Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security
REFERENCE GUIDANCE REPORTING
Reference | Top-20 D | Risks | FAQ Delegate | Verify | Assess | Audit | Report | Comply Reports Tools
| Overview | What To Audit in Active Directory | Top-100 Security Audit Reports | How to Audit Security |



Top-100 Active Directory Security Audit Reports


The following is a list of the Top-100 Active Directory security reports to include in an security/compliance audit –

#ReportType
User Account Management Reports
1.List of all domain user accountsSecurity Report
2.List of all recently commissioned domain user accounts
(i.e. accounts that were created in the last 30 days)
Security Report
3.List of all recently de-commissioned domain user accounts
(i.e. accounts that were deleted in the last 30 days)
Security Report
4.List of all active domain user accounts
(i.e. accounts that have logged on at least once in the last 180 days)
Security Report
5.List of all inactive domain user accounts
(i.e. accounts that have not logged on even once in the last 180 days)
Security Report
6.List of all unused domain user accounts
(i.e. accounts that have never logged on)
Security Report
7.List of all disabled domain user accountsSecurity Report
8.List of all privileged domain user accounts
(i.e. accounts that possess administrative privilege)
Security Report
9.List of all domain user accounts that do not have an expiration dateSecurity Report
10.List of all domain user accounts that do not require passwords to logonSecurity Report
11.List of all domain user accounts whose passwords never expireSecurity Report
12.List of all domain user accounts whose passwords have not changed in the last 60 daysSecurity Report
13.List of all domain user accounts that are sensitive and cannot be delegatedSecurity Report
14.List of all domain user accounts whose password might be too old
(i.e. accounts who password has not changed in the last 60 days)
Security Report
15.List of all unmanaged domain user accounts
(i.e. accounts for whom a manager is not specified)
Security Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

16.Who can create domain user accounts? Access Report
17.Who can delete domain user accounts? Access Report
18.Who can reset user account passwords? Access Report
19.Who can disable/enable user accounts? Access Report
20.Who can unlock locked user accounts? Access Report
21.Who can change the expiration date of user accounts? Access Report
22.Who can disable/enable the requirement of a smart card for interactive logon by user accounts? Access Report
23.Who can force users to change their user account passwords at next logon? Access Report
24.Who can prevent users from changing their user account passwords? Access Report
25.Who can change the logon name of user accounts? Access Report
26.Who can change the logon hours of user accounts? Access Report
27.Who can change the logon workstations of user accounts? Access Report
28.Who can change the logon script for user accounts? Access Report
29.Who can change whether or not user accounts are sensitive and cannot be delegated? Access Report
30.Who can change the security permissions protecting user accounts? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Computer Management Reports
31.List of all domain computer accounts Security Report
32.List of all domain controller accountsSecurity Report
33.List of all recently commissioned domain computer accounts
(i.e. computer accounts created in the last 30 days)
Security Report
34.List of all recently de-commissioned domain computer accounts
(i.e. computer accounts deleted in the last 30 days)
Security Report
35.List of all active domain computer accounts
(i.e. accounts that have logged on at least once in the last 180 days)
Security Report
36.List of all inactive (stale) domain computer accounts
(i.e. accounts that have not logged on even once in the last 180 days)
Security Report
37.List of all domain computer accounts that have never authenticated
(i.e. accounts that have never logged on)
Security Report
38.List of all disabled domain computer accounts Security Report
39.List of all domain computer accounts that are trusted for unconstrained delegation Security Report
40.List of all unmanaged domain computer accounts
(i.e. accounts for whom a manager is not specified)
Security Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

40.Who can create computer accounts*? Access Report
41.Who can delete computer accounts? Access Report
42.Who can reset computer accounts? Access Report
43.Who can disable/enable computer accounts? Access Report
44.Who can change the expiration date of computer accounts? Access Report
45.Who can change the computer name (Pre-Windows 2000) of computer accounts? Access Report
46.Who can change the DNS name of computer accounts? Access Report
47.Who can change the machine role of computer accounts? Access Report
48.Who can change the Service Principal Names (SPNs) of computer accounts? Access Report
49.Who can change the security permissions protecting computer accounts? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Security Group Management Reports
50.List of all security groups (and their type i.e. domain local, global etc.)Security Report
51.List of all administrative security groups (e.g. Enterprise Admins etc.)Security Report
52.List of all delegated administrative security groups
(e.g. groups used to delegate IT management in Active Directory)
Security Report
53.List of all recently commissioned security groups
(i.e. groups created in the last 30 days)
Security Report
54.List of all recently decommissioned security groups
(i.e. groups deleted in the last 30 days)
Security Report
55.List of all empty security groups (i.e. groups that have no members)Security Report
56.List of all large security groups (i.e. groups that have a large membership)Security Report
57.List of all nested security groups (i.e. groups that have groups as members)Security Report
58.List of all unmanaged security groups (i.e. for which manager is not specified)Security Report
59.Who can create security groups? Access Report
60.Who can delete security groups? Access Report
61.Who can change security group memberships? Access Report
62.Who can add/remove oneself to/from the membership of security groups? Access Report
63.Who can change security group scopes? Access Report
64.Who can change security group types? Access Report
65.Who can change the security permissions protecting security groups? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Organizational Unit Management Reports
66.List of all organizational unitsSecurity Report
67.List of all recently commissioned organizational units
(i.e. those that were created in the last 30 days)
Security Report
68.List of all recently de-commissioned organizational units
(i.e. those that were deleted in the last 30 days)
Security Report
69.List of all unmanaged organizational units
(i.e. for which a manager is not specified)
Security Report
70.List of all organizational unitsto which a group policy (GPO) is explicitly linkedSecurity Report
71.Who can create organizational units? Access Report
72.Who can delete organizational units? Access Report
73.Who can disable group policies linked to organizational units? Access Report
74.Who can change the precedence of group policies linked to organizational units? Access Report
75.Who can generate resultant set of policy (logging-mode) for users/computers in an organizational unit? Access Report
76.Who can generate resultant set of policy (planning-mode) for users/computers in an organizational unit? Access Report
77.Who can change the security permissions protecting organizational units? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Container Management Reports
78.List of all containersSecurity Report
79.List of all recently commissioned containers
(i.e. those that were created in the last 30 days)
Security Report
80.List of all recently de-commissioned containers
(i.e. those that were deleted in the last 30 days)
Security Report
81.List of all unmanaged containers
(i.e. for which a manager is not specified)
Security Report
82.Who can create containers? Access Report
83.Who can delete containers? Access Report
84.Who can change the security permissions protecting containers? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Group Policy Management Reports
85.List of all group policy objects (GPOs)Security Report
86.List of all recently commissioned group policy objects
(i.e. those that were created in the last 30 days)
Security Report
87.List of all recently de-commissioned group policy objects
(i.e. those that were deleted in the last 30 days)
Security Report
88.List of all disabled group policy objectsSecurity Report
89.Who can create group policy containers? Access Report
90.Who can delete group policy containers?Access Report
91.Who can change the security permissions protecting group policy containers? Access Report


Did you know that you can now generate these reports instantly?
You can, with Gold Finger from Paramount Defenses !
 
      Free Trial  

Service Connection Point Management Reports
92.List of all service connection pointsSecurity Report
93.List of all recently commissioned service connection points
(i.e. those that were created in the last 30 days)
Security Report
94.List of all recently de-commissioned service connection points
(i.e. those that were deleted in the last 30 days)
Security Report
95.List of all service connection points for which keywords are not specified Security Report
96.Who can create service connection points? Access Report
97.Who can delete service connection points?Access Report
98.Who can change the keywords of service connection points? Access Report
99.Who can change the binding information of service connection points? Access Report
100.Who can change the security permissions protecting service connection points? Access Report

COPYRIGHT NOTICE THE INFORMATION PRESENTED ON THIS WEBSITE IS COPYRIGHTED MATERIAL. NO PART OF THIS
INFORMATION MAY BE REPRODUCED UNLESS IT IS CLEARLY AND EXPLICITLY ACKNOWLEDGED THAT THIS WEBSITE IS
THE ORIGINAL SOURCE AND THAT A WORKING HYPER-LINK TO THIS WEBSITE IS PROVIDED.

Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
About Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved Disclaimer
Active Directory Security Active Directory Reports Active Directory Reporting Tools Cyber Security and Global Security
Active Directory Audit Tool Active Directory Reporting Tool Active Directory Reporting Tools Active Directory Effective Permissions