Forest Level Reporting With Active Directory Reporting Tool

Forests are at the top of the Active Directory hierarchy. Forests comprise within themselves one or more domain trees (independent or interdependent) administered by a common schema. Usually a networking infrastructure contains in it a Forest at the top level. The objects within the Forests are controlled by the Forest Root Domain, created initially when the Active Directory is installed for the first time. With companies operating across geographies, the Active Directory has expanded rapidly resulting in the Forests’ topology becoming increasingly complex. To administer an Active Directory infrastructure with multiple forests spread across geographies is no easy task. Imagine the volume of data that would be generated or the number of individual entities that have to be looked at.

Admin Report Kit for Active Directory (ARKAD) has in it numerous out-of-the-box reports that present a bird’s eye view of the Active Directory topology at a Forest Level. Through these reports, ARKAD allows administrators to generate reports across multiple domains and take stock of the entire forest.

Domain Reports-Forest Level:

Domain Reports at a Forest level gives information about the various properties of domains within a forest. The domain controllers within the respective domains and the trust relationships (trusting or trusted) prevailing between them are also reported. The administrator corresponding to each domain, their permissions and the security settings are some of the other significant information reported at a forest level. Auditing information corresponding to the changes made within the domain can be viewed under ‘Auditing’ report. The Group Policy report gives information about the group policies that are applicable to the corresponding domains. The ‘Delegated Permissions’ report gives an insight on the users with their delegated tasks within the domain.

Site Reports-Forest Level:

Site Reports at a Forest level provides configuration settings corresponding to sites within a forest. The location of the sites and their created and modified dates are reported in the ‘Location’ and ‘Object’ reports respectively. The ‘Security’ and ‘Auditing’ reports give information about the permissions associated with the sites and their auditing information respectively. The Group Policy Objects linked to the corresponding sites is reported in the ‘Group Policy’ report. The ‘Delegated Permissions’ reports users with delegated tasks within the sites.

Group Reports-Forest level:

Forest Level Group Reports provide information about various group settings corresponding to groups within a forest. Information about the members within the groups and the membership details of groups themselves are reported in ‘Member’ and ‘Member Of’ reports corresponding to the Forest. The created date and modified date values and details of the administrators managing the groups are also displayed. The Permissions associated with the members of the group and the auditing information are other relevant information reported. The ‘Deleted Object’ report displays information on the groups recently deleted.

User Reports-Forest Level:

Forest Level User reports enumerate the Users and their account information associated with the domains within a forest. The User display names, address, account details, profile path, telephone numbers, organization and position related details are effectively reported. The users’ membership details are also reported. Created Date and Modified date field values are displayed. The Permissions granted, their type along with the auditing information is retrieved in the ‘Security’ and ‘Permissions’ reports. The Last logon date of the corresponding user account and other relevant information such as Password Last Set date, Password expiration date etc. are reported in the ‘Additional Account Info’ report. The Password Settings Objects policies (applicable to Windows 2008 Domain Controllers) defined for users within the forest and the precedence level of such policies can be viewed under ‘Effective PSO (Win 2008)’. The deleted user accounts within the forest are reported under ‘Deleted Objects’ report.

Contacts reports-Forest Level:

Contact reports are similar to the User reports and display information about the Contacts corresponding to the forest. The Contact information such as display names, address, telephone numbers, organization and position held are some of the relevant information reported. The Membership details of contacts are also reported. The Created Date and Modified date values are some of the other significant information reported in ‘Object’ report. The Permissions defined against the Contacts and the auditing information are displayed under ‘Security’ and ‘Auditing’ reports. The information about deleted contacts and their last known parent are reported in ‘Deleted Objects’ report.

Group Policy Object reports-Forest Level:

Group Policy Objects reports display information about the various Grouped Policy Objects within the forest. The details of Group Policy Objects linked with various objects within the forest are reported under ‘Links’ report. The objects that are connected to various GPOs and the corresponding details are reported in the ‘SOM Links’ report. The Security settings corresponding to each object, auditing information associated and related comments are retrieved for the administrator through the ‘Security Filtering’, ‘Security’ and ‘Auditing’ reports. ‘Deleted Objects’ reports deleted Group Policy Object corresponding to the forest.

Consider an example where the administrator wishes to generate a report on Trust relationships across various domains within a forest. Generating this report manually would be a cumbersome process.

Lets see how ARKAD does this with considerable ease. The following screenshot shows the Trust Relationship across domains within a forest.