Active Directory Cleaner
User Guide
Table of Contents
1 Introduction
2 Benefits of Active Directory Cleaner
3 Features
4 Categories
5 Actions on Users Report
6 Actions on Computer Reports
5 Report Generation
5.1 Active Directory User Reports
5.1.1 General Reports
5.1.1.1 All Users
5.1.1.2 Users With Empty Attributes
5.1.1.3 Users without Managers
5.1.1.5 Users in more than One Group
5.1.1.6 Recently Created Users
5.1.1.7 Recently Modified Users
5.1.1.9 Dial-in Deny Access
5.1.1.10 Users with Logon Script
5.1.1.11 Users without Logon Script
5.1.1.12 All Deleted Users
5.1.1.13 Recently Deleted Users
5.1.2 Account Status Report
5.1.2.1 Disabled Users
5.1.2.2 Locked Out Users
5.1.2.3 Account Expired Users
5.1.2.4 Recently Account Expired Users
5.1.3 Logon Reports
5.1.3.1 Inactive Users
5.1.3.2 Recently Logged on Users
5.1.3.3 Users Never Logged On
5.1.3.4 Enabled Users
5.1.4 Password Reports
5.1.4.1 Recently Bad Logged on Users
5.1.4.2 Users whose Password Never Expires
5.1.4.3 Password Expired Users
5.1.4.4 Soon-to-Expire User Passwords
5.1.4.5 Password Changed Users
5.1.4.6 Password Unchanged Users
5.2 Active Directory Computer Reports
5.2.1 General Reports
5.2.2 All Computers
5.2.2.1 Workstations
5.2.2.2 Domain Controllers
5.2.2.3 OS Based
5.2.2.4 Computers Trusted for Delegation
5.2.2.5 Recently Modified Computers
5.2.2.6 Managed Computers
5.2.2.7 Unmanaged Computers
5.2.2.8 All Deleted Computers
5.2.2.9 Recently Deleted Computers
5.2.3 Account Status Reports
5.2.3.1 Inactive Computers
1 Introduction
Active Directory Cleaner (ADC) is a simple tool for keeping your Active Directory (AD) clean and secure. ADC enables IT organizations to extract vital data from Active Directory within seconds of installation. Armed with this information, organizations can quickly make strategic and tactical security decisions that involve their Active Directory and Windows environment.
Active Directory Cleaner retrieves and reports information efficiently from Active Directory while hiding the complexities of the native Active Directory tools.
2 Benefits of Active Directory Cleaner
Active Directory Cleaner allows an administrator to quickly and accurately retrieve required information about Active Directory infrastructure and objects, and displays it in a clear and logical format. Active Directory Cleaner’s interface extracts data accurately, saving the time involved in troubleshooting, controlling and managing attributes of Active Directory objects such as:
Users
Computers
3 Features
Search
Helps to locate a specific Active Directory object quickly and accurately.
Actions
Helps to perform actions such as delete, restore, move, disable, enable and reset on objects in bulk.
Restore
Users can restore deleted users and computers in Active Directory.
Add/Remove Columns
Helps to customize the displayed columns.
Scope
View generation can be limited to Organizational Units (OUs) in a domain, facilitating OU-based administration.
Sort
Users can sort the columns of interest.
Export Reports
Reports can be exported to PDF, CSV and Excel formats.
4 Categories
Active Directory Cleaner has the following categories:
Active Directory Users
Active Directory Computers
5 Actions on Users Report
Once the list of users has been generated based on a criterion, the user can perform the following actions on the user objects:
Enable
Disable
Delete
Restore
Move
Reset
Unlock
6 Actions on Computer Reports
Once the list of computers has been generated based on a criterion, the user can perform the following actions on the computer objects:
Enable
Disable
Delete
Restore
Move
7 Report Generation
This section lists the reports available in each of the categories, and provides the filter used and the PowerShell command for each report category.
7.1 Active Directory User Reports
7.1.1 General Reports
7.1.1.1 All Users
It provides the details of all the users in the selected scope.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370))"
7.1.1.2 Users With Empty Attributes
It provides the list of users whose specified attributes are empty. The report can check either that all of the specified attributes are empty or that at least one of them is empty.
How it works:
"(&(objectCategory=Person)(objectClass=user)(&(!attribute1=*)(!attribute2=*)))"
The above filter matches users for whom all of the specified attributes are empty.
"(&(objectCategory=Person)(objectClass=user)(|(!attribute1=*)(!attribute2=*)))"
The above filter matches users for whom at least one of the specified attributes is empty.
7.1.1.3 Users without Managers
It provides the list of users who do not have a manager assigned to them.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!manager=*))"
7.1.1.4 Manager Based Users
It provides the list of users that directly report to the selected user (Manager). The users listed in the report are those whose manager property is set to the selected user.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(manager=managerDN))"
7.1.1.5 Users in more than One Group
It provides the details of users who belong to more than one group.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(memberOf=*))"
7.1.1.6 Recently Created Users
It provides the details of the user accounts created recently.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(createTimeStamp>=givenTime))"
7.1.1.7 Recently Modified Users
This report generates the list of user accounts modified recently.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(modifyTimeStamp>=givenTime))"
7.1.1.8 Dial-in Allow Access
This report generates the list of users who have access to dial-in.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(msNPAllowDialin=TRUE))"
7.1.1.9 Dial-in Deny Access
This report generates the list of users who don’t have access to dial-in.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(msNPAllowDialin=FALSE)(!msNPAllowDialin=*)))"
7.1.1.10 Users with Logon Script
This report generates the list of users who have logon scripts. Logon scripts run automatically when the user logs on.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(scriptPath=*))"
7.1.1.11 Users without Logon Script
This report generates the list of users who don’t have logon scripts. Logon scripts run automatically when the user logs on.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!scriptPath=*))"
7.1.1.12 All Deleted Users
This report generates the list of all deleted users in the domain.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectClass=user)(!objectClass=computer)(isDeleted=TRUE))"
7.1.1.13 Recently Deleted Users
This report generates the list of all user accounts deleted recently in the domain.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectClass=user)(!objectClass=computer)(isDeleted=TRUE)(whenChanged>=givenTime))"
7.1.2 Account Status Report
7.1.2.1 Disabled Users
This report generates the list of all disabled user accounts.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(userAccountControl:1.2.840.113556.1.4.803:=2))"
7.1.2.2 Locked Out Users
This report generates the list of all user accounts that have been locked out.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(lockouttime>=1))"
7.1.2.3 Account Expired Users
This report generates the list of all user accounts that have expired.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=currentTime))"
7.1.2.4 Recently Account Expired Users
This report generates the list of all user accounts that have expired in the given number of days.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!accountExpires=0)(!accountExpires=9223372036854775807)(accountExpires<=currentTime)(accountExpires>=givenTime))"
7.1.2.5 Soon-to-Expire User Accounts
This report generates the list of all user accounts that will expire within the given number of days.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!accountExpires=0)(!accountExpires=9223372036854775807)(!accountExpires<=currentTime)(accountExpires<=givenTime))"
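The guide does not say how the givenTime and currentTime placeholders are filled in. Active Directory stores the timestamp attributes used above in two different syntaxes, so the following added example (not part of the original guide or the tool's own code) builds two of the filters with concrete values; the function names and the reference date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "never expires" in accountExpires (taken from the guide's filters).
NEVER = (0, 9223372036854775807)
USER_BASE = "(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)"


def generalized_time(dt):
    """GeneralizedTime text, the syntax of createTimeStamp, modifyTimeStamp, whenChanged."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def filetime(dt):
    """100-ns ticks since 1601-01-01 UTC, the syntax of accountExpires, pwdLastSet, lastLogon."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Inverse of filetime(); None for the two 'never' sentinels, which would overflow."""
    if ticks in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def recently_created(now, days):
    """'Recently Created Users': givenTime is a GeneralizedTime string."""
    given = generalized_time(now - timedelta(days=days))
    return f"(&{USER_BASE}(createTimeStamp>={given}))"


def soon_to_expire_accounts(now, days):
    """'Soon-to-Expire User Accounts': currentTime and givenTime are tick counts."""
    current = filetime(now)
    given = filetime(now + timedelta(days=days))
    never = "".join(f"(!accountExpires={v})" for v in NEVER)
    return f"(&{USER_BASE}{never}(!accountExpires<={current})(accountExpires<={given}))"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    print(recently_created(now, 7))
    print(soon_to_expire_accounts(now, 30))
```

Passing a GeneralizedTime string to a tick-count attribute (or the reverse) does not raise an error on the client side; the comparison simply does not select the intended accounts, so check the syntax of each attribute before reusing a filter.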
7.1.2.6 Account Never Expire Users
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(accountExpires=0)(accountExpires=9223372036854775807)))"
7.1.3 Logon Reports
7.1.3.1 Inactive Users
This report generates the list of all users who have not logged on for the past 'n' days. Inactive users are determined based on their last logon time. All the domain controllers are scanned for the last logon time to ensure accuracy. If any of the DCs cannot be contacted during report generation, the report generation will fail.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(!lastlogon=*)(lastlogon<=givenTime)))"
7.1.3.2 Recently Logged on Users
This report generates the list of all users who have logged on during the past 'n' days. Recently logged on users are determined based on their last logon time. All the domain controllers are scanned for the last logon time to ensure accuracy. If any of the DCs cannot be contacted during report generation, the report generation will fail.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(lastlogon>=givenTime))"
7.1.3.3 Users Never Logged On
This report generates the list of all users who have not logged on to the domain. Users who have never logged on are determined based on their last logon time. All the domain controllers are scanned for the last logon time to ensure accuracy. If any of the DCs cannot be contacted during report generation, the report generation will fail.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(|(lastlogon=0)(!lastlogon=*)))"
7.1.3.4 Enabled Users
This report generates the list of all enabled user accounts.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
PowerShell Command:
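Added example in Python (not part of the original guide, not the tool's code, and not the PowerShell command the guide refers to) for the Inactive Users, Recently Logged on Users and Users Never Logged On reports in 7.1.3: lastLogon is not replicated between domain controllers, which is why every DC has to be scanned and why one missing answer must fail the report. The DC names, account names and values are constructed, and the per-DC query itself is assumed to have already run.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def filetime(dt):
    """lastLogon is stored as 100-ns ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def ago(days):
    return filetime(NOW - timedelta(days=days))


# Constructed per-DC answers: DC name -> {sAMAccountName: lastLogon or None}.
# A DC that could not be contacted maps to None instead of a dict.
SAMPLE = {
    "DC01": {"alice": ago(200), "bob": ago(120), "svc_backup": None},
    "DC02": {"alice": ago(2), "bob": ago(150), "svc_backup": 0},
}


def merge_last_logon(per_dc):
    """Newest lastLogon per account; refuse to answer if any DC is missing."""
    down = sorted(dc for dc, rows in per_dc.items() if rows is None)
    if down:
        raise RuntimeError("no answer from: " + ", ".join(down))
    merged = {}
    for rows in per_dc.values():
        for account, ticks in rows.items():
            merged[account] = max(merged.get(account, 0), ticks or 0)
    return merged


def classify(merged, now, days):
    """Apply the guide's three logon filters to the merged values."""
    given = filetime(now - timedelta(days=days))
    report = {"never": [], "inactive": [], "recent": []}
    for account, ticks in sorted(merged.items()):
        if ticks == 0:       # (|(lastlogon=0)(!lastlogon=*))
            report["never"].append(account)
        if ticks <= given:   # (|(!lastlogon=*)(lastlogon<=givenTime))
            report["inactive"].append(account)
        if ticks >= given:   # (lastlogon>=givenTime)
            report["recent"].append(account)
    return report


if __name__ == "__main__":
    print(classify(merge_last_logon(SAMPLE), NOW, 90))
```

With only DC01's answer, alice would be reported as inactive even though she logged on two days ago against DC02; acting on that partial view (disable or delete) is the error the all-DC scan prevents.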
7.1.4 Password Reports
7.1.4.1 Recently Bad Logged on Users
This report generates the list of all users who tried to log on with a bad password.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(badPasswordTime>=givenTime))"
7.1.4.2 Users whose Password Never Expires
This report generates the list of all users whose password never expires.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
7.1.4.3 Password Expired Users
This report generates the list of all users whose passwords have expired.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!pwdLastSet=0)(pwdLastSet<=time based on maximum password age))"
7.1.4.4 Soon-to-Expire User Passwords
This report generates the list of all users whose passwords will expire in ‘n’ days.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!pwdLastSet<={0})(pwdLastSet<=time based on maximum password age and the given time))"
7.1.4.5 Password Changed Users
This report generates the list of all users whose passwords were modified during the given ‘n’ days.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!pwdLastSet=0)(!pwdLastSet<=givenTime))"
7.1.4.6 Password Unchanged Users
This report generates the list of all users whose passwords were not modified during the given ‘n’ days.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!pwdLastSet=0)(!pwdLastSet>=givenTime))"
7.2 Active Directory Computer Reports
7.2.1 General Reports
7.2.2 All Computers
This report generates the list of all computers within the selected scope.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectcategory=computer)(objectClass=computer))"
7.2.2.1 Workstations
This report generates the list of all workstations within the selected scope. Workstations are all computers except Servers and Domain Controllers.
How it works:
The report is generated by querying the Directory Service for all computers with "userAccountControl=ADS_UF_WORKSTATION_TRUST_ACCOUNT". The filter is
"(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=4096))"
7.2.2.2 Domain Controllers
This report generates the list of all Domain Controllers within the selected scope.
How it works:
The report is generated by querying the Directory Service for all computers with "userAccountControl=ADS_UF_SERVER_TRUST_ACCOUNT". The filter is
"(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
7.2.2.3 OS Based
This report provides the details of the computers based on the given Operating System type.
How it works:
The report is generated by querying the Directory Service for all computers with the attributes 'operatingSystem' and 'operatingSystemServicePack'.
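Added example (Python, not part of the original guide or the tool's code) for the userAccountControl clauses used by the Workstations and Domain Controllers reports above and by the Disabled, Password Never Expires and Trusted for Delegation reports elsewhere in this guide: the OID 1.2.840.113556.1.4.803 selects a bitwise-AND match, so a clause is true when every bit of its value is set in the attribute. Only the userAccountControl clause of each filter is evaluated here, and the sample entries are constructed.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Report name -> userAccountControl clause, copied from the filters in this guide.
REPORT_CLAUSES = {
    "Disabled": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "Password Never Expires": "(userAccountControl:1.2.840.113556.1.4.803:=65536)",
    "Workstations": "(userAccountControl:1.2.840.113556.1.4.803:=4096)",
    "Domain Controllers": "(userAccountControl:1.2.840.113556.1.4.803:=8192)",
    "Trusted for Delegation": "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
}
CLAUSE_RE = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")

# Constructed sample entries (hypothetical names).
SAMPLE = [
    {"cn": "j.doe", "userAccountControl": 512},
    {"cn": "svc_old", "userAccountControl": 66050},  # 512 + 2 + 65536
    {"cn": "WS01", "userAccountControl": 4096},
    {"cn": "DC01", "userAccountControl": 532480},    # 8192 + 524288, the DC default
    {"cn": "no_uac"},                                # attribute absent
]


def clause_matches(clause, entry):
    """Evaluate one bitwise-AND extensible-match clause against an entry."""
    m = CLAUSE_RE.match(clause)
    if m is None or m.group(2) != BIT_AND:
        raise ValueError("not a bitwise-AND extensible match: " + clause)
    value = entry.get(m.group(1))
    if value is None:  # an absent attribute never matches
        return False
    mask = int(m.group(3))
    return (int(value) & mask) == mask


def reports_for(entry):
    """Names of the guide's reports whose userAccountControl clause matches."""
    return [name for name, clause in REPORT_CLAUSES.items()
            if clause_matches(clause, entry)]


if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry["cn"], reports_for(entry))
```

A domain controller's default value has the delegation bit set, so every DC also appears in the Trusted for Delegation report; the entries worth reviewing there are the ones that are not domain controllers.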
7.2.2.4 Computers Trusted for Delegation
This report generates the list of all computers that are trusted for delegation.
How it works:
The report is generated by querying the Directory Service for all computers with "userAccountControl=ADS_UF_TRUSTED_FOR_DELEGATION". The filter is
"(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
7.2.2.5 Recently Modified Computers
This report generates the list of all computers that were modified recently.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=computer)(objectClass=computer)(modifyTimeStamp>=givenTime))"
7.2.2.6 Managed Computers
This report generates the list of all computers that are managed by any user.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectcategory=computer)(objectClass=computer)(managedBy=*))"
7.2.2.7 Unmanaged Computers
This report generates the list of all computers that are not managed by any user.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectcategory=computer)(objectClass=computer)(!managedBy=*))"
7.2.2.8 All Deleted Computers
This report generates the list of all deleted computers.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectClass=computer)(isDeleted=TRUE))"
7.2.2.9 Recently Deleted Computers
This report generates the list of all computers that were deleted during the last ‘n’ days.
How it works:
The report is generated by querying the Directory Service with the filter
7.2.3 Account Status Reports
7.2.3.1 Inactive Computers
This report generates the details of the computers that have been inactive for the given number of days. Inactive computers are determined based on their last logon time. All the domain controllers are scanned for the last logon time to ensure accuracy. If any of the DCs cannot be contacted while generating the report, the report generation will fail.
How it works:
The report is generated by querying the Directory Service with the filter
"(&(objectCategory=computer)(objectClass=computer)(|(!lastlogon=*)(lastlogon<=givenTime)))"
7.2.3.2 Disabled Computers
This report generates the list of all computers that are disabled.
How it works:
The report is generated by querying the Directory Service for all computers with "userAccountControl=ADS_UF_ACCOUNTDISABLE". The filter is
"(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))"