What do you want from an AD permissions reporting tool?

August 26, 2013 — 18 Comments

As mentioned in a previous post, I’m currently working on an Active Directory permissions reporting tool and I just wanted to get some feedback from you guys on which features you’d like me to make a priority for the first release.

EDIT: It seems there is a bit of confusion as to what exactly this program is for – this program is for reporting on permissions assigned to actual AD objects such as OUs, user accounts, groups, etc. So for example you might use it to see who has permission to reset passwords on all user accounts in a particular OU, or who has permission to modify a certain LDAP attribute on a user/computer account. I think a lot of people finding this page are actually looking for a tool that will report on permissions assigned to their folders – if that’s the case then I already have a tool for that, which you can find here: NTFS Permissions Reporter

There are some features that I know I need to include in the first version, such as filtering capabilities that let you find only permissions on certain types of objects or only permissions that match certain criteria (e.g. a certain group is used in the permissions, the permissions are not inherited, etc.). Then there are other features that I want to include but that will take some time to implement, so I’d love to hear from you guys which ones you would rather I spent my time on now to get them into the initial release and which can wait until the next version. I know in an ideal world the first version of this tool would have every single one of these features, but in reality this would take a long time, and I think it’s better to get the most useful features implemented now and get the tool out there so you can start using it, then add the additional “nice to have” features over the next few version updates.

So if you guys could take a look at the list below and either comment here or send me an email explaining which features you think deserve to be in the first version, I’d really appreciate it. Of course, having been an IT system admin myself for several years, I have my own thoughts on which features would be most useful, but I just want to see if everyone else feels the same – and if you all would rather I spent time on a certain feature that I didn’t think would be that useful, then I’m happy to oblige and make that a priority. So this is your chance to directly influence what makes it into the finished product.

Here’s the list of items I’m already thinking about, and I’d like to hear which are most important to you (if you have some suggestions that aren’t already on the list then feel free to mention them as well). Please remember this is about prioritising them, not just saying yes to all of them ;)

  • Advanced Filtering – As I mentioned, some form of filtering will definitely be included, but this advanced filtering feature would provide very granular filtering that lets you include/exclude permissions from the report based on all aspects of the permissions and the object they’re on. Remember that more power/flexibility also means more complexity, so if granular filtering is included then would you like to see “quick filters” (like in my NTFS Permissions Reporter) that give you simple options for common filtering needs? Do you think it is important to be able to easily share filters with colleagues?
  • Command Line Automation – This would enable you to produce AD permissions reports from a scheduled task or script, with the report either being directly exported to file or emailed to you. As with most of my tools, you wouldn’t need to figure out any complex command line arguments, as you’d just configure your settings in the GUI and then export them to an XML file for the command line module to load in.
  • ADPR Format Export – This would be a custom file format that you could export results to and then load back into AD Permissions Reporter at a later date to view like any other results.
  • Comparing Reports – This would allow you to select two reports that you exported previously and see which permissions have been added or removed between them (this would require the ADPR format export option mentioned in the previous point).
  • Expanding Group Membership – If a group is used in the permissions on an AD object, this would show the members of each group in the report results, optionally including nested group membership as well. Is this important to you, or would you rather just see a more compact report that only showed the group names, so you can look up who’s a member of those groups yourself in AD Users & Computers if required?
  • Option To Show Effective Permissions – This is a tricky one… both in terms of the amount of work it would be to implement and in defining exactly what people expect when they say they want to see “effective permissions”. My definition of effective permissions in this context is that the program should take all of the permission entries on an object into account, instead of just showing them all separately. E.g. if a user is explicitly granted permission to do something but they are also a member of a group that is denied permission to do that, then their “effective permission” is that they are denied the permission, so that’s what the program should show (instead of showing both the user’s “Allow” permission entry and a separate “Deny” entry for the group). This is simple when you’re talking about doing this for one user against one AD object, but how would you expect this to be displayed in a report of all permissions on all AD objects (assuming no filter was specified)? Would you rather have a completely separate part of the tool that let you gather effective permissions for specified users against a specific AD object, or would you rather this was built into the report results (so for every user or group that was directly used in the permissions for each object you’d see their effective permissions instead of their individual permission entries)? Or perhaps you think it’s important to have both options (or have a better idea for how to handle this)?
  • Presentation Options – Is it important to you to have the results displayed in both a tree format (i.e. OUs with permission entries and child objects underneath them) and a table format, or would you only use one view (and if so, which)?
  • Export Options – Similarly to the previous point, do you need to export the results in a tree format as well as a table format? Are there any particular file formats (CSV, HTML, XLSX, etc.) you think are more important than others?
  • Context Menu In AD Users & Computers – This would allow you to right click on any OU in the AD Users & Computers console and select “Report permissions” to automatically launch my program and have it start reporting the permissions for that OU and all sub OUs.
  • Custom LDAP Root – This would let you enter any LDAP path to have the report use as its starting point, allowing you to report on permissions in other AD partitions such as the Configuration partition or Schema partition.
  • SQL Support – The ability to export report results to an SQL database and load them back in to the program from there at a later date.
  • Customisable Details For Accounts In Results – By default any users (or groups or computer accounts) used in permissions would just show their name and some basic information such as whether or not they are disabled, their SID, etc. But this feature would allow you to specify any LDAP attribute you wanted to also be included with the results for each user/group/computer.
  • Viewing Owners – Do you think it is important to be able to see who is set as the Owner of each AD object that is included in your report results?
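The allow-vs-deny resolution described under “Option To Show Effective Permissions”, as an added example rather than code from this post or from AD Permissions Reporter: a Python model of how Windows evaluates a DACL into a principal’s effective rights. The ACEs, trustee and group names, memberships and right labels (“ResetPassword” stands in for the real extended-right GUID) are all constructed. It goes one step beyond the one-line definition in the post by honouring canonical ACE order, which is why an explicit Allow still beats an inherited Deny in the third case below.

```python
# Added example, not code from the post or from AD Permissions Reporter.
# All trustees, groups, memberships and right labels are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the entry applies to
    allow: bool         # True = Allow ACE, False = Deny ACE
    rights: frozenset   # right labels standing in for real GUIDs/masks
    inherited: bool     # False = set explicitly on the object

def canonical_order(acl):
    """Windows checks ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. The first ACE to decide a right wins."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def effective_rights(acl, principal, groups):
    """Return (granted, denied) for `principal`, whose (already expanded,
    nested included) group memberships are passed in `groups`."""
    identities = {principal} | set(groups)
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        undecided = ace.rights - granted - denied   # rights not yet settled
        (granted if ace.allow else denied).update(undecided)
    return granted, denied

def report(acl, memberships):
    """One effective row per principal, collapsing a user's Allow entry and
    their group's Deny entry into a single answer as the post suggests."""
    return {p: effective_rights(acl, p, g) for p, g in memberships.items()}

# Constructed DACL for an OU; a real tool would read nTSecurityDescriptor.
STAFF_OU_ACL = [
    Ace("alice", True, frozenset({"ResetPassword"}), inherited=False),
    Ace("Interns", False, frozenset({"ResetPassword"}), inherited=False),
    Ace("carol", True, frozenset({"ResetPassword"}), inherited=False),
    Ace("Contractors", False, frozenset({"ResetPassword"}), inherited=True),
    Ace("HelpDesk", True, frozenset({"ResetPassword", "WriteProperty"}), inherited=True),
]
# Constructed, pre-expanded group memberships.
MEMBERSHIPS = {"alice": {"Interns"}, "bob": {"HelpDesk"}, "carol": {"Contractors"}}

if __name__ == "__main__":
    for who, (ok, no) in report(STAFF_OU_ACL, MEMBERSHIPS).items():
        # alice: denied (explicit group Deny beats her explicit Allow);
        # bob: allowed via HelpDesk; carol: allowed (explicit Allow beats inherited Deny)
        print(f"{who:6} allow={sorted(ok)} deny={sorted(no)}")
```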
I’m keen to hear which you think are most important, and if anyone has any other good ideas for useful features (big or small), please let me know.

Thanks

Chris

18 responses to What do you want from an AD permissions reporting tool?

  1. 

    Hi Chris,
    The big ticket items that I can see are:
    – Context Menu in AD – just due to ease of use (I would use it far more often)
    – Export options – Something that will be easy to view, and preferably with expanding/collapsing javascript all within the one file so it can be transported easily.
    Good use of colour will help read the report.
    – Advanced filtering – Remove inherited objects, etc which you have already covered.

    The other stuff sounds great but not a necessity.
    Cheers,
    Ivan

  2. 

    Hi Chris

    Any news on when you will have a Beta out? It is something we could really do with at the moment!

    • 

      I don’t have a date yet, but the sooner people let me know which features they think are important, the sooner the BETA will be out ;)

  3. 

    I have found the MS tool LIZA not eye friendly, and therefore unusable for my needs. We have interns and level 1 users come and go, so a feature to see what a specific user has rights to would be nice. Sooner the better for this tool!!! :-)

    • 

      Yeah I’ve looked at that LIZA tool before and agree it is not very user friendly at all and doesn’t really allow for the kind of report generation that most people want. I don’t think it is made by MS though, I think they just mention it in one of their TechNet articles. Yes, in my tool you would be able to set it to find only objects in AD where a specific user has been used in the permissions (either directly or via group membership) :) I guess that is the most important feature for you? Are there any others on the list in this blog post that you think would be important to you?

  4. 

    Chris,

    Beyond the basics you mentioned including in the first version, I’d vote for the following priorities:
    -Custom LDAP Root (we manage multiple domains, so it’s nice to be able to specify this and not have to hop between domains via RDP sessions to different machines)
    -Comparing Reports (especially if combined with any sort of scheduling/automation)
    -Command Line Automation

    Presentation Options: I always prefer a tree format for permissions, but I also think some of the table outputs you’ve built into other products work fine as well. They have to be easier to code, I’m guessing.

    Export Options: 99% of the time I just want a CSV. Occasionally a nicely formatted .html or PDF output is handy, but most of the time when I work on stuff like this I’m just wanting a CSV.

    This tool sounds incredibly useful. I look forward to using it!

    • 

      Thanks a lot for the feedback :) Even without the custom LDAP root option you’d still be able to point the tool at different domains – the custom LDAP path would just give you the ability to report permissions on other partitions in Active Directory, such as the Configuration or Schema partitions. I doubt many people would want to do this, but to be honest it’s something that should be very easy to implement so I’ll probably end up adding it anyway.
      When you say the report comparison feature would be more useful if command line automation was included, what exactly do you mean? I didn’t think people would really want to schedule report comparisons – could you maybe explain the scenario you’re thinking of using this automation for?

  5. 

    Hi Chris,

    I am really looking forward to seeing this tool as I have many sites that want to confirm that the ‘restricted’ delegated rights they are applying in GPOs is in fact what the user is getting.
    Your “Option To Show Effective Permissions” sounds like this is what is going to report on this, but I would like to know if it is possible to ‘drill down’ on each permission to then find out how the permission is being applied. (eg: the Deny All is coming from the ‘Default Domain Policy’ – or Full Access is coming from ‘builtin/Administrators’)
    I hope that makes sense, having the effective permissions is good, but being able to figure out why a user can/cannot do a task is even better.
    Thanks for all the great software

    TdR

    • 

      Hi Tony,

      I’m a bit confused by your question – how exactly are they applying permissions to AD objects from GPOs? I don’t think that’s possible. Perhaps you’re talking about something else like the Delegation wizard in AD Users & Computers. Can you clarify exactly what you mean and how they are setting these permissions?

      Thanks
      Chris

  6. 

    One of the things that keeps popping up in HIPAA report requests is weekly reports on failed login attempts by non- or ex-employees to track hacking or penetration attempts, and off-hours logins to track if employees are trying to steal information. They don’t really need to be fancy, just user IDs, attempts/successes/failures, time, etc. I know your tool is a lot more involved than that, but this is the type of easy reporting we need and can’t find anyplace in an easy to use, affordable package.

    • 

      Hi Danny,

      Well that’s not something that this tool would be able to show you, as this is a tool for reporting on permissions on objects in AD (i.e. the permissions that determine which users and groups can perform which actions on other items in AD, such as a user being allowed to reset another user’s password or delete objects within an OU, etc etc).

      I guess the only place that the kind of information you’re after is stored is in the event logs on your DCs (only if you’ve enabled logon auditing). You could try using the MS tool EventComb to grab the relevant event IDs from each of your DCs and just review them each week.

  7. 

    Can you include a security permissions change alert e-mail? If the user or group permissions on a particular folder are changed, an e-mail is sent to specified users. If someone is added to a group or deleted from a group, an e-mail is sent to specified users.

    • 

      I’m afraid not as neither of those features really fit in with what this tool is for. This tool is for reporting permissions on objects in Active Directory (such as OUs, user accounts, computer accounts, etc), it is not for reporting permissions on folders (I have a separate tool for that, called NTFS Permissions Reporter, which you can find here: http://www.cjwdev.co.uk/Software/NtfsReports/Info.html ). It is also not for showing you which users are members of a group (again another tool of mine can do that, AD Info: http://www.cjwdev.co.uk/Software/ADReportingTool/Info.html ).

      Having said that, AD Info cannot email you when a group is modified because this requires a very different system (it would need to parse event logs on your DCs, as that is the only place such changes get recorded). I’m considering making such a tool in the future for tracking changes in AD, but for now all I can suggest is you look at this one from Netwrix: http://www.netwrix.com/active_directory_auditing.html

  8. 

    I would be interested in automated reporting. We are hoping to export a report on a weekly/monthly basis so that department managers can go in and see what groups their users are in and for share owners to see who has access to their shares. Trying to automate as much of this report generation as possible.

    • 

      Hi Ken,

      Well if you’re just wanting reports of who has access to which shares/folders then one of my other tools will already do that (and it can show you who is a member of each group used in the permissions) – it’s called NTFS Permissions Reporter and you can find more info here: http://www.cjwdev.co.uk/Software/NtfsReports/Info.html (it does support command line automation and emailing results).

      This new tool that I’m making, AD Permissions Reporter, is for reporting on the security on the AD objects themselves (user accounts, OUs, groups, etc). So you would be able to see who has permission to reset users’ passwords in a certain OU, etc.

      Thanks
      Chris

  9. 

    I think one feature I would like my team to have, is the ability to see what changed since the last scan. A change timeline.

    • 

      Yeah the “Compare Reports” feature I mentioned in this post would let you do that. I recently implemented a similar feature in my NTFS Permissions Reporter tool so I’ll try and get something similar done for the AD Permissions Reporter. I just hope people realise that this is not going to be able to tell you who changed something or when – if you need that kind of information then you will need to enable AD object access auditing in your domain security policy and then fish through the event logs on your DCs (or use a third-party program to parse them and make it easier).
