AD FastReporter - Online Manual

Special Reporting Capabilities

Beyond standard AD attributes, AD FastReporter includes several advanced reporting capabilities that handle complex scenarios — querying multiple domain controllers for accurate logon data, resolving nested group memberships, reporting on BitLocker recovery information, and including deleted objects. These features are what make AD FastReporter more useful than basic LDAP query tools or simple PowerShell scripts.

Non-Replicated Attributes (lastLogon from All DCs)

Some Active Directory attributes are not replicated between domain controllers. The most notable is lastLogon — each DC only stores the last logon time for authentications it handled directly. To get the true last logon time for a user, you need to query every DC and take the most recent value.

AD FastReporter does this automatically. When you include the Last Logon field in a report, AD FastReporter queries each accessible domain controller in the domain and returns the most recent value. This gives you accurate “last logon” data that a single LDAP query against one DC would miss.

If some domain controllers are unreachable during report generation (due to network issues, being offline, etc.), AD FastReporter still completes the report but adds a note in the report log warning that data from those DCs is missing. The results for the lastLogon field may be slightly less accurate in that case.

This is different from lastLogonTimestamp, which is replicated (with a delay of up to 14 days by default). AD FastReporter supports both fields — use lastLogon when you need precision, and lastLogonTimestamp when you need speed and don’t mind the replication delay.
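To make the "query every DC and take the newest value" rule concrete, here is an added example (not code from AD FastReporter) that combines per-DC lastLogon values the way the manual describes, including the warning for DCs that could not be queried. The DC names and FILETIME values are constructed stand-ins for what one LDAP query per domain controller would return.

```python
"""Added example: resolve a user's true lastLogon across all domain controllers.

Not code from AD FastReporter; the per-DC values below are constructed to
stand in for what one LDAP query per DC would return.
"""
from datetime import datetime, timedelta, timezone

# AD stores lastLogon as a 64-bit FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never'."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def resolve_last_logon(per_dc_values):
    """Combine the non-replicated lastLogon values read from each DC.

    per_dc_values maps DC name -> FILETIME int, or None when that DC could
    not be queried. Returns (most recent logon as datetime or None,
    list of DCs whose data is missing) so the report can carry a warning.
    """
    newest = 0
    unreachable = []
    for dc, value in per_dc_values.items():
        if value is None:
            unreachable.append(dc)
            continue
        newest = max(newest, value)
    return filetime_to_datetime(newest), unreachable


# Constructed sample: the same user seen from four DCs. Only DC02 handled the
# user's most recent authentication; DC03 never did; DC04 was offline.
SAMPLE_LAST_LOGON = {
    "DC01": datetime_to_filetime(datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)),
    "DC02": datetime_to_filetime(datetime(2024, 5, 2, 8, 30, tzinfo=timezone.utc)),
    "DC03": 0,
    "DC04": None,
}


def format_report_line(user, per_dc_values):
    """Render one report row plus the 'missing DC' note the manual describes."""
    newest, unreachable = resolve_last_logon(per_dc_values)
    when = newest.isoformat() if newest else "never"
    line = f"{user}: last logon {when}"
    if unreachable:
        line += (f" (WARNING: no data from {', '.join(unreachable)}; "
                 "the true last logon may be more recent)")
    return line


if __name__ == "__main__":
    print(format_report_line("alice", SAMPLE_LAST_LOGON))
```

Note that a DC returning 0 is not an error: it simply never authenticated that user. Only a DC that could not be queried at all makes the result uncertain, which is why the warning is attached in that case and not the other.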

Inherited Group Memberships

Standard AD queries return only direct group memberships — the groups a user is explicitly a member of. AD FastReporter can resolve the full membership chain by walking nested groups recursively:

Direct memberships — Groups the user is a direct member of (the memberOf attribute).

Inherited memberships — Groups the user belongs to indirectly through nested group membership. For example, if User A is in Group X, and Group X is in Group Y, then User A has an inherited membership in Group Y.

Membership by type — AD FastReporter can break memberships down by group type: security groups only, distribution groups only.

Membership by scope — Memberships can also be filtered by group scope: domain local, global, or universal.

Member count — Both direct and total (including inherited) member counts are available as fields.

These calculated membership fields involve significant processing — AD FastReporter builds a group membership cache during report generation to resolve the chains efficiently. Reports that include inherited membership fields will take longer than reports using only direct memberships.
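The recursive walk, the membership cache, and the type/scope breakdown described above, as an added example that is not AD FastReporter's own code. DIRECTORY is a constructed stand-in for the memberOf and groupType attributes an LDAP query would return; the groupType bit values are the real Active Directory ones, and the sample deliberately nests two groups in each other, since AD permits such loops and a resolver has to terminate on them.

```python
"""Added example: resolve direct and inherited (nested) group memberships.

Not code from AD FastReporter. DIRECTORY is a constructed stand-in for the
memberOf and groupType attributes an LDAP query would return.
"""

# groupType bit flags as Active Directory defines them.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

USER_A = "CN=User A,OU=Users,DC=example,DC=test"
GROUP_X = "CN=Group X,OU=Groups,DC=example,DC=test"
GROUP_Y = "CN=Group Y,OU=Groups,DC=example,DC=test"
GROUP_Z = "CN=Group Z,OU=Groups,DC=example,DC=test"
GROUP_W = "CN=Group W,OU=Groups,DC=example,DC=test"
MAIL_LIST = "CN=Mail List,OU=Groups,DC=example,DC=test"

# Constructed directory: memberOf lists only direct parents, as in AD.
# User A -> X -> Y -> Z -> W, with Y and Z also nested in each other (a loop
# AD permits and a resolver must survive). groupType for X uses the signed
# 32-bit form AD actually returns (-2147483646 == global + security-enabled).
DIRECTORY = {
    USER_A: {"memberOf": [GROUP_X, MAIL_LIST]},
    GROUP_X: {"groupType": -2147483646, "memberOf": [GROUP_Y]},
    GROUP_Y: {"groupType": GROUP_TYPE_UNIVERSAL | GROUP_TYPE_SECURITY_ENABLED, "memberOf": [GROUP_Z]},
    GROUP_Z: {"groupType": GROUP_TYPE_UNIVERSAL | GROUP_TYPE_SECURITY_ENABLED, "memberOf": [GROUP_Y, GROUP_W]},
    GROUP_W: {"groupType": GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_SECURITY_ENABLED, "memberOf": []},
    MAIL_LIST: {"groupType": GROUP_TYPE_GLOBAL, "memberOf": []},  # distribution group
}


def is_security_group(group_type):
    """Security bit test; the mask handles both signed and unsigned groupType."""
    return bool((group_type & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED)


def group_scope(group_type):
    gt = group_type & 0xFFFFFFFF
    if gt & GROUP_TYPE_GLOBAL:
        return "global"
    if gt & GROUP_TYPE_DOMAIN_LOCAL:
        return "domainLocal"
    if gt & GROUP_TYPE_UNIVERSAL:
        return "universal"
    return "unknown"


class MembershipResolver:
    """Walks memberOf recursively, caching each completed membership closure."""

    def __init__(self, directory):
        self.directory = directory
        self._closure = {}

    def direct(self, dn):
        return set(self.directory.get(dn, {}).get("memberOf", []))

    def all_groups(self, dn):
        """Direct plus inherited groups; the visited set guards against loops."""
        if dn in self._closure:
            return set(self._closure[dn])
        seen = set()
        pending = list(self.direct(dn))
        while pending:
            group = pending.pop()
            if group in seen:
                continue
            seen.add(group)
            pending.extend(self.direct(group))
        self._closure[dn] = frozenset(seen)  # only complete results are cached
        return seen

    def inherited(self, dn):
        return self.all_groups(dn) - self.direct(dn)

    def membership_counts(self, dn):
        """(direct group count, total group count including inherited)."""
        return len(self.direct(dn)), len(self.all_groups(dn))

    def filtered(self, dn, security=None, scope=None):
        """Restrict the full membership by group type and/or scope."""
        result = set()
        for group in self.all_groups(dn):
            gt = self.directory.get(group, {}).get("groupType", 0)
            if security is not None and is_security_group(gt) != security:
                continue
            if scope is not None and group_scope(gt) != scope:
                continue
            result.add(group)
        return result


if __name__ == "__main__":
    resolver = MembershipResolver(DIRECTORY)
    print("direct:       ", sorted(resolver.direct(USER_A)))
    print("inherited:    ", sorted(resolver.inherited(USER_A)))
    print("counts:       ", resolver.membership_counts(USER_A))
    print("security-only:", sorted(resolver.filtered(USER_A, security=True)))
```

The cache stores only fully computed closures, which is what keeps the loop between Group Y and Group Z from poisoning later lookups; a memo that records partial results mid-recursion would return incomplete answers for exactly this kind of nesting. The cost the manual mentions shows here too: every inherited lookup is a full walk of the parent chain, and the cache only pays off when many principals share the same groups.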

BitLocker Recovery Information

AD FastReporter can report on BitLocker recovery keys stored in Active Directory. When BitLocker is configured to back up recovery information to AD, the data is stored as child objects under each computer account. AD FastReporter reads these objects and exposes them as fields on computer reports:

Field                    Description
BitLocker Password ID    The identifier for the recovery password
BitLocker Recovery Key   The actual recovery key value
BitLocker Volume Name    The name of the encrypted volume

These fields require appropriate AD permissions — specifically, read access to msFVE-RecoveryPassword objects under computer accounts. Standard domain user accounts typically do not have this access; it usually requires delegated permissions or Domain Admin rights.

BitLocker fields appear in the Computer report category’s field list.

Deleted Objects (AD Recycle Bin)

If your Active Directory has the Recycle Bin feature enabled (available in Windows Server 2008 R2 and later at the appropriate forest functional level), AD FastReporter can include deleted objects in reports.

When reporting with deleted objects enabled, AD FastReporter uses the isDeleted attribute to identify objects that have been deleted but not yet purged from the Recycle Bin. This is useful for:

  • Auditing what was recently deleted and by whom
  • Recovering information about deleted accounts before the tombstone expires
  • Compliance checks that need to account for recently removed objects

Deleted object reporting is controlled per-connection or per-report and adds an (isDeleted=TRUE) filter to the LDAP query.

Calculated Fields

Many of AD FastReporter’s most useful fields are not stored directly in Active Directory — they’re calculated from one or more raw AD attributes during report generation. Some notable calculated fields:

Days Since Last Logon — Calculates the number of days between the last logon date and today, making it easy to filter and sort by inactivity. This is more intuitive than comparing raw timestamps.

Has Admin Privileges — Checks whether a user is a member of well-known administrative groups (Domain Admins, Enterprise Admins, etc.) and returns a true/false value.

NIS2 Review Required — Flags accounts that meet criteria for mandatory NIS2 compliance review.

Account Expiry (days) — Calculates days until account expiration.

Password Expiry — Calculates the password expiration date based on the domain’s password policy and the user’s pwdLastSet value.

Must Change Password at Next Logon — Derived from the pwdLastSet attribute (value of 0 means the user must change their password).

Is Domain Controller — Identifies whether a computer account is a domain controller.

Has Photo — Checks whether the user has a photo stored in the thumbnailPhoto attribute.

Has GPO Linked — For OUs, checks whether any GPO is linked to the organizational unit.

Child Counts — For OUs: counts the number of child users, computers, and groups directly contained in the OU. These require an additional query per OU.

GPO Link Resolution — For GPOs: resolves which OUs, sites, and domains have the GPO linked by querying gPLink attributes across the entire directory structure.

Manager Properties — For users: resolves the manager attribute to show the manager’s display name, description, and account type, without requiring a separate report.

Calculated fields are processed locally after the LDAP results are retrieved from the domain controller. This means they don’t speed up the LDAP query itself, but they save significant manual effort compared to calculating these values yourself.
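As an added example (not AD FastReporter's own code), the following shows how several of the calculated fields above can be derived locally from raw attributes once the LDAP results are in hand. The attribute names and the userAccountControl and accountExpires sentinel values are the real Active Directory ones; SAMPLE_ACCOUNT, SAMPLE_MAX_PWD_AGE and REPORT_TIME are constructed, and the Has Admin Privileges check here looks only at direct memberOf entries.

```python
"""Added example: derive calculated report fields from raw AD attributes.

Not code from AD FastReporter. SAMPLE_ACCOUNT and SAMPLE_MAX_PWD_AGE are
constructed; the attribute names and flag values are the real AD ones.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires sentinels
UF_DONT_EXPIRE_PASSWD = 0x10000                    # userAccountControl flag
UF_SERVER_TRUST_ACCOUNT = 0x2000                   # set on domain controller accounts
WELL_KNOWN_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601) to aware UTC datetime; 0 means never."""
    return None if not ft else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def days_since_last_logon(last_logon_ft, now):
    """Whole days since lastLogon; None when the user has never logged on."""
    when = filetime_to_datetime(last_logon_ft)
    return None if when is None else (now - when).days


def must_change_password(pwd_last_set_ft):
    """pwdLastSet of 0 means the user must change the password at next logon."""
    return pwd_last_set_ft == 0


def password_expiry(pwd_last_set_ft, max_pwd_age, uac):
    """pwdLastSet + the domain's maxPwdAge. maxPwdAge is a negative 100-ns
    interval; 0 or the most negative int64 means passwords never expire."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, -0x8000000000000000):
        return None
    if pwd_last_set_ft == 0:  # change required at next logon: no expiry date to compute
        return None
    return filetime_to_datetime(pwd_last_set_ft) + timedelta(microseconds=abs(max_pwd_age) // 10)


def account_expiry_days(account_expires_ft, now):
    """Days until accountExpires; None when the account never expires."""
    if account_expires_ft in ACCOUNT_NEVER_EXPIRES:
        return None
    return (filetime_to_datetime(account_expires_ft) - now).days


def cn_of(dn):
    """First RDN value; assumes the CN contains no escaped commas."""
    return dn.split(",")[0].split("=", 1)[1]


def has_admin_privileges(member_of):
    """True when any direct memberOf entry is a well-known admin group
    (resolving nested groups first would widen this check)."""
    return any(cn_of(dn) in WELL_KNOWN_ADMIN_GROUPS for dn in member_of)


def calculated_fields(account, max_pwd_age, now):
    """Build the calculated columns for one account from its raw attributes."""
    expiry = password_expiry(account["pwdLastSet"], max_pwd_age, account["userAccountControl"])
    return {
        "daysSinceLastLogon": days_since_last_logon(account["lastLogon"], now),
        "hasAdminPrivileges": has_admin_privileges(account["memberOf"]),
        "accountExpiryDays": account_expiry_days(account["accountExpires"], now),
        "passwordExpiry": None if expiry is None else expiry.isoformat(),
        "mustChangePassword": must_change_password(account["pwdLastSet"]),
        "isDomainController": bool(account["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT),
        "hasPhoto": bool(account.get("thumbnailPhoto")),
    }


REPORT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "today"
SAMPLE_MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000           # constructed 90-day policy
SAMPLE_ACCOUNT = {                                           # constructed user object
    "lastLogon": datetime_to_filetime(REPORT_TIME - timedelta(days=45)),
    "pwdLastSet": datetime_to_filetime(REPORT_TIME - timedelta(days=80)),
    "accountExpires": datetime_to_filetime(REPORT_TIME + timedelta(days=30)),
    "userAccountControl": 0x200,                             # NORMAL_ACCOUNT
    "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=test",
                 "CN=Helpdesk,OU=Groups,DC=example,DC=test"],
    "thumbnailPhoto": b"<constructed-image-bytes>",
}

if __name__ == "__main__":
    for name, value in calculated_fields(SAMPLE_ACCOUNT, SAMPLE_MAX_PWD_AGE, REPORT_TIME).items():
        print(f"{name}: {value}")
```

Two of the sentinel cases are worth keeping in mind when reading such fields in a report: an accountExpires of 0 or 0x7FFFFFFFFFFFFFFF both mean "never expires", not "expired long ago", and a pwdLastSet of 0 means a forced change is pending, so a password expiry date computed from it would be meaningless.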

Exchange Attributes

If your organization uses on-premises Exchange Server (which extends the AD schema with msExch* attributes), AD FastReporter can report on Exchange-specific properties:

  • Protocol status — Whether OWA, POP3, IMAP4, and MAPI are enabled or disabled for a mailbox
  • Recipient type — Exchange recipient type details (e.g., UserMailbox, MailUser, MailContact)
  • Exchange server — Which Exchange server hosts the mailbox
  • Alternate recipient — Forwarding destination, if configured
  • Policies — Whether specific Exchange policies are applied or excluded

These appear in the Exchange report category, but some fields are also available for User reports when the Exchange schema extensions are present.



Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA