<html>
<head>
<style type="text/css">
body { margin-top:0px; margin-bottom:20px; margin-left:20px; margin-right:20px; background-color:white;  }
p,ul,ol,li,dt,div,td,th,address,blockquote,nobr,b,i,input,textarea,button,select
     { font-family:Calibri,Verdana,Arial,sans-serif;
       margin-top:0;
       margin-bottom:10px;
}
p.link
	{ margin-left: 20px;
	}
h1,h2,h3,h4 
	{ font-family:Calibri,Verdana,Arial,sans-serif; 
	}
a 
	{ font-family:Calibri,Verdana,Arial,sans-serif; 
	}
</style>
</head>
<body>


<h1>Angelo: Overview of AD configuration reports</h1>

<p>Environment: %DOM%</p>
<p>Report timestamp: %MyDate%</p>
<p>Report folder: %RepDir%</p>

<h2>1 General configuration and object data</h2>
<p>General information on the configuration of Active Directory and object data can be found in the <strong>Jos&eacute;</strong> reports. The following link opens Jos&eacute;'s report subfolder. Start with the Domain Metadata report and the Domain Info report for an overview including basic object statistics.</p>
LINK %RepDir%\Jose\Reports\

<p>AD replication is based on the AD site and subnet concept. View the latest <strong>Borg</strong> report for an overview of the site definition.</p>
LINK %RepDir%\Borg\Reports\

<p><strong>Domain Basic Data.txt</strong> compiles a set of basic information on the domain.</p>
LINK %RepDir%\Domain Basic Data.txt

<p>Each Domain Controller's configuration data is stored as a <strong>Cindy</strong> report. The following link opens the respective folder.</p>
LINK %RepDir%\DCConfig

<p>The CSV file <strong>DCData.txt</strong> lists basic OS and network configurations for all Domain Controllers.</p>
LINK %RepDir%\DCConfig\DCData.txt

<p>The file <strong>RIDPool.txt</strong> shows how much of the domain's RID pool has been used, i.e. how many more security principals (users, groups, computers) can still be created in the domain. Every principal consumes one RID from a single domain-wide pool, so an exhausted pool blocks the creation of new objects.</p>
LINK %RepDir%\RIDPool.txt
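<p>The following PowerShell is an added example (not Angelo's own code) that reconstructs the RID pool figures from the <code>rIDAvailablePool</code> attribute of the RID Manager$ object. It assumes the RSAT ActiveDirectory module and PowerShell 3.0 or later for the 64-bit shift and mask operators.</p>

```powershell
# Added example, not Angelo's own code: decode rIDAvailablePool to see how many
# RIDs (and therefore security principals) the domain can still create.
# Assumes the RSAT ActiveDirectory module and PowerShell 3.0+ (-shr/-band on Int64).
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Server)   # optional DC to query; the RID Manager$ object is replicated everywhere

    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                           -Properties rIDAvailablePool

    # rIDAvailablePool is one 64-bit value:
    #   high 32 bits = highest RID this domain can ever issue
    #                  (0x3FFFFFFF = 1073741823 unless the 31st bit has been enabled)
    #   low 32 bits  = first RID of the next block the RID master will hand to a DC
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $maxRid  = $pool -shr 32
    $nextRid = $pool -band 0xFFFFFFFFL   # the L suffix keeps the mask an Int64 (0xFFFFFFFF alone parses as Int32 -1)

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        RidMaster     = $domain.RIDMaster
        MaxRid        = $maxRid
        NextRid       = $nextRid
        # RIDs below NextRid are consumed or reserved. Blocks already handed to DCs
        # (500 RIDs per block by default) but not yet used up count as consumed here.
        RidsRemaining = $maxRid - $nextRid
        PercentUsed   = [math]::Round(100 * $nextRid / $maxRid, 2)
    }
}

Get-RidPoolStatus | Format-List
```

<p>Because every DC pre-allocates a block of RIDs, <code>RidsRemaining</code> is a slightly pessimistic figure; a jump of several blocks between two reports without a matching number of new objects usually points at a DC that was restored or re-promoted.</p>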

<p>The file <strong>Machine Account Quota.txt</strong> displays the value of ms-DS-MachineAccountQuota, i.e. how many computer objects a single user can create in AD if they hold the user right "Add workstations to domain" (default: 10). By default this right is granted to Authenticated Users in the Default Domain Controllers Policy; review that policy to see which principals currently hold it.</p>
LINK %RepDir%\Machine Account Quota.txt
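<p>As an added example (not Angelo's own code), the following PowerShell reads the quota, lists the computer objects that were actually created under it by using the <code>mS-DS-CreatorSID</code> attribute AD populates in that case, and shows the hardening step. It assumes the RSAT ActiveDirectory module.</p>

```powershell
# Added example, not Angelo's own code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Read the quota (attribute ms-DS-MachineAccountQuota on the domain head; default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Find computer objects that were created under the quota. When a principal without
#    create-child rights on the container joins a machine, AD records that principal's SID
#    in mS-DS-CreatorSID; objects created by administrators leave the attribute empty.
function Get-QuotaCreatedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            # The attribute is stored as a binary SID.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = "$($sid.Value) (unresolved)" }   # creator may have been deleted
            [pscustomobject]@{
                Computer    = $_.Name
                Creator     = $creator
                CreatorSid  = $sid.Value
                WhenCreated = $_.whenCreated
            }
        }
}

$created = Get-QuotaCreatedComputers
$created | Sort-Object Creator, WhenCreated | Format-Table -AutoSize

# 3. Per-creator totals against the quota. The quota counts the objects that still carry a
#    creator's SID, so a creator at the limit cannot join another machine until one is removed.
$created | Group-Object Creator |
    Select-Object @{ n = 'Creator'; e = { $_.Name } }, Count, @{ n = 'QuotaLeft'; e = { $quota - $_.Count } } |
    Sort-Object Count -Descending

# 4. Hardening (remove -WhatIf to apply): a quota of 0 means only principals with explicit
#    create-child rights on a container can add computer objects.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

<p>Computers listed by <code>Get-QuotaCreatedComputers</code> were joined by ordinary users rather than by a provisioning account with delegated rights; each of them is worth a second look, because the creator keeps write access to a number of attributes on the object it created.</p>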

<p><strong>DCs.txt</strong> lists each DC.</p>
LINK %RepDir%\DCs.txt

<p><strong>RODCs.txt</strong> lists Read-Only DCs.</p>
LINK %RepDir%\RODCs.txt

<p><strong>Default Objects.txt</strong> displays the names and DNs for some default objects in your environment as they may be language-dependent.</p>
LINK %RepDir%\Default Objects.txt

<p><strong>OU Objects.txt</strong> lists the OU structure along with a count of objects (users, computers, groups) in each OU. Open the report in Excel to view the OU hierarchy.</p>
LINK %RepDir%\OU Objects.txt

<p><strong>Objects with SID History.txt</strong> contains a list of all objects that have the sIDHistory attribute set because of a domain migration. You should clean up SID History once a migration is complete: the old SIDs stay in the users' access tokens, keep permissions granted to the old SIDs in effect, and enlarge the tokens.</p>
LINK %RepDir%\Objects with SID History.txt

<p><strong>CircularGroups.html</strong> contains a list of all groups that are part of circular nesting. Circular nesting means that groups are members of each other, directly or through intermediate groups, forming a ring of membership. Such rings make effective membership hard to evaluate and can send tools and scripts that walk nested groups into endless recursion, so you should correct them. The list should be empty.</p>
LINK %RepDir%\CircularGroups.html
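<p>The following PowerShell is an added example (not Angelo's own code) of how such rings can be found: it builds a group-to-member-group graph from the <code>memberOf</code> back-links and runs a depth-first search that reports every back edge as a cycle. The live loader assumes the RSAT ActiveDirectory module; the sample graph at the end is constructed so the detector can be tried without a domain.</p>

```powershell
# Added example, not Angelo's own code: find circular group nesting with a depth-first
# search. Get-GroupGraphFromAD needs the RSAT ActiveDirectory module; the sample graph at
# the end is constructed so the detector can be tried without a domain.

function Find-GroupCycles {
    param(
        # Hashtable: group DN -> array of the DNs of groups that are its direct members
        [Parameter(Mandatory)][hashtable]$Graph
    )
    $state  = @{}                                       # DN -> 'visiting' or 'done'
    $path   = New-Object System.Collections.ArrayList   # current DFS path
    $cycles = New-Object System.Collections.ArrayList

    function Visit([string]$node) {
        $state[$node] = 'visiting'
        [void]$path.Add($node)
        foreach ($child in @($Graph[$node])) {
            if (-not $child) { continue }
            if ($state[$child] -eq 'visiting') {
                # Back edge: $child is already on the current path, so the path from
                # $child to $node, closed by this edge, is a ring of memberships.
                $arr   = $path.ToArray()
                $start = [array]::IndexOf($arr, $child)
                [void]$cycles.Add((@($arr[$start..($arr.Length - 1)]) + $child) -join ' -> ')
            }
            elseif ($state[$child] -ne 'done') { Visit $child }
        }
        $state[$node] = 'done'
        $path.RemoveAt($path.Count - 1)
    }

    foreach ($g in @($Graph.Keys)) { if (-not $state[$g]) { Visit $g } }
    return @($cycles)
}

function Get-GroupGraphFromAD {
    # memberOf on a group object only ever lists groups, so reversing it yields the
    # parent -> child edges without resolving the class of every member.
    # Caveat: memberOf is a back-link and does not show memberships in other domains.
    $graph = @{}
    foreach ($g in Get-ADGroup -Filter * -Properties memberOf) {
        if (-not $graph.ContainsKey($g.DistinguishedName)) { $graph[$g.DistinguishedName] = @() }
        foreach ($parent in $g.memberOf) {
            if (-not $graph.ContainsKey($parent)) { $graph[$parent] = @() }
            $graph[$parent] += $g.DistinguishedName
        }
    }
    return $graph
}

# Constructed sample: G1 -> G2 -> G3 -> G1 is a ring; G4 is nested normally under G2.
$sample = @{
    'CN=G1,OU=Groups,DC=example,DC=test' = @('CN=G2,OU=Groups,DC=example,DC=test')
    'CN=G2,OU=Groups,DC=example,DC=test' = @('CN=G3,OU=Groups,DC=example,DC=test',
                                             'CN=G4,OU=Groups,DC=example,DC=test')
    'CN=G3,OU=Groups,DC=example,DC=test' = @('CN=G1,OU=Groups,DC=example,DC=test')
    'CN=G4,OU=Groups,DC=example,DC=test' = @()
}
Find-GroupCycles -Graph $sample   # one ring: G1 -> G2 -> G3 -> G1 (the starting group varies)

# Against the live domain:
# Find-GroupCycles -Graph (Get-GroupGraphFromAD)
```

<p>Each reported line is a chain of DNs in which the last group is a member of the first; removing any one membership in the chain breaks the ring. Because the search marks finished nodes, every ring is reported once even if it is reachable from several groups.</p>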

<p>A very detailed set of reports about group objects is stored in the subfolder <strong>GroupReport</strong>. The following link opens this folder.</p>
<p>Note: On a non-English computer you might have to open the CSV files with Excel's "Open" command and change the format settings (instead of just double-clicking it).</p>
LINK %RepDir%\GroupReport

<h2>2 Configuration health</h2>
<p>Three reports give an overview of general configuration health.</p>

<p><strong>DCDiag.txt</strong> lists the results of a DCDiag run against all DCs. Search for "fail" (or, in German reports, for "nicht") to quickly find failed tests and other peculiarities.</p>
LINK %RepDir%\DCDiag.txt

<p>Two <strong>DNSLint</strong> reports list details on the DNS integration for AD.</p>
LINK %RepDir%\dnslint.htm
LINK %RepDir%\DNSLint-Delegation.htm

<h2>3 Group Policy configuration</h2>
<p>Group Policy Objects are stored in multiple locations. See the latest <strong>Jos&eacute;</strong> report on Group Policy for GPO metadata and for GPO linkage information. Open any Jos&eacute; report that includes GPOs and click on the GPO icon to view the settings in the GPOs.</p>
LINK %RepDir%\Jose\Reports

<p>Group Policy settings are stored inside the Group Policy Objects. See the <strong>complete GPMC report</strong> on Group policy. Note that this report is only available if either the GPMC scripts or the GPMC PowerShell command have successfully run.</p>
LINK %RepDir%\GPMC

<h2>4 Highly privileged objects</h2>
<p>There are a number of highly privileged objects in every AD environment. Angelo reports some of the default ones.</p>
<p>See the latest <strong>Jos&eacute;</strong> report on Builtin groups and Users groups.</p>
LINK %RepDir%\Jose\Reports

<p>The following reports contain detailed information on privileged objects.</p>
<p><strong>Admincount Objects.txt</strong> lists all objects whose adminCount attribute is set to 1. These objects are (or have been) members of groups protected by AdminSDHolder. Note that adminCount is not cleared automatically when an object leaves a protected group, so stale entries keep the restrictive AdminSDHolder permissions and blocked ACL inheritance until they are cleaned up by hand.</p>
LINK %RepDir%\Admincount Objects.txt
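<p>The following PowerShell is an added example (not Angelo's own code) that goes one step further than the report: it compares every adminCount=1 object with the current, transitive membership of the AdminSDHolder-protected groups, so that stale entries stand out. It assumes the RSAT ActiveDirectory module and a domain-joined session; the list of protected group names is the one SDProp uses, with groups that do not exist in the domain skipped.</p>

```powershell
# Added example, not Angelo's own code: cross-check adminCount=1 objects against the
# current membership of the groups that AdminSDHolder/SDProp protects. Assumes the RSAT
# ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Groups whose members SDProp protects. Enterprise/Schema Admins exist only in the forest
# root and the Key Admins groups only with a 2016+ schema; names not found are skipped.
$protectedGroupNames = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                       'Backup Operators', 'Replicator', 'Domain Admins', 'Enterprise Admins',
                       'Schema Admins', 'Domain Controllers', 'Read-only Domain Controllers',
                       'Key Admins', 'Enterprise Key Admins'

function Get-AdminCountReport {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $current   = @{}   # DN -> $true for every object currently covered by SDProp

    # The Administrator (RID 500) and krbtgt (RID 502) accounts are protected directly, not via a group.
    foreach ($rid in 500, 502) {
        $u = Get-ADUser -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue
        if ($u) { $current[$u.DistinguishedName] = $true }
    }

    $clauses = foreach ($name in $protectedGroupNames) {
        $g = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)"
        if ($g) {
            $current[$g.DistinguishedName] = $true   # the groups themselves carry adminCount=1 too
            # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server side.
            # (Built-in group DNs contain no characters that need LDAP escaping.)
            "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))"
        }
    }
    Get-ADObject -LDAPFilter "(|$(-join $clauses))" |
        ForEach-Object { $current[$_.DistinguishedName] = $true }

    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties objectClass, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                StillProtected     = [bool]$current[$_.DistinguishedName]   # $false = stale adminCount
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

$report = Get-AdminCountReport
$report | Format-Table Name, ObjectClass, StillProtected, InheritanceBlocked -AutoSize

# Stale entries: no longer in a protected group but still carrying the AdminSDHolder ACL.
$report | Where-Object { -not $_.StillProtected } | Format-Table Name, ObjectClass, InheritanceBlocked -AutoSize
```

<p>For a stale entry the usual clean-up is to clear adminCount (<code>Set-ADObject -Clear adminCount</code>) and re-enable ACL inheritance on the object; until that is done the object keeps the AdminSDHolder permissions even though nothing in the group membership justifies them any more.</p>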

<p><strong>Default Groups memberOf.txt</strong> displays group nesting for some critical default groups. Those groups usually should not be members of other groups.</p>
LINK %RepDir%\Default Groups memberOf.txt

<h2>5 Primary Groups</h2>
<p>Primary Groups are a membership mechanism for users that is completely separate from normal group membership (the member and memberOf attributes). It was only introduced for POSIX and Macintosh (pre-OS X) compatibility and should not be used in most environments. A user's Primary Group is not shown by a simple evaluation of group membership, so it is easily overlooked.</p>
<p>By default every user has the Primary Group "Domain Users". As a rule, in most networks not a single user should have a different Primary Group.</p>

<p>The report <strong>Non-standard Primary Groups.txt</strong> lists all users with a non-default Primary Group, i.e. users whose primaryGroupID is different from 513 (Domain Users).</p>
LINK %RepDir%\Non-standard Primary Groups.txt

<p><strong>Primary Groups in Use.txt</strong> lists all Primary Groups that are in use (except for 513) along with their group ID, i.e. the RID that the users' primaryGroupID attribute refers to.</p>
LINK %RepDir%\Primary Groups in Use.txt
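<p>As an added example (not Angelo's own code), the following PowerShell produces both views, the users with a non-standard Primary Group and the summary of Primary Groups in use, by resolving the RID stored in primaryGroupID against the domain SID. It assumes the RSAT ActiveDirectory module.</p>

```powershell
# Added example, not Angelo's own code: list users whose primary group is not Domain Users,
# resolve the group, and summarise which primary groups are in use. Assumes the RSAT
# ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NonStandardPrimaryGroups {
    $domainSid = (Get-ADDomain).DomainSID.Value

    # primaryGroupID stores only the RID; the group's SID is <domain SID>-<RID>. The relation
    # is not reflected in member/memberOf, which is why plain membership listings miss it.
    Get-ADUser -LDAPFilter '(!(primaryGroupID=513))' -Properties primaryGroupID |
        ForEach-Object {
            $rid = $_.primaryGroupID
            $grp = Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue
            $grpName = '(unresolved RID)'
            if ($grp) { $grpName = $grp.Name }
            [pscustomobject]@{
                User              = $_.SamAccountName
                Enabled           = $_.Enabled
                PrimaryGroupRID   = $rid
                PrimaryGroup      = $grpName
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$users = Get-NonStandardPrimaryGroups

# Per-user list. The built-in Guest account (RID 501) normally appears here with Domain Guests (514).
$users | Format-Table User, Enabled, PrimaryGroupRID, PrimaryGroup -AutoSize

# "Primary groups in use" summary, as in the report.
$users | Group-Object PrimaryGroupRID |
    Select-Object @{ n = 'RID'; e = { $_.Name } }, @{ n = 'Group'; e = { $_.Group[0].PrimaryGroup } }, Count

# Resetting a user to Domain Users (remove -WhatIf to apply). A group can be set as primary
# only while the user is a member of it, so the account must be in Domain Users first.
foreach ($u in ($users | Where-Object { $_.User -ne 'Guest' })) {
    Add-ADGroupMember -Identity 'Domain Users' -Members $u.DistinguishedName -ErrorAction SilentlyContinue -WhatIf
    Set-ADUser -Identity $u.DistinguishedName -Replace @{ primaryGroupID = 513 } -WhatIf
}
```

<p>Note the direction of the dependency when cleaning up: AD refuses to remove a user from the group that is its current Primary Group, so the primaryGroupID has to be changed back to 513 before the membership in the other group can be removed.</p>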

<h2>6 User accounts</h2>
<p>A number of reports list various types of user accounts that should be reviewed periodically.</p>

<p><strong>OldUsers-LLTS.htm</strong> and <strong>OldUsers-PWD.htm</strong> contain users that seem to be inactive. The LLTS report queries for users whose lastLogonTimestamp is older than 90 days. Bear in mind that this attribute is replicated but refreshed only when its stored value is more than 14 days old (msDS-LogonTimeSyncInterval), so it is accurate to roughly two weeks. The PWD report queries for users whose password (pwdLastSet) has not changed for 90 days. Both HTML reports can be opened and processed easily with Excel.</p>

LINK %RepDir%\OldUsers-LLTS.htm
LINK %RepDir%\OldUsers-PWD.htm

<p><strong>User Statistics.txt</strong> lists the number of accounts with potentially sensitive properties, such as disabled accounts.</p>
LINK %RepDir%\User Statistics.txt

<p><strong>Users TokenGroup Count.txt</strong> lists, for each user, the number of entries in the constructed attribute tokenGroups, i.e. the number of groups the account is a direct or indirect member of. Accounts with very high counts deserve attention, as every group SID ends up in the user's access token and Kerberos PAC.</p>
LINK %RepDir%\Users TokenGroup Count.txt

<p><strong>Users with No Password Required.txt</strong> contains users whose userAccountControl has the PASSWD_NOTREQD flag (0x0020) set. Such accounts may have an empty password even if the domain password policy does not allow blank passwords. Normally, no regular user account should have this flag set. A larger number of objects here is usually the result of provisioning scripts or automation tools that create accounts with the flag and never clear it.</p>
LINK %RepDir%\Users with No Password Required.txt
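<p>The following PowerShell is an added example (not Angelo's own code) that serves both the "User Statistics" and the "No Password Required" reports above: it decodes the userAccountControl bits, counts the security-relevant flags across all users, and selects the PASSWD_NOTREQD accounts with a bitwise LDAP filter. It assumes the RSAT ActiveDirectory module.</p>

```powershell
# Added example, not Angelo's own code: decode userAccountControl, count the security-relevant
# flags across all users, and list the accounts with PASSWD_NOTREQD. Assumes the RSAT
# ActiveDirectory module.
Import-Module ActiveDirectory

# Flag names and values as defined for userAccountControl (bits not relevant here are omitted).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080     # reversible encryption
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
}

function ConvertFrom-UserAccountControl([int64]$Uac) {
    foreach ($f in $uacFlags.GetEnumerator()) {
        if (($Uac -band $f.Value) -ne 0) { $f.Key }
    }
}

function Get-UserFlagStatistics {
    # One pass over all users, one counter per flag (the "User Statistics" view).
    $counts = [ordered]@{ Total = 0 }
    foreach ($k in $uacFlags.Keys) { $counts[$k] = 0 }
    foreach ($u in Get-ADUser -Filter * -Properties userAccountControl) {
        $counts['Total']++
        foreach ($flag in (ConvertFrom-UserAccountControl $u.userAccountControl)) { $counts[$flag]++ }
    }
    [pscustomobject]$counts
}

function Get-UsersWithNoPasswordRequired {
    # The bitwise-AND matching rule (1.2.840.113556.1.4.803) selects accounts that have the
    # PASSWD_NOTREQD bit (32) set, whatever the other bits are.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
               -Properties userAccountControl, whenCreated, PasswordLastSet |
        Select-Object SamAccountName, Enabled, whenCreated, PasswordLastSet,
                      @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
}

Get-UserFlagStatistics | Format-List
Get-UsersWithNoPasswordRequired | Format-Table -AutoSize

# Remediation for regular accounts (remove -WhatIf to apply). Afterwards an account that
# actually has an empty password needs a real one set, as the flag no longer bypasses the policy.
# Get-UsersWithNoPasswordRequired | ForEach-Object {
#     Set-ADAccountControl -Identity $_.SamAccountName -PasswordNotRequired $false -WhatIf
# }
```

<p>The same bitwise filter with another value selects the other classes of accounts the statistics count, for example 4194304 (DONT_REQ_PREAUTH) for accounts without Kerberos pre-authentication or 524288 (TRUSTED_FOR_DELEGATION) for accounts with unconstrained delegation.</p>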

<p><strong>ExtensionAttributes.txt</strong> contains all objects with values in one of the 15 Exchange extension attributes.</p>
LINK %RepDir%\ExtensionAttributes.txt

<p>Three reports deal with userPrincipalNames: <strong>No-UPN.txt</strong> identifies users without a UPN. <strong>Non-Standard-UPN.txt</strong> lists users whose UPN uses a suffix different from the domain name. <strong>MailAndUPN.txt</strong> lists all users with their UPN and primary mail address (attribute "mail") so you can compare both values.</p>
LINK %RepDir%\No-UPN.txt
LINK %RepDir%\Non-Standard-UPN.txt
LINK %RepDir%\MailAndUPN.txt

<h2>7 Computer accounts</h2>
<p>Similar to the user reports there are a number of reports on computer accounts.</p>

<p>The <strong>OldComputers</strong> and <strong>OldServers</strong> reports list computer objects that seem to be inactive. LLTS queries for computers whose lastLogonTimestamp is older than 90 days, and PWD for computers whose machine password (pwdLastSet) has not changed in the last 90 days. Since domain members renew their machine password every 30 days by default, such a computer has very likely not been in contact with the domain for a long time. All these HTML reports can be opened and processed easily with Excel.</p>
LINK %RepDir%\OldComputers-LLTS.htm
LINK %RepDir%\OldComputers-PWD.htm
LINK %RepDir%\OldServers-LLTS.htm
LINK %RepDir%\OldServers-PWD.htm
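<p>The following PowerShell is an added example (not Angelo's own code) that reproduces the LLTS and PWD queries for users, computers and servers (sections 6 and 7) in one function, with the thresholds evaluated on the server side as FILETIME values. It assumes the RSAT ActiveDirectory module.</p>

```powershell
# Added example, not Angelo's own code: the LLTS and PWD queries for users, computers and
# servers in one function. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleAccounts {
    param(
        [ValidateSet('User', 'Computer', 'Server')][string]$Kind = 'User',
        [ValidateSet('LLTS', 'PWD')][string]$Mode = 'LLTS',
        [int]$Days = 90
    )
    # lastLogonTimestamp and pwdLastSet are FILETIME values (100 ns ticks since 1601 UTC),
    # so the threshold must be expressed the same way for a server-side comparison.
    $cutoffDate = (Get-Date).AddDays(-$Days)
    $cutoff     = $cutoffDate.ToFileTimeUtc()

    $classFilter = switch ($Kind) {
        'User'     { '(&(objectCategory=person)(objectClass=user))' }
        'Computer' { '(objectCategory=computer)' }
        'Server'   { '(&(objectCategory=computer)(operatingSystem=*Server*))' }
    }
    $ageFilter = switch ($Mode) {
        # Caveat: lastLogonTimestamp is refreshed only when it is more than 14 days old
        # (msDS-LogonTimeSyncInterval), so it lags up to two weeks; lastLogon is exact but
        # not replicated and would have to be read from every DC. Objects that never logged
        # on (no value) are included; brand-new objects are dropped below via whenCreated.
        'LLTS' { "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*)))" }
        # pwdLastSet=0 means "must change at next logon", not an old password, so it is excluded.
        'PWD'  { "(&(pwdLastSet<=$cutoff)(!(pwdLastSet=0)))" }
    }

    Get-ADObject -LDAPFilter "(&$classFilter$ageFilter)" `
                 -Properties sAMAccountName, lastLogonTimestamp, pwdLastSet, whenCreated,
                             userAccountControl, operatingSystem |
        Where-Object { $_.whenCreated -lt $cutoffDate } |
        ForEach-Object {
            $llts = $null
            if ($_.lastLogonTimestamp) { $llts = [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
            $pwd = $null
            if ($_.pwdLastSet) { $pwd = [DateTime]::FromFileTimeUtc($_.pwdLastSet) }
            [pscustomobject]@{
                Name              = $_.sAMAccountName
                Enabled           = -not ($_.userAccountControl -band 2)   # ACCOUNTDISABLE bit
                OperatingSystem   = $_.operatingSystem
                LastLogonTS       = $llts
                PwdLastSet        = $pwd
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# The four computer reports plus the two user reports:
Get-StaleAccounts -Kind User     -Mode LLTS | Format-Table Name, Enabled, LastLogonTS -AutoSize
Get-StaleAccounts -Kind User     -Mode PWD  | Format-Table Name, Enabled, PwdLastSet  -AutoSize
Get-StaleAccounts -Kind Computer -Mode LLTS | Format-Table Name, Enabled, OperatingSystem, LastLogonTS -AutoSize
Get-StaleAccounts -Kind Server   -Mode PWD  | Format-Table Name, Enabled, OperatingSystem, PwdLastSet  -AutoSize
```

<p>Objects that are disabled but still present in the output are the harmless part of the list; enabled accounts with both an old lastLogonTimestamp and an old pwdLastSet are the ones to disable or remove, after checking that they are not service accounts that authenticate without updating either attribute.</p>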

<h2>8 AD Schema</h2>
<p>Four reports give an overview of AD schema extensions.</p>

<p><strong>Schema-Changes-Count.txt</strong> lists all dates when the schema was extended together with the number of objects added.</p>
LINK %RepDir%\Schema-Changes-Count.txt

<p><strong>UnknownSchemaObjects.txt</strong> contains a list of schema objects (object classes and attribute classes) that are not contained in Angelo's template file. These are either custom extensions or extensions made by versions of AD, Exchange, or Lync that were released after the template was compiled.</p>
LINK %RepDir%\UnknownSchemaObjects.txt

<p><strong>LocalSchemaObjects.txt</strong> contains a list of all schema objects (object classes and attribute classes) in the examined AD schema.</p>
LINK %RepDir%\LocalSchemaObjects.txt

<p><strong>LocalSchemaProducts.txt</strong> contains a list of all products that have extended the AD schema.</p>
LINK %RepDir%\LocalSchemaProducts.txt

<hr>
<p>Created using Angelo by <a href="http://www.faq-o-matic.net">faq-o-matic.net</a>.</p>
</body>
</html>