As mentioned in a previous post, I’m currently working on an Active Directory permissions reporting tool and I just wanted to get some feedback from you guys on which features you’d like me to make a priority for the first release.
EDIT: It seems there is a bit of confusion as to what exactly this program is for – this program is for reporting on permissions assigned to actual AD objects such as OUs, user accounts, groups, etc. So for example you might use it to see who has permission to reset passwords on all user accounts in a particular OU, or who has permission to modify a certain LDAP attribute on a user/computer account. I think a lot of people finding this page are actually looking for a tool that will report on permissions assigned to their folders – if that’s the case then I already have a tool for that, which you can find here: NTFS Permissions Reporter
There are some features that I know I need to include in the first version, such as filtering capabilities that allow you to only find permissions on certain types of objects or only permissions that match certain criteria (i.e. a certain group is used in the permissions, the permissions are not inherited, etc.). Then there are other features that I want to include but that will take some time to implement, so I’d love to hear from you guys which ones you would rather I spent my time on now to get them in the initial release and which can wait until the next version. I know in an ideal world the first version of this tool would have every single one of these features, but in reality this would take a long time and I think it’s better to get the most useful features implemented now and get the tool out there so you can start using it, then add the additional “nice to have” features over the next few version updates.
So if you guys could take a look at the list below and either comment here or send me an email explaining which features you think deserve to be in the first version, I’d really appreciate it. Of course being an IT system admin myself for several years I have my own thoughts on which features would be most useful, but I just want to see if everyone else feels the same – and if you all would rather I spent time on a certain feature that I didn’t think would be that useful then I’m happy to oblige and make that a priority. So this is your chance to directly influence what makes it into the finished product.
Here’s the list of items I’m already thinking about and I’d like to hear which are most important to you (if you have some suggestions that aren’t already on that list then feel free to mention them as well). Please remember this is about prioritising them, not just saying yes to all of them.
- Advanced Filtering – As I mentioned, some form of filtering will definitely be included but this advanced filtering feature would provide very granular filtering that lets you include/exclude permissions from the report based on all aspects of the permissions and the object they’re on. Remember that more power/flexibility also means more complexity, so if granular filtering is included then would you like to see “quick filters” (like in my NTFS Permissions Reporter) that give you simple options for common filtering options? Do you think it is important to be able to easily share filters with colleagues?
- Command Line Automation – This would enable you to produce AD permissions reports from a scheduled task or script, with the report either being directly exported to file or emailed to you. As with most of my tools, you wouldn’t need to figure out any complex command line arguments as you’d just configure your settings in the GUI and then export them to an XML file for the command line module to load in.
- ADPR Format Export – This would be a custom file format that you could export results to, that you could then load back in to AD Permissions Reporter at a later date to view like any other results.
- Comparing Reports – This would allow you to select 2 reports that you exported previously and see which permissions have been added or removed between them (this would require the ADPR format export option mentioned in the previous point).
- Expanding Group Membership – If a group is used in the permissions on an AD object, this would show the members of each group in the report results. Optionally getting nested group membership as well. Is this important to you or would you rather just see a more compact report that only showed the group names and then you can look up who’s a member of those groups yourself if required from AD Users & Computers?
- Option To Show Effective Permissions – This is a tricky one… both in terms of the amount of work it would be to implement but also in defining exactly what people expect when they say they want to see “effective permissions”. My definition of effective permissions in this context is that it means the program should take all of the permission rules on an object into account, instead of just showing them all separately, e.g. if a user is explicitly granted permission to do something but they are also a member of a group that is denied permission to do that, then their “effective permission” is that they are denied the permission, so that’s what the program should show (instead of showing both the user’s “Allow” permissions entry and a separate “Deny” entry for the group). This is simple when you’re talking about doing this for one user against one AD object, but how would you expect this to be displayed in a report of all permissions on all AD objects (assuming no filter was specified)? Would you rather have a completely separate part of the tool that let you gather effective permissions for specified users against a specific AD object or would you rather this was built in to the report results (so for every user or group that was directly used in the permissions for each object you’d see their effective permissions instead of their individual permission entries)? Or perhaps you think it’s important to have both options (or have a better idea for how to handle this)?
- Presentation Options – Is it important to you to have the results displayed in both a tree format (i.e. OUs with permissions entries and child objects underneath them) and table format or would you only use one view (and if so, which)?
- Export Options – Similarly to the previous point, do you need to export the results in a tree format as well as a table format? Are there any particular file formats (CSV, HTML, XLSX, etc) you think are more important than others?
- Context Menu In AD Users & Computers – This would allow you to right click on any OU in the AD Users & Computers console and select “Report permissions” to automatically launch my program and have it start reporting the permissions for that OU and all sub OUs.
- Custom LDAP Root – This would let you enter any LDAP path to have the report use as its starting point, allowing you to report on permissions in other AD partitions such as the Configuration partition or Schema partition.
- SQL Support – The ability to export report results to an SQL database and load them back in to the program from there at a later date.
- Customisable Details For Accounts In Results – By default any users (or groups or computer accounts) used in permissions would just show their name and some basic information such as whether or not they are disabled, their SID, etc. But this feature would allow you to specify any LDAP attribute you wanted to also be included with the results for each user/group/computer.
- Viewing Owners – Do you think it is important to be able to see who is set as the Owner of each AD object that is included in your report results?
Keen to hear which you think are most important and also if anyone has any other good ideas for useful features (big or small) please let me know.
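
The sketch below is an added example, not code from AD Permissions Reporter. It applies the definition of "effective permissions" given in the list above (a Deny reached through any group, nested groups included, overrides an Allow) to one principal against one object. The group names, users, rights and ACL entries are constructed sample data, and ACE ordering and inheritance are not modelled.

```python
from collections import namedtuple

# One permission entry on an AD object (constructed, simplified shape).
Ace = namedtuple("Ace", "trustee ace_type right")

# Constructed sample directory: group -> direct members (users or groups).
GROUP_MEMBERS = {
    "Helpdesk": {"alice", "Tier1"},
    "Tier1": {"bob"},
    "Contractors": {"bob"},
}

# Constructed sample ACL for a single OU.
OU_ACL = [
    Ace("Helpdesk", "Allow", "ResetPassword"),
    Ace("Contractors", "Deny", "ResetPassword"),
    Ace("alice", "Allow", "WriteProperty:telephoneNumber"),
]


def groups_of(principal, members=GROUP_MEMBERS):
    """Return the principal plus every group containing it, directly or nested."""
    found = {principal}
    changed = True
    while changed:  # repeat until no new group is discovered (safe with cycles)
        changed = False
        for group, direct in members.items():
            if group not in found and direct & found:
                found.add(group)
                changed = True
    return found


def effective_permissions(principal, acl, members=GROUP_MEMBERS):
    """Collapse all matching entries into one verdict per right; Deny wins."""
    identities = groups_of(principal, members)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in identities:
            (denied if ace.ace_type == "Deny" else allowed).add(ace.right)
    return {r: ("Deny" if r in denied else "Allow") for r in allowed | denied}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, effective_permissions(user, OU_ACL))
```

Here bob reaches the Helpdesk Allow only through the nested Tier1 group, so a report that lists the raw entries without expanding groups would not show that he is affected by both entries.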