How to Perform a Basic Active Directory Audit

Hello,

In today’s short post, which is part 1 of our posts on How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT administrators, IT managers, IT consultants as well as IT and Cyber Security auditors worldwide can easily perform a basic Active Directory Audit using the free version of our unique, trustworthy, professional-grade free Active Directory Audit Tool.

 

 

Basic Active Directory Audit  vs  Advanced Active Directory Audit

A Basic Active Directory Audit is one that includes an audit of all basic aspects of Active Directory security, such as obtaining an overview and details of Active Directory content, including basic details about Active Directory domain user accounts (e.g. how many in total, as well as their state e.g. active accounts, inactive accounts, stale accounts, expired accounts, etc.), domain computer accounts (e.g. how many in total, security settings, operating system/role e.g. domain controllers, workstations, servers, trusted for unconstrained delegation etc.), domain security groups (type, empty etc.), Organizational Units (OUs), GPOs, service connection points etc.

In contrast, an Advanced Active Directory Audit, a topic that we will cover in days to come, covers advanced Active Directory Security topics, such as accurately identifying all privileged users in Active Directory, correctly identifying who can run Mimikatz DCSync against an Active Directory domain, accurately identifying who has what administrative access (both delegated and unrestricted) domain-wide in Active Directory, correctly auditing all administrative delegations in Active Directory, accurately identifying effective permissions/access on all sensitive Active Directory objects etc.

For example, a basic Active Directory audit may include a list of all domain user accounts as well as their account states, whereas an advanced Active Directory audit would additionally accurately identify exactly who can manage these domain user accounts (e.g. who can reset their passwords, delete them, change access control on them, etc.) Similarly, while a basic Active Directory audit may involve identifying privileged users in Active Directory based on the value of the admincount attribute on domain user accounts (which is not the right way to do so), an advanced Active Directory audit would involve identifying privileged users in Active Directory based on an accurate domain-wide determination of who can actually enact what privileged tasks in Active Directory (which is the right way to do so.)

Today everyone can instantly perform a basic Active Directory audit for free with our free tool. Additionally, with our paid tools everyone can also instantly perform advanced Active Directory audits.

 

 

How to Easily Perform an Active Directory Audit

Here’s a quick video that shows just how easy it is to perform Active Directory Audits with our basic free Active Directory Audit Tool –

 

 

In addition to being able to perform domain-wide audits, with our tooling IT personnel can also target specific OUs, use custom LDAP filters, as well as control the scope and the depth of an audit.

 

 


Sample Active Directory Audit Reports

Here are just a few of over 100 helpful fully customizable (via LDAP filters) Active Directory audit reports that IT personnel can instantly generate using our free Active Directory Audit Tool –

  1. List of all domain user accounts in an Active Directory domain, including all active, inactive (stale), expired, new and unused Active Directory domain user accounts
  2. List of all administrative user accounts in an Active Directory domain (based on admincount attribute)
  3. List of all domain user accounts that have logged in the last 24 hours, 1 week, 1 month, 3 months, 1 year (based on True Last Logon reporting)
  4. List of all domain user accounts that have not logged in the last 24 hours, 1 week, 1 month, 3 months, 1 year (based on True Last Logon reporting)
  5. List of all domain user accounts that are currently disabled and/or locked
  6. List of all domain user accounts that have failed a logon attempt in the last 24 hours
  7. List of all domain user accounts that do not have an expiration date
  8. List of all domain user accounts that do not require passwords to logon
  9. List of all domain user accounts that require Smartcards for interactive logon
  10. List of all domain computer accounts (including their type, operating system, manager etc.)
  11. List of all domain controllers in an Active Directory domain
  12. List of all domain computer accounts that are trusted for unconstrained delegation
  13. List of all stale domain computer accounts (based on True Last Logon reporting)
  14. List of all domain computer accounts that are members of default privileged/administrative security groups (based on admincount)
  15. List of all domain security groups, including their type i.e. builtin, domain-local and universal
  16. List of all organizational units in an Active Directory domain (and optionally, also their contents)
  17. List of all service connection points in an Active Directory domain, including their keywords, vendor and other information
  18. List of all containers, GPOs, print-queues, contacts, mailboxes etc. in an Active Directory domain
  19. List of all sites, subnets, trust relationships, Schema classes and attributes in an Active Directory forest etc.
  20. A custom list based on specific parameters that can be customized using custom LDAP filter of  your choice

 

Each one of these reports can be instantly generated using our free tool. Our free basic Active Directory Audit Tool includes 100 built-in, fully customizable (via LDAP filters) Active Directory audit reports. It does not require any administrative access or any knowledge of Active Directory to use. It can be download and installed on any domain-joined machine in under 2 minutes.

 

Tool Download Point + Additional Info

You can download our free Active Directory audit tool from here.   For more info on advanced Active Directory audits, you can download our 100+ slide-deck on Active Directory Security.

In days to come, we will all cover how to perform specific basic as well as advanced Active Directory audits.

Thank you.

Best wishes,
PD Staff