This is only a sample. All links are non-functional!


Angelo: Overview of AD configuration reports

Environment: SampleDomain

Report timestamp: 20150202-141109

Report folder: C:\Users\Nils\Angelo\Reports\Report-SampleDomain-20150202-141109

1 General configuration and object data

General information on the configuration of Active Directory and object data can be found in the José reports. The following link opens José's report folder. The latest document versions contain the most recent report data.

AD replication is based on the AD site and subnet concept. View the latest Borg report for an overview of the site definition.

Each Domain Controller's configuration data is stored as a Cindy report. The following link opens the respective folder.

The CSV file DCData.txt lists basic OS and network configurations for all Domain Controllers.

The file ObjectCount.txt lists the number of objects of various types.

DomainControllers.txt lists detailed logical data for each DC.

DomainControllers-NotGC.txt contains a list of all DCs that are not configured as Global Catalog (GC) servers. As a best practice, each DC should also be a GC server; this is the case when the list is empty.

A very detailed set of reports about group objects is stored in the subfolder GroupReport. The following link opens this folder.

2 Configuration health

Three reports give an overview of general configuration health.

DCDiag.txt lists the results of an all-DC DCDiag analysis. Search for "fail" (or, in German reports, search for "nicht") to quickly view any peculiarities.

Two DNSLint reports list details on the DNS integration for AD.

3 Group Policy configuration

Group Policy Objects are stored in multiple locations. See the latest José report on Group Policy for GPO metadata and for GPO linkage information.

Group Policy settings are stored inside the Group Policy Objects. See the GPMC report on Group Policy. Note that this report is only available if either the GPMC scripts or the GPMC PowerShell command have run successfully. These special reports work best in Internet Explorer.

4 Highly privileged objects

There are a number of highly privileged objects in each AD environment. Angelo reports some defaults.

See the latest José report on Builtin groups and Users groups.

The following reports contain detailed information on privileged objects.

Admincount.txt lists all objects with the adminCount attribute enabled. Those objects are (or have been) members of some protected groups.

Admincount-Groups.txt lists only the groups with the adminCount attribute enabled.

5 Primary Groups

Primary Groups are a mechanism for users to be members of groups that is completely separate from the usual group membership. As the Primary Group mechanism was only designed for POSIX and Macintosh (pre-OS X) compatibility, it should not be used in most environments. A user's Primary Group will not be displayed by simple group membership evaluation, so it can easily be overlooked.

By default all users have a Primary Group of "Domain Users". As a rule, in most networks not a single user should have a different Primary Group.

The report Users-PrimaryGroupIDNot513.txt lists all users with a non-default Primary Group, i.e. users whose primaryGroupID is different from 513 (Domain Users).

PrimaryGroupIDsInUse-Unique.txt lists all primaryGroupID values that are in use (except for 513), and PrimaryGroupsInUse-Names.txt translates the group IDs to their respective names (in CSV format).

6 User accounts

A number of reports list various types of user accounts that should be reviewed periodically.

OldUsers-LLTS.htm and OldUsers-PWD.htm contain users that seem to be inactive. The LLTS report queries for users who have not logged on in the past 90 days. The PWD report queries for users who have not changed their passwords for 90 days. Both HTML reports can be opened and processed easily with Excel.

users_accexpired.txt contains users whose password has expired.

users_disabled.txt contains disabled user accounts.

users_noexpire.txt contains users whose passwords do not expire.

users_pwdnotreqd.txt contains users who do not need a password, even if the domain password policy does not allow blank passwords. Normally, no custom user account should have this flag active. If there is a larger number of objects here, this is mostly due to scripts or automation technology that do not work properly.

7 Computer accounts

Similar to the user reports there are a number of reports on computer accounts.

The OldComputers and OldServers reports list computer objects that seem to be inactive. LLTS queries for computers that have not logged on in the last 90 days, and PWD queries for computers that have not changed their machine passwords in the last 90 days. All these HTML reports can be opened and processed easily with Excel.

computers_ative.txt contains computers that are considered active.

computers_disabled.txt contains disabled computer accounts.

computers_inactive.txt contains computers that are considered inactive.

computers_pwdnotreqd.txt contains computers that do not need a password, even if the domain password policy does not allow blank passwords. Normally, no custom user account should have this flag active. If there is a larger number of objects here, this is mostly due to scripts or automation technology that do not work properly.

8 AD Schema

Three reports give an overview of AD schema extensions.

Schema-Changes-Count.txt lists all dates when the schema was extended together with the number of objects added.

UnknownSchemaObjects.txt contains a list of schema objects (object classes and attribute classes) that are not contained in Angelo's template file. Those may be custom extensions or extensions not made by versions of AD, Exchange, or Lync that are current at the time of Angelo's creation.

LocalSchemaObjects.txt contains a list of all schema objects (object classes and attribute classes) in the examined AD schema.


Created using Angelo by faq-o-matic.net.