How to pull Active Directory reports

Posted by AlbusBit on October 20, 2022 · 12 min read

The need for Active Directory reporting

Do you want to see what is happening in your Active Directory domain? Is your manager asking, "How many enabled users do we have in our domain?" Do you want to check whether all former employees are disabled, or see what information is stored in your Active Directory domain?


Why it's not that simple

These are usually questions for which we want to find answers quickly. We don't want to spend a lot of time writing PowerShell scripts, or, if we're not familiar with it yet, spend weeks learning it.

Active Directory contains a lot of information, so it can get overwhelming if that information is not categorized and translated into human-readable formats. For example, the value of the UserAccountControl attribute is a bit field that can contain multiple flags, each with its own meaning. A hexadecimal value of 0x0202 indicates that this is a normal user and the account is disabled (0x0200 NORMAL_ACCOUNT plus 0x0002 ACCOUNTDISABLE). You should not have to decode each of these values by hand to understand what is in them. You can view all the flags and their values here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties. There are many such attributes whose values are not simply textual or boolean.
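As an added example (not part of the original post and not AD FastReporter code), the following PowerShell decodes userAccountControl values into flag names and counts the enabled accounts. The account names and values are constructed sample data, and the flag table is a subset of the values in the Microsoft article linked above.

```powershell
# Subset of the flag values listed in Microsoft's UserAccountControl article.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    LOCKOUT                   = 0x0010
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    DONT_EXPIRE_PASSWORD      = 0x10000
    SMARTCARD_REQUIRED        = 0x40000
    TRUSTED_FOR_DELEGATION    = 0x80000
    DONT_REQ_PREAUTH          = 0x400000
    PASSWORD_EXPIRED          = 0x800000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Collect the name of every known flag whose bit is set.
    $names = @(foreach ($f in $UacFlags.GetEnumerator()) {
        if ($Value -band $f.Value) { $f.Key }
    })
    # Report bits that are set but not in the table instead of dropping them.
    $known = 0
    foreach ($v in $UacFlags.Values) { $known = $known -bor $v }
    $rest = $Value -band (-bnot $known)
    if ($rest) { $names += ('UNKNOWN(0x{0:X})' -f $rest) }
    [pscustomobject]@{
        Hex     = '0x{0:X4}' -f $Value
        Enabled = -not ($Value -band $UacFlags.ACCOUNTDISABLE)
        Flags   = $names -join ', '
    }
}

# Constructed sample rows (not real accounts).
$sample = @(
    @{ Name = 'alice';      Uac = 512 }      # 0x0200
    @{ Name = 'bob';        Uac = 514 }      # 0x0202, the value from the text
    @{ Name = 'svc-backup'; Uac = 66048 }    # 0x10200
    @{ Name = 'dave';       Uac = 544 }      # 0x0220
)

$report = foreach ($row in $sample) {
    $d = ConvertFrom-UserAccountControl -Value $row.Uac
    [pscustomobject]@{ Name = $row.Name; Hex = $d.Hex; Enabled = $d.Enabled; Flags = $d.Flags }
}
$report | Format-Table -AutoSize
'Enabled users: {0}' -f @($report | Where-Object Enabled).Count
```

Accounts that decode to PASSWD_NOTREQD or DONT_EXPIRE_PASSWORD, such as the last two sample rows, are the kind of entries worth a closer look during a review.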

Sometimes you do not have administrative privileges to get access to the Windows Server built-in tools to even see this data.

How do I get these reports fast?

Active Directory data can be read using the LDAP protocol and the Windows API. On the internet, you can find a handful of tools that take advantage of these methods. Half of them were developed more than 20 years ago and have not been updated for many years. Most of the rest are available only as part of big, expensive all-in-one products.

There is one tool that has been built to answer our question: how to pull Active Directory reports. AD FastReporter is lightweight and can generate your Active Directory reports in a couple of seconds.

We have prepared a test environment with Active Directory and 130,000 user objects. It's a bit old, Windows Server 2012 R2, but that doesn't change the point. It also works with the latest Windows Server 2022. Let's see how we can quickly generate some basic reports and export them.

How to get all users from your AD domain and export to Excel

First, download the free version from the website here. You can safely install AD FastReporter Free on your workstation; you don't need to install it on a server, and we don't even recommend it. It should look like this when you run it.

On the left, you can see the full list of built-in report forms. Under "Generic", select the "All users" report form. You can add any field you need from the list of available fields.

When all the necessary fields have been added, press Generate, and depending on the number of added fields and the number of objects in your domain, the report will be ready within a few seconds to several minutes. In our example, it took 36 seconds.

Unfortunately, it is not possible to export with the Free version, but here we can see the data in this table view.

To export the report to CSV, Excel (XLSX), and HTML formats, you can purchase the Pro version.

Exporting is simple: press "Export" and choose a format, and all visible data will be exported and saved to the file you specify. Here, you can download an Excel export file of this exact report.

How to get all groups from your AD domain

Groups and their membership are an important part of Active Directory for easier management of resources and their permissions. Let's generate a quick overview of all the groups in our domain. We switch to the category "Groups" and select the report form "All groups."

We add two additional fields to this report: Manager, to see who manages the group and whether anyone manages it at all, and Number of Members (All), to get a general picture of how many objects are in the group, including all inherited ones. If you need more fields, add them; the next step is to generate the report.

In our test domain, this report took 9 minutes and 25 seconds to generate, but that's because there are over 130,000 user objects. Here you can see a great overview of all the groups, how big they are, what their type is, and what they are used for.

Download the Excel export file from this report so you can see what it looks like.

How to get all computers

When you join a computer to an AD domain, an account is created in the domain for that computer. This allows the AD domain to configure, control, and authenticate it within that domain, and lets you easily and quickly manage countless computers on your network. You can set everything from visual settings to prohibiting storage devices from being connected to the computer.

That's why it's important to know what computers are in your AD domain and what their status is. Go to the category "Computers" and select the report form "All computers." We add some additional fields such as DNS name, OS version, and OS service pack. We can generate the report; in our test environment, it took 4 seconds with 30,000 computer objects.

Here you can view all the computers that have accounts in our test domain. An Excel export file is also available.

Create customized reports for your needs

Of course, the built-in reports will not be enough for you to fully audit your domain. Each company has its own policies, structures, and characteristics. Therefore, AD FastReporter Pro allows you to quickly and easily create custom report forms. You just specify the name and report category and create a custom filter that can have from one to several logical conditions (AND/OR).

Schedule your reports and receive them in your inbox

A good practice is to implement a weekly or monthly review of what has happened in your domains, such as new users that have been created in the last 7, 30, or 60 days. By doing this, you can detect and react to any errors or suspicious changes more quickly.
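The review described above can be sketched in PowerShell as follows; this is an added example, not part of the original post and not AD FastReporter code. The accounts are constructed sample data, the function name Get-NewAccountReview is hypothetical, and in a domain the same three properties can be read with Get-ADUser from the ActiveDirectory module (assumed to be installed).

```powershell
# Buckets accounts by how recently they were created, for a periodic review.
# Live input (assumes the RSAT ActiveDirectory module):
#   Get-ADUser -Filter * -Properties whenCreated, userAccountControl
function Get-NewAccountReview {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,
        [datetime]$AsOf = (Get-Date),
        [int[]]$WindowDays = @(7, 30, 60)
    )
    $windows = $WindowDays | Sort-Object
    foreach ($a in $Accounts) {
        $age = ($AsOf - [datetime]$a.whenCreated).TotalDays
        # Smallest window that contains the account; older accounts are skipped.
        $window = $windows | Where-Object { $age -le $_ } | Select-Object -First 1
        if ($null -eq $window) { continue }
        [pscustomobject]@{
            Account = $a.sAMAccountName
            Created = ([datetime]$a.whenCreated).ToString('yyyy-MM-dd')
            AgeDays = [int][math]::Floor($age)
            Window  = "last $window days"
            # Enabled means the ACCOUNTDISABLE bit (0x0002) is clear.
            Enabled = -not ($a.userAccountControl -band 0x0002)
        }
    }
}

# Constructed sample accounts (not real data).
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'new.hire1'; whenCreated = '2022-10-18'; userAccountControl = 512 }
    [pscustomobject]@{ sAMAccountName = 'new.hire2'; whenCreated = '2022-10-01'; userAccountControl = 514 }
    [pscustomobject]@{ sAMAccountName = 'svc-test';  whenCreated = '2022-08-25'; userAccountControl = 66048 }
    [pscustomobject]@{ sAMAccountName = 'old.user';  whenCreated = '2021-03-02'; userAccountControl = 512 }
)

# A fixed review date keeps the sample output reproducible.
$review = Get-NewAccountReview -Accounts $sample -AsOf '2022-10-20'
$review | Sort-Object AgeDays | Format-Table -AutoSize
$review | Group-Object Window | Select-Object Name, Count | Format-Table -AutoSize
```

Each account is placed in the smallest window that contains it, so the per-window counts do not overlap; an enabled account in the 7-day window that nobody recognizes is the first thing to follow up on.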

AD FastReporter Pro allows you to create tasks that you can schedule using the Windows Task Scheduler. For each task, you can set the AD connection, report form, customize the visible fields, specify the export format and path, and specify the email notification type and recipients.

Conclusions

Active Directory reports are a good way to keep a pulse on your domain and stay informed about its status.

With the built-in tools, generating different reports is neither easy nor fast, so we recommend you try third-party tools.

AD FastReporter Free is a great free Active Directory reporting tool that lets you get over 200 reports from your domain in seconds. Upgrade to the Pro version, and you can export all reports to Excel, create your own custom reports, and enjoy many more extra features.

An internal policy that determines how often it is necessary to generate and review AD reports is a very good practice that helps to quickly find and eliminate errors and suspicious activities.



