Active Directory Reporting


  • Active Directory Reporting

    Hello all,
    I was wondering if anyone had any ideas/experiences/direction on a good way to get some reporting information from Active Directory. More specifically, I would like to create an automated way to find out:
    • AD account Disabled for 90 days
    • Orphaned Mailboxes
    • AD account not logged in for 90 days
    • AD mailbox not logged in for 90 days


    I made some progress by using a script I found online to query all user accounts that haven't logged in for 90 days, but using the script is a bunch of manual work and formatting.

    So any ideas or recommendations on the how abouts to accomplish this... I understand that 3rd party tools could probably do this and more, but as with most IT staff out there, I am looking for a free alternative.

    However, if you know of 3rd party software that can definitely do these things, I would like to hear a review.

    Thanks in advance.

  • #2
    Re: Active Directory Reporting

    Try ADPlus or Quest...
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.


    • #3
      Re: Active Directory Reporting

      Originally posted by kapilsharma11
      Try ADPlus or Quest...

      kapilsharma11,
      Thanks for the response. I looked into what you recommended, and I am not sure that ADPlus will assist in reporting on Active Directory objects. On Microsoft's website it looked like a tool to analyze application problems; not sure how to make use of it for AD info.

      I also looked at Quest Reporter, and while it looked more along the lines of what I need, I didn't find much info on the product. Have you used it? Did it work well in any specific way?
      I am looking mainly for what I outlined in the topic post. Do you know if it would work well with those kinds of reports? It appeared to be more security and baseline focused than querying custom info from AD.


      • #4
        Re: Active Directory Reporting

        To find disabled account (90 days not sure) - adfind -list -rb -f "(&(objectcategory=user)(useraccountcontrol=514))" rdn

        To find account last logon time stamp -
        adfind -csv -tdcs -rb -f objectcategory=user lastlogontimestamp

        You can import the data into Excel and sort it out for your needs.

        On Exchange, you can export the list from ESM and get it sorted out.

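The sorting step suggested in post #4, as an added example that is not part of the original thread: it turns the raw lastLogonTimestamp value (100-nanosecond ticks since 1601-01-01 UTC) into a date and tests the disabled bit of userAccountControl, so a disabled account whose value is not exactly 514 (66050, for instance) is still caught. The CSV layout, the sample accounts and the names `classify` and `filetime_to_utc` are assumptions made for this example, and the 14-day allowance reflects the default replication lag of lastLogonTimestamp.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2         # userAccountControl flag bit for a disabled account
REPLICATION_SLACK_DAYS = 14  # lastLogonTimestamp can lag by up to 14 days by default

# Constructed sample export: hypothetical column layout and accounts, raw integer values.
SAMPLE_CSV = '''"dn","userAccountControl","lastLogonTimestamp"
"CN=Alice,OU=Staff,DC=example,DC=test","512","133485408000000000"
"CN=Bob,OU=Staff,DC=example,DC=test","514","133300000000000000"
"CN=Carol,OU=Staff,DC=example,DC=test","66050","133200000000000000"
"CN=Dave,OU=Staff,DC=example,DC=test","512","133380000000000000"
"CN=Erin,OU=Staff,DC=example,DC=test","512","133415424000000000"
"CN=Svc,OU=Staff,DC=example,DC=test","512",""
'''


def filetime_to_utc(raw):
    """Convert FILETIME ticks to an aware datetime; empty or 0 means never logged on."""
    ticks = int(raw) if raw and raw.strip() else 0
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify(csv_text, now, days=90):
    """Bucket accounts into disabled, stale (no logon within the window) and never used."""
    # Widen the window by the replication slack so recent logons are not misreported.
    cutoff = now - timedelta(days=days + REPLICATION_SLACK_DAYS)
    report = {"disabled": [], "stale": [], "never": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["dn"].split(",")[0][3:]  # strip the leading "CN="
        if int(row["userAccountControl"]) & ACCOUNTDISABLE:
            report["disabled"].append(name)  # bit test, not equality with 514
            continue
        last = filetime_to_utc(row["lastLogonTimestamp"])
        if last is None:
            report["never"].append(name)
        elif last < cutoff:
            report["stale"].append(name)
    return report


if __name__ == "__main__":
    print(classify(SAMPLE_CSV, datetime(2024, 1, 15, tzinfo=timezone.utc)))
```

Erin's last logon is 95 days before the reference date and is deliberately not reported, because it falls inside the replication allowance.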


        • #5
          Re: Active Directory Reporting

          Originally posted by balasat
          To find disabled account (90 days not sure) - adfind -list -rb -f "(&(objectcategory=user)(useraccountcontrol=514))" rdn

          To find account last logon time stamp -
          adfind -csv -tdcs -rb -f objectcategory=user lastlogontimestamp

          You can import the data into Excel and sort it out for your needs.

          On Exchange, you can export the list from ESM and get it sorted out.

          Balasat,
          Thanks! I haven't yet tried ADFind. Will give your advice a shot. I have been playing with the DSquery user -inactive command, but for some reason I can't get it to work; I can get other DSquery commands to work but not the -inactive option.
          Hopefully ADFind will give me what I need. I have been using ESM for last logon mailbox, but I have different mail stores, so I have to do a bunch of exports, then import all those exports into an Excel spreadsheet, then sort/format. Hoping to make it easier (without scripting, because I am very bad at it).

          Also, if anyone comes here with the same problem, here's what my research has yielded so far:
          Tried using the Last Logon box of the Saved Queries in Active Directory - no luck there.

          Broke down and tried a free demo of ScriptLogic's Security Enterprise Reporter. While the setup and reporting went pretty smoothly, it only works on the first 5000 objects (not just user accounts) it finds, so I wasn't able to get a good feel for how it would work, as the reports were missing some info I wanted.

          Found ADSIomatic from the Windows Hey Scripting Guys; it's based on educating you how to write ADSI scripts and doesn't have many canned scripts. Seems the best free alternative is for me to learn ADSI scripting and/or PowerShell.

          The end result is to be able to run an ADSI script to get the info needed from AD, put in a DB and then use DB queries to get the info needed, then make all of that turnkey or automated monthly/weekly.
