Windows PowerShell is a free, extensible automation engine from Microsoft, consisting of a command-line shell and an associated scripting language.
It is NOT (repeat it is not) a TOOL.
It is an automation engine that relies on the Microsoft .NET Framework and executes cmdlets, which are specialized .NET classes that implement specific operations.
It can however be used to perform a variety of functions on the Windows Platform. It can also be used to query data from Active Directory and to perform common day-to-day aspects of AD management.
One advantage of using Powershell is that it makes it easy for IT admins to derive greater value out of their efforts in scripting so they can automate (at least parts of) common day-to-day IT management and reporting tasks. It also lets IT admins leverage the work of other admins as these scripts can be shared with the community.
The disadvantage of PowerShell is that it relies largely on the development of scripts and even though it makes it easier to derive greater value from scripts, it certainly leaves the possibility of human error. It also takes additional effort to generate reports that are in a presentable fashion and decent enough for submission for any audit or as regulatory compliance evidence.
In my research, I have found that the disadvantages of PowerShell can be made up with a good Active Directory Audit/Reporting Tool. However, there are many Active Directory reporting tools out there and it is difficult to select one that's right for you. In case it helps, I've found the best collection of Active Directory security tools here.
+ Pros: Free, Can be used to simplify day-to-day IT management tasks and perform basic AD reporting
- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon), Relies on scripts which can be prone to human-error, Relies on executing code written by someone else in a trusted environment
# Download Point: To install PowerShell, you need to download and install the Windows PowerShell Installation Package
Summary: PowerShell for Windows is very powerful and can certainly help automate basic Active Directory reporting needs. However, there are still some things that are very difficult to do with PowerShell, such as how to correctly audit Active Directory permissions.
Helpful Reviews of Useful and/or Free Reporting / Management Tools for Microsoft Active Directory (AD)
This is a blog on the best Microsoft Active Directory Tools that can help you perform an Active Directory Audit, an Active Directory Security Audit, Active Directory Security Auditing, an Active Directory Risk Assessment, and audit delegated administrative access rights in Active Directory.
LDP.exe for Active Directory
Microsoft also provides a free Windows 2000 Support Tools utility called LDP.exe which can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given specific search criteria.
LDP can be used to perform advanced LDAP queries against Active Directory, use a variety of LDAP controls, specify advanced connection, binding and search result options and view objects, object meta-data and raw Security Descriptors as well.
One advantage of LDP is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.
LDP can be used to specify and execute any valid LDAP query and thus generate reports which are more advanced than those generated via the standard Administrative MMC tools provided by Microsoft Windows Server. It can be used to generate advanced time-based reports as well but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions etc.
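The 64-bit time conversions mentioned above, and the "True Last Logon" report listed under Cons, can be scripted as follows. This is an added example, not code from the original post or from Microsoft; the function names, domain controller names and timestamp values are constructed for illustration.

```powershell
# Added example. All values below are constructed; no directory connection is made.

# AD stores lastLogon, lastLogonTimestamp, pwdLastSet and accountExpires as a
# 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory)][long]$Value)
    # 0 means "never set"; Int64.MaxValue is the "never" marker on accountExpires.
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

# LDAP filter for "user accounts with no replicated logon in the last N days".
# This is the string you would otherwise assemble by hand for an LDP search.
function New-StaleLogonFilter {
    param([int]$Days = 90, [DateTime]$Now = [DateTime]::UtcNow)
    $threshold = $Now.AddDays(-$Days).ToFileTimeUtc()
    "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$threshold))"
}

# lastLogon is not replicated between domain controllers, so the true last
# logon is the newest value held by any one of them.
function Get-TrueLastLogon {
    param([Parameter(Mandatory)][hashtable]$LastLogonByDc)
    $best = $null
    foreach ($dc in $LastLogonByDc.Keys) {
        $when = ConvertFrom-AdFileTime -Value $LastLogonByDc[$dc]
        if ($null -ne $when -and ($null -eq $best -or $when -gt $best.WhenUtc)) {
            $best = [pscustomobject]@{ DomainController = $dc; WhenUtc = $when }
        }
    }
    $best
}

# Constructed per-DC lastLogon values for one account (hypothetical DC names).
$utc = [DateTimeKind]::Utc
$sample = @{
    'dc1.example.test' = [DateTime]::new(2024, 3, 1, 8, 15, 0, $utc).ToFileTimeUtc()
    'dc2.example.test' = [DateTime]::new(2024, 3, 9, 17, 40, 0, $utc).ToFileTimeUtc()
    'dc3.example.test' = 0L   # never authenticated against this DC
}

Get-TrueLastLogon -LastLogonByDc $sample
New-StaleLogonFilter -Days 90
```

Accounts that have never logged on have no lastLogonTimestamp value at all, so the filter above does not return them; they need a separate absence check.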
Tip: I first looked for ldp in the hope of being able to find which users have restricted logon hours specified in our AD. Unfortunately, I could not do so with LDP, since analyzing logon-hours takes a bit more work.
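The extra work that logon-hours analysis needs is decoding the logonHours attribute itself: an LDAP presence filter such as `(logonHours=*)` only shows that the attribute is set, not whether any hour is actually blocked. The sketch below is an added example, not part of the original post; the function names and the sample bitmap are constructed.

```powershell
# Added example. The sample bitmap is constructed; no directory connection is made.

# logonHours is a 21-byte bitmap: 7 days x 24 hours, one bit per hour, starting
# Sunday 00:00 UTC, least-significant bit first within each byte.
function ConvertFrom-LogonHours {
    param([byte[]]$LogonHours)
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return }  # attribute absent
    if ($LogonHours.Length -ne 21) {
        throw "logonHours must be 21 bytes, got $($LogonHours.Length)"
    }
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        $allowed = @()
        for ($h = 0; $h -lt 24; $h++) {
            $bit = $d * 24 + $h
            if ($LogonHours[$bit -shr 3] -band (1 -shl ($bit -band 7))) { $allowed += $h }
        }
        [pscustomobject]@{ Day = $days[$d]; AllowedHoursUtc = $allowed }
    }
}

# An account is restricted only if at least one of the 168 bits is cleared.
# An absent attribute, or 21 bytes of 0xFF, both mean "any time".
function Test-LogonHoursRestricted {
    param([byte[]]$LogonHours)
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return $false }
    @($LogonHours | Where-Object { $_ -ne 0xFF }).Count -gt 0
}

# Constructed sample: Monday to Friday, 08:00 to 17:59 UTC.
$sample = New-Object byte[] 21
foreach ($d in 1..5) {
    foreach ($h in 8..17) {
        $bit = $d * 24 + $h
        $sample[$bit -shr 3] = $sample[$bit -shr 3] -bor (1 -shl ($bit -band 7))
    }
}
$unrestricted = [byte[]](,0xFF * 21)

Test-LogonHoursRestricted -LogonHours $sample
Test-LogonHoursRestricted -LogonHours $unrestricted
ConvertFrom-LogonHours -LogonHours $sample | Where-Object { $_.AllowedHoursUtc.Count -gt 0 }
```

The bitmap is stored in UTC while the account properties dialog shows local time, so decoded hours must be shifted by the local offset before comparing them with what an administrator entered.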
All in all, it's a good tool to have and use if you want to look under the hood of your Active Directory. Another helpful tool to consider if you need to perform advanced AD security analysis is this one.
+ Pros: Free, Can be used for advanced LDAP querying and basic AD reporting
- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon)
> Download: ldp.exe is a part of the Windows Server 2003 Service Pack 2 32-bit Support Tools set and can be downloaded from here.

