determining when a user last changed their domain user account's password.

One nifty feature is that for all bad password attempts, it also shows on which domain controller these bad password attempts occurred, and this information can be useful for security analysis and forensic purposes.
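The reason a tool like this has to ask every domain controller is that badPwdCount and badPasswordTime are not replicated: each DC keeps its own copy, so a single DC's view understates the attempts and cannot tell you where they happened. As an added illustration (my own sample, not code from Microsoft's tool or from any product mentioned here), the following merges constructed per-DC readings for one account into the kind of summary LockoutStatus presents: the total bad-password count, the DC that saw the most recent failure, and whether the account is still locked. The FILETIME values are constructed so that they decode to 1 and 2 January 1970 UTC.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = (0, 0x7FFFFFFFFFFFFFFF)      # AD uses both values to mean "never"


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert an AD 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    if value in FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


# Constructed sample: the same account as read from three DCs. badPwdCount and badPasswordTime
# are NOT replicated, so each DC holds its own copy; lockoutTime is replicated.
PER_DC = {
    "DC1": {"badPwdCount": 3, "badPasswordTime": 116444736000000000, "lockoutTime": 0},
    "DC2": {"badPwdCount": 0, "badPasswordTime": 0, "lockoutTime": 0},
    "DC3": {"badPwdCount": 5, "badPasswordTime": 116445600000000000, "lockoutTime": 116445600000000000},
}


def lockout_summary(per_dc: Dict[str, dict], lockout_duration: timedelta, now: datetime) -> dict:
    """Merge per-DC readings: total the bad-password counters, find the DC that saw the most
    recent failure, and decide whether the account is currently locked. lockoutTime stays set
    until the next successful logon, so "locked now" also requires that the domain's lockout
    duration has not yet elapsed."""
    total_bad = sum(r["badPwdCount"] for r in per_dc.values())

    latest_dc, latest_time = None, None
    for dc, r in per_dc.items():
        t = filetime_to_datetime(r["badPasswordTime"])
        if t is not None and (latest_time is None or t > latest_time):
            latest_dc, latest_time = dc, t

    lockout_times = [filetime_to_datetime(r["lockoutTime"]) for r in per_dc.values()]
    lockout_times = [t for t in lockout_times if t is not None]
    locked_at = max(lockout_times) if lockout_times else None
    locked_now = locked_at is not None and now < locked_at + lockout_duration

    return {
        "total_bad_password_attempts": total_bad,
        "per_dc_bad_password_count": {dc: r["badPwdCount"] for dc, r in per_dc.items()},
        "last_bad_password_dc": latest_dc,
        "last_bad_password_time": latest_time,
        "locked_at": locked_at,
        "locked_now": locked_now,
    }


if __name__ == "__main__":
    # Constructed "now": ten minutes after DC3 recorded the lockout, with a 30-minute lockout duration
    now = datetime(1970, 1, 2, 0, 10, tzinfo=timezone.utc)
    for key, value in lockout_summary(PER_DC, timedelta(minutes=30), now).items():
        print(f"{key}: {value}")
```

A spike in the per-DC counts on one DC, with the failures clustered in time, is exactly the pattern worth a second look in the security log of that DC; the summary tells you which one to open.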

However, as you might imagine, it can only do account lockout reporting, so it's a bit of an overkill to use an entire tool just for a few reports. In that regard, I found the Microsoft-endorsed tool, Gold Finger, to be much more useful, because I could generate not only account lockout reports but almost 100 other useful reports (e.g. true last logon reports, password expiration reports, complete nested group membership lists, detailed security permissions analysis etc.), all from a single tool and UI.

By the way, here's a helpful illustration of Gold Finger's superior reporting capabilities -


(In case you wish to watch it in full size, here's the direct link to the video on You Tube - Active Directory Security Reporting/Audit Tool/Solution)

All in all, LockoutStatus can certainly help you obtain insight into account lockout information which could help you service account lockouts quickly and in other cases possibly detect and address suspicious activity on your network.

+Pros: Free, Provided by Microsoft, Combination command-line and GUI, Takes multiple DCs into account.

-Cons: Usage is limited to account lockout specific reporting, no CSV generation, no neatly formatted report generation capabilities

Recommendations - I recommend trying the Gold Finger tool instead, as it provides a single point of control for anything and everything you need to know about Active Directory security.

AloInfo.exe

AloInfo.exe is a free command-line tool provided by Microsoft that can be used to determine the password age of all domain user accounts in an Active Directory domain.


This can be helpful in situations where you’re trying to obtain a list of all domain user accounts whose password might be about to expire, perhaps to inform them, or to take some other administrative action, or to troubleshoot frequent account lockout issues.

The tool is rather easy to use, and the following is its usage -

aloinfo /expires /server:<Domain_Controller_Name>

Interestingly, one other use of this tool is that it can be used to obtain a list of all local services and startup account information for a user who is currently logged on.

By the way, here's a helpful tip. If you ever need insight into when a user's password is scheduled to expire, or when a user last logged on, or when the user's account expires, or what groups a user is a member of, or where all a user has permissions in Active Directory, or the like, then I highly suggest checking out the Microsoft-endorsed Gold Finger reporting solution.

In fact, here's a quick video that shows its awesome reporting capabilities -

( In case you wish to see the video in its full resolution, here's the link to it on YouTube - Active Directory Security Reporting/Audit Tool/Solution. )


+Pros: Free, Can be pointed at a specific Domain Controller, Can help identify accounts whose password might be about to expire

-Cons: Provides console output, Can’t generate presentable reports, No CSV output

Recommendation: Check out Gold Finger as well. Pretty cool: over 200 security reports (e.g. account mgmt, true last logon, nested group memberships) and access reports etc. + a slick inbuilt AD search utility, in one tool.

Active Directory Administrative Center

Active Directory Administrative Center is essentially the new administration interface for Active Directory that provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI).


It comes standard with Windows Server 2008 R2 and it can be used to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. It is meant to be the replacement for the Active Directory Users and Computers (ADU&C) Snap-In and it certainly offers an enhanced management experience for IT administrators.

It can be used to manage domain user and computer accounts, domain security groups and of course Organizational Units and containers. It can also be used to filter data by using query-building search.

One of the key benefits of the Active Directory Administrative Center is that it can be used to manage objects across multiple domains, as long as they belong to the same Active Directory forest, or there exists a trust path between the local and the target domain.

One neat new feature of the Active Directory Administrative Center is the breadcrumb bar, which can be used to directly enter the location of a specific Active Directory object, so that you can directly navigate to that object.

Another neat feature is that it can be used to query the Active Directory based on richer criteria, such as finding a list of locked user accounts. It however falls short in providing accurate information on last logons, as it does NOT query each DC, but instead relies on the approximation method which is based on the lastLogonTimeStamp attribute.

Although Active Directory Administrative Center is not big on reports, I have found that when you complement it with a dedicated Active Directory reporting tool, such as the Microsoft-endorsed Gold Finger, you can have a complete (well, almost) Active Directory management and reporting solution at your disposal.

In fact, I have found Gold Finger to be so helpful that I thought I'd share a video of its awesome reporting capabilities with you -


( In case you wish to see this on YouTube, here's the link - Active Directory Security Reporting/Audit Tool/Solution )

You can open the Active Directory Administrative Center in one of two ways - you can either click Start, then select Administrative Tools, then click on Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.exe.

It however can currently only run on the Windows Server 2008 R2 operating system (and on Windows 7 clients using RSAT), and it cannot be used to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.

It is not without its downsides however, in that it cannot be used to generate pretty-printed reports which might be needed for security audits and compliance reporting, as the best one can do is perhaps export to CSV. Here is another area where Gold Finger perfectly complements the Active Directory Administrative Center.

Also, because under the hood the Active Directory Administrative Center is powered by PowerShell, while it is certainly more powerful than its predecessor, the Active Directory Users and Computers MMC Snap-In, it can be sluggish at times.

In summary, the Active Directory Administrative Center is the first major revision to the Active Directory data management tools since the initial release of Active Directory way back in 2000. It certainly offers numerous visual and capability enhancements, but it is neither intended to nor able to replace the need for dedicated/advanced Active Directory reporting tools.

+ Pros: Free, Offers Multi-domain Active Directory data management, provides basic Active Directory querying capabilities, enables instant navigation to an Active Directory object, Can generate simple account management type reports


- Cons: Limited in its ability to generate custom (advanced) IT management and security reports (e.g. True Last Logons etc), Currently only runs on Windows Server 2008 R2 and Windows 7 (using RSAT), Relies on PowerShell

Download Point: Ships along with Windows Server 2008 R2, so will be automatically available when you DCPROMO the Windows Server 2008 R2 machine. Alternatively, you can download and install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or a Windows 7 machine.

Recommendation: For a well-rounded solution, you may wish to consider complementing the management capabilities of Active Directory Administrative Center with the reporting capabilities of a dedicated Active Directory reporting solution, such as Gold Finger.

Useful Active Directory Reporting Tools

This is a blog on Free as well as useful Active Directory Reporting Tools. It covers some Active Directory reporting tools that are free and others that are not free but very useful as well. These Active Directory tools can help IT administrators and Network Engineers in day-to-day Active Directory management and reporting.

ADFind

ADFind is a helpful Active Directory search utility that you can use to query the Active Directory. It is developed by Joe Richards, an IT admin who is also a Microsoft MVP who runs ActiveDir.org.

It can be used to query the Active Directory for user accounts, groups, OUs, containers, Schema elements and other resources based on a variety of advanced search criteria. It is a command-line tool and once you have learnt its command line options, it is rather easy to use.


ADFind is a helpful AD search tool and it runs on numerous operating systems ranging from Windows XP to Windows Server 2008. Although LDP.exe can do everything ADFind can, the advantage of AdFind is that it can be run from the command-line. The only noticeable downside is that it is not supported.

Personally, I prefer Gold Finger instead, because it is vastly superior and substantially more capable, has so many more (200+) reports (e.g. most account and group mgmt reports, true last logon reports, ACL reports, Exchange reports etc.) in one tool, and because it also has an inbuilt search utility and lets you export both search and report results, all from a clean minimalistic interface.

By the way, here's a quick helpful video of the Microsoft-endorsed Gold Finger reporting solution for Active Directory -


( Also, in case the video here doesn't work, here's the link to it on YouTube - Active Directory Security Reporting/Audit Tool/Solution )

+ Pros: Free, Command-line, Can be used for most advanced LDAP querying and reporting as long as you know LDAP, Portable

- Cons: Unsupported, No advanced reports such as True-Last-Logon etc., Not sure how secure it is, or if it is signed.

Windows Powershell

Windows Powershell is a free, extensible automation engine from Microsoft, consisting of a command-line shell and associated scripting language.

It is NOT (repeat it is not) a TOOL.

It is an automation engine that relies on the Microsoft .NET Framework and involves the execution of cmdlets which are basically specialized .NET classes which implement specific operations.

It can however be used to perform a variety of functions on the Windows Platform. It can also be used to query data from Active Directory and to perform common day-to-day aspects of AD management.



One advantage of using Powershell is that it makes it easy for IT admins to derive greater value out of their efforts in scripting so they can automate (at least parts of) common day-to-day IT management and reporting tasks. It also lets IT admins leverage the work of other admins as these scripts can be shared with the community.

The disadvantage of PowerShell is that it relies largely on the development of scripts and even though it makes it easier to derive greater value from scripts, it certainly leaves the possibility of human error. It also takes additional effort to generate reports that are in a presentable fashion and decent enough for submission for any audit or as regulatory compliance evidence.

+ Pros: Free, Can be used to simplify day-to-day IT management tasks and perform basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon), Relies on scripts which can be prone to human-error, Relies on executing code written by someone else in a trusted environment

# Download Point: To install Powershell, you need to download and install the Windows Powershell Installation Package

dsacls

DsAcls is a free command-line utility provided by Microsoft that can be used to view and change security permissions on Active Directory objects.

For all practical purposes, it is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers.

It can be used to view the DACL of any Active Directory object. It can also be used to add a new permission or remove an existing permission from an Active Directory object.

Tip: If you are looking for a tool that can help you find out who all has permissions in Active Directory, or where all a user or group has specific permissions in Active Directory, I've found the Gold Finger reporting tool for Active Directory to be the best one by far. We have been using it to find out where all our Temp Admin groups have write-property permissions in our AD.

Here's a quick video of the super helpful Microsoft-endorsed Gold Finger reporting solution for Active Directory -



In case the video above isn't clear enough, you can watch it on YouTube at - Active Directory Security Reporting/Audit Tool/Solution

+ Pros: Free, Can be used to view and modify the security permissions on a single Active Directory object

- Cons: Cannot be used to identify where all a user/group might have permissions in Active Directory

dsrevoke

Dsrevoke is a command-line tool that can be used to identify the location of all permissions that may be specified for a specific user or group in a domain. It can also be used to remove all permissions specified for a particular user or group on OU objects as long as they are explicit in nature.


It was primarily provided by Microsoft to complement the functionality provided by Microsoft's Delegation of Control Wizard, which can be accessed from the Microsoft Active Directory Users and Computers (ADU&C) Snap-in and which is used to delegate administrative authority.

dsrevoke complements ADU&C by providing the ability to revoke delegated administrative authority. If you are looking to find out where all a user or group has permissions though, you'd be better off using Gold Finger instead as it could help scour your entire domain or any OU for permissions granted to any user/group in no time.
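The "where all does this user or group have permissions" question that dsrevoke answers is the enumeration side of the distinction drawn in the Gold Finger post above (who has what access, as opposed to who has what resultant access). As an added illustration, not the post's own code or anything from dsrevoke or Gold Finger, the following scans a small constructed directory (DNs, trustees and ACEs are all sample data) for every ACE that names a principal or any group it belongs to through nesting. The two optional filters model the limits the post describes for dsrevoke, which works on OU objects and explicit ACEs; with the defaults the scan covers inherited ACEs and non-OU objects too.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample directory: DACL per object DN, ACEs as (type, trustee, right, inherited)
DACLS: Dict[str, List[Tuple[str, str, str, bool]]] = {
    "OU=Sales,DC=corp,DC=example": [
        ("Allow", "Temp Admins", "WriteProperty", False),
        ("Allow", "Helpdesk", "ResetPassword", False),
    ],
    "OU=Staff,OU=Sales,DC=corp,DC=example": [
        ("Allow", "Temp Admins", "WriteProperty", True),       # inherited from OU=Sales
    ],
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        ("Allow", "Helpdesk", "WriteProperty", False),          # on a group object, not an OU
    ],
}

# Constructed group nesting: alice -> Helpdesk -> Temp Admins
GROUPS: Dict[str, Set[str]] = {"Temp Admins": {"Helpdesk"}, "Helpdesk": {"alice"}}


def token_of(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group reached through nested membership."""
    token, pending = {principal}, [principal]
    while pending:
        current = pending.pop()
        for group, members in groups.items():
            if current in members and group not in token:
                token.add(group)
                pending.append(group)
    return token


def where_has_permissions(principal: str, groups=GROUPS, dacls=DACLS,
                          ous_only: bool = False, explicit_only: bool = False):
    """Every ACE in the directory naming the principal or one of its nested groups.
    ous_only / explicit_only reproduce the two limits described for dsrevoke: only OU objects,
    only explicit ACEs. Returns (dn, ace_type, trustee, right, inherited) tuples."""
    token = token_of(principal, groups)
    hits = []
    for dn, dacl in dacls.items():
        if ous_only and not dn.upper().startswith("OU="):
            continue
        for ace_type, trustee, right, inherited in dacl:
            if explicit_only and inherited:
                continue
            if trustee in token:
                hits.append((dn, ace_type, trustee, right, inherited))
    return hits


if __name__ == "__main__":
    print("full scan:")
    for hit in where_has_permissions("alice"):
        print("  ", hit)
    print("OUs and explicit ACEs only (dsrevoke-style):")
    for hit in where_has_permissions("alice", ous_only=True, explicit_only=True):
        print("  ", hit)
```

Comparing the two listings for alice shows what an OU-only, explicit-only scan misses: the inherited ACE on the child OU and the ACE sitting on the Domain Admins group object itself. Note that this listing is still not resultant access: it never weighs Deny ACEs against Allow ACEs, which is the separate step the earlier post describes.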

+ Pros: Free, Can be used to find out where all a user or group has permissions specified in AD OUs

- Cons: Severely limited in its ability to find out where else a user/group has permissions, and/or identify where all a user/group has what type of permissions

LDP.exe for Active Directory

Microsoft also provides a free Windows 2000 Support Tools utility called LDP.exe which can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given specific search criteria.

LDP can be used to perform advanced LDAP queries against Active Directory, use a variety of LDAP controls, specify advanced connection, binding and search result options and view objects, object meta-data and raw Security Descriptors as well.

One advantage of LDP is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can be used to specify and execute any valid LDAP query and thus generate reports which are more advanced than those generated via the standard Administrative MMC tools provided by Microsoft Windows Server. It can be used to generate advanced time-based reports as well but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions etc.

Tip: I first looked for ldp in the hope of being able to find which users have restricted logon hours specified in our AD. Unfortunately, I could not do so with LDP, since analyzing logon-hours takes a bit more work. I however came across the Gold Finger reporting tool for AD, and finding out who has specific logon-hours specified has been a breeze with it. (Gold Finger is a nifty AD reporting tool with over 200 built-in reports including resultant-set-of-permissions reports.) I would highly recommend trying it out, especially if you're pressed for time, and need a quick way to run security reports in AD.
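Two of the "bit more work" items this post and the Administrative Center post above touch on are the 64-bit time conversion needed for true last logon and the decoding of the logonHours bitmask. The following is an added example of both (my own code, not from LDP, Gold Finger or any other tool mentioned here), run over constructed sample accounts: lastLogon is not replicated, so the true value is the newest lastLogon across every DC, whereas lastLogonTimestamp is replicated but only refreshed when it is stale (14 days by default), which is why it is only an approximation. For logonHours, the attribute is 21 bytes = 168 hour bits, an absent attribute or all bits set means no restriction, and the bit-to-hour mapping used here (Sunday 00:00 UTC first, least-significant bit first) is the documented one; treat the mapping as an assumption if you need exact hours, since the restricted/unrestricted verdict does not depend on it.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """AD 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) -> datetime; 0 / max mean 'never'."""
    if value in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def true_last_logon(last_logon_per_dc: Dict[str, int],
                    last_logon_timestamp: int) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (true last logon, replicated approximation). The true value is the newest
    lastLogon across all DCs; the approximation is the replicated lastLogonTimestamp."""
    values = [filetime_to_datetime(v) for v in last_logon_per_dc.values()]
    values = [v for v in values if v is not None]
    return (max(values) if values else None), filetime_to_datetime(last_logon_timestamp)


def decode_logon_hours(logon_hours: Optional[bytes]) -> Optional[Set[Tuple[int, int]]]:
    """Decode the 21-byte logonHours bitmask into the set of permitted (day, hour) slots,
    day 0 = Sunday, hours in UTC, least-significant bit first (assumed mapping, see lead-in).
    Returns None when the attribute is absent, which means no restriction at all."""
    if logon_hours is None:
        return None
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes (168 hour bits)")
    allowed = set()
    for byte_index, byte in enumerate(logon_hours):
        for bit in range(8):
            if (byte >> bit) & 1:
                slot = byte_index * 8 + bit
                allowed.add((slot // 24, slot % 24))
    return allowed


def has_restricted_logon_hours(logon_hours: Optional[bytes]) -> bool:
    """True when at least one hour of the week is disallowed."""
    return logon_hours is not None and any(b != 0xFF for b in logon_hours)


# Constructed sample accounts (FILETIME values chosen to decode to 1970-01-01 / 1970-01-02 UTC)
SAMPLE_USERS = {
    "alice": {"lastLogon": {"DC1": 0, "DC2": 116444736000000000, "DC3": 116445600000000000},
              "lastLogonTimestamp": 116444736000000000,
              "logonHours": b"\x01" + b"\x00" * 20},        # only Sunday 00:00-01:00 UTC permitted
    "bob":   {"lastLogon": {"DC1": 0, "DC2": 0, "DC3": 0},
              "lastLogonTimestamp": 0,
              "logonHours": None},                           # never restricted, never logged on
}


def restricted_hours_report(users=SAMPLE_USERS):
    """Names of accounts with restricted logon hours: the report the tip above was after."""
    return sorted(name for name, attrs in users.items()
                  if has_restricted_logon_hours(attrs["logonHours"]))


if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        true_value, approx = true_last_logon(attrs["lastLogon"], attrs["lastLogonTimestamp"])
        print(f"{name}: true last logon {true_value}, lastLogonTimestamp says {approx}")
    print("restricted logon hours:", restricted_hours_report())
```

For alice the true last logon (2 January) is a day later than what lastLogonTimestamp reports, which is exactly the gap a stale-account clean-up based on the replicated attribute alone would get wrong.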

All in all, it's a good tool to have and use if you want to look under the hood of your Active Directory.

+ Pros: Free, Can be used for advanced LDAP querying and basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon)

Standard Microsoft Active Directory Management Tools

Microsoft Windows Server ships with a standard set of Microsoft Management Console (MMC) Snap-Ins that can be used to manage various aspects of Active Directory, including managing your OU hierarchy, implementing your delegation model, and creating, modifying and managing the life-cycle of user accounts and security groups.

  

There are four MMC Snap-Ins that can help you manage various aspects of AD -

  1. Active Directory Users and Computers Snap-In - This MMC snap-in, also known as ADU&C, is the main tool used to create and manage your Active Directory hierarchy, create and delete OUs and containers, and create and manage user accounts, security groups and other IT resources.
  2. Active Directory Domains and Trusts Snap-In - This snap-in is used to establish, configure and manage trust relationships between various domains and forests. You can use it to create shortcut trust relationships, external trust relationships, and cross-forest trust relationships as well.
  3. Active Directory Sites and Services Snap-In - This snap-in is used to define, configure and maintain Active Directory sites, subnets, site-to-subnet mappings and perform other tasks related to site and subnet management.
  4. ADSIEdit.msc - This is a special and very handy snap-in that can be used to access and edit all attributes of all objects in Active Directory. It is particularly helpful if you wish to make modifications to uncommon attributes, and/or create a new object of any of the classes defined in the Schema.
If you're an IT administrator responsible for AD management, then you probably already know about the common set of administrative tools that ship with Windows Server, but nonetheless, thought of mentioning them here for anyone starting out in AD administration.

+ Pros: Free, Come with Windows, Can be used for AD management, Good for Basic Search and Reporting

- Cons: Very limited in their ability to generate advanced and/or custom management and security reports

# Download Point: To install these tools, you need to download and install the Windows Server 2003 Administration Tools Pack