Active Directory User Reports

    User Reports offer comprehensive visibility into Active Directory (AD) user attributes, account statuses, individual logon activities, and their terminal service attributes.

    In this document, you will learn how to do the following:

    • Generate reports from multiple domains.
    • Apply filters for targeted results.
    • Refine results to include or exclude specific accounts or permissions.
    • View terminal service access details.

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > General Reports.

    The following reports are available in this category:

    All Users

    This report provides the details of all the users of the selected domain(s). For the domains to be listed here, you should have added all the domains in the Directory/Application Settings page.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute objectClass set to user (i.e., objectClass=user).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Users With Empty Attributes

    This report enables administrators to find the list of users who do not have any value specified for a particular attribute. Apart from the critical attributes, this report will also check the users' custom attributes and fetch those users whose custom attributes are empty.

    How it works

    The report is generated by querying the LDAP server for all users with the attributes (!physicalDeliveryOfficeName=*)(!telephoneNumber=*)(!streetAddress=*)(!l=*)(!postalCode=*)(!homePhone=*)). Apart from this, ADManager Plus can also choose other attributes.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the attributes whose values need to be checked under Empty Attribute List.
    3. Choose if all or any of the selected attributes need to be matched under Matching Criteria.
    4. Click Generate.

    Back to Top

    Users With Duplicate Attributes

    This report provides the details of all users in a domain that have duplicate attributes. This report is available under User Reports > General.

    How it works

    The report is generated by querying the LDAP server for all users with duplicate attributes specified.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the attributes whose values need to be checked for duplicates.
    3. Click Generate.

    Back to Top

    Users Without Managers

    This report enables the administrators to find the list of users who do not have any managers assigned to them.

    How it works:

    The report is generated by querying the LDAP server for all users with the attribute (!manager=*).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Manager Based Users

    This report provides the list of users who directly report to the selected manager.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (manager=CN=Administrator,CN=Users,DC=sample,DC=testdomain,DC=com).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select a manager from the listed users in the Select Manager popup.
    3. Click Generate.

    Back to Top

    All Managers

    This report provides a list of all users in the domain who have direct reports.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectcategory=person)(objectClass=user)(!(sAMAccountType=805306370))(directReports=*)).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Users in More Than One Group

    This report provides the details of the users belonging to more than one group. The Member Of column in the report displays the groups to which the user belongs.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(memberOf=*)).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Recently Deleted Users

    This report provides the list of user accounts that have been deleted recently. By default, AD maintains the deleted objects list for a period of 60 days, which can be extended to up to 120 days. The deleted user accounts shown in the report pertain to the maximum period set in AD.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute isDeleted.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Recently Created Users

    This report provides the details of recently created user accounts.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute whenCreated.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Recently Modified Users

    This report provides the details of the user accounts modified recently.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute whenChanged.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Photo Based Reports

    This report helps you identify all AD users with or without a photo.

    How it works

    This report is generated by querying the LDAP server for the attributes thumbnailPhoto, thumbnailLogo, jpegPhoto, and photo. If the selected option is Users with Photo, the report retrieves all users with these attributes configured. If the selected option is Users without Photo, the report retrieves all users without these attributes.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Choose the desired report under User.
    3. Click Generate.

    Back to Top

    Dial-in Allow Access

    This report helps visualize the users who have access to dial-in.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE)).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Dial-in Deny Access

    This report helps visualize the users who don't have access to dial-in.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(|(msNPAllowDialin=FALSE)(!(msNPAllowDialin=*)))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Users With Logon Script

    Logon scripts are those which run automatically when a user's machine is turned on. This report generates the list of users who have been furnished with logon scripts.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(scriptPath=*)).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Users Without Logon Script

    Logon scripts are those which run automatically when a user's machine is turned on. This report generates the list of users who do not have logon scripts.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(scriptPath=*))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Lync/Skype Enabled Users

    This report fetches all the users for whom Skype for Business or Lync Server communication is enabled.

    How it works

    ADManager Plus checks the msRTCSIP-UserEnabled attribute of users and displays all the users for whom this attribute is set as True.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Lync/Skype Disabled Users

    This report fetches all the user accounts for whom the Skype for Business or Lync Server communication is disabled.

    How it works

    ADManager Plus checks the 'msRTCSIP-UserEnabled' attribute of users and displays all the users for whom this attribute is set as False.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > Account Status Reports.

    The following reports are available in this category:

    Disabled Users

    User accounts can be disabled as a security measure to prevent a particular user from logging on, rather than deleting the user account. This report provides the details of the user accounts that are disabled and is auto-generated every day at 6am.

    How it works:

    The report is generated by querying the LDAP server for all users with the attribute (userAccountControl = ADS_UF_ACCOUNTDISABLE).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Locked-Out Users

    A user account gets locked out on frequent bad login attempts. The Account Lock Out Policy specifies the number of bad login attempts after which the account will be locked. This report provides the details of the user accounts that have been locked out and is auto-generated at 6am every day.

    How it works

    The report is generated by querying the LDAP server for all users with attribute lockoutTime.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Account Expired Users

    This report provides the details of the user accounts that have expired.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (!(accountExpires=0))(!(accountExpires=never))(accountExpires<=currentTime).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Recently Account Expired Users

    This report provides the details of the user accounts that have expired within the specified number of days.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (!(accountExpires=0))(!(accountExpires=never))(accountExpires>=SpecifiedTime)(accountExpires <=CurrentTime).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Soon-To-Expire User Accounts

    This report provides the details of the user accounts that will expire within the specified number of days.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (!(accountExpires=0))(!(accountExpires=never))(!(accountExpires<=CurrentTime))(accountExpires<=SpecifiedTime).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Account Never Expires Users

    This report provides the details of the user accounts which will never expire.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(|(accountExpires=0)(accountExpires=9223372036854775807))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Smart Card Enabled Users

    This report provides the details of all users in the domain enabled with smart card login permissions.

    How it works

    The report is generated by querying the LDAP server for users with their account properties set to smart enabled for login.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > Logon Reports.

    The following reports are available in this category:

    Inactive Users

    This report provides details of the users who have not logged on for the past n days. Inactive users are determined based on their last logon time. All the configured DCs are scanned for the last logon time to ensure accuracy. However, if any of the DCs could not be contacted during report generation, the data may be incomplete. This report is auto-generated every day at 6am.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectClass=user)(objectCategory=person)(!(sAMAccountType=805306370))(|(!lastlogon=*)(lastlogon<=%s))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.
    Note: Users logged on through VPN and users who have not logged out for the specified period will be shown as inactive.

    Back to Top

    Recently Logged on Users

    This report provides the details of the users who have logged on in the past n days. The recently logged on users are determined based on their last logon time. All the configured domain controllers are scanned for the last logon time to ensure accuracy. However, if any of the DCs could not be contacted while report generation, the data may be incomplete.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(lastLogon>=%s)).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the desired period from the options provided or enter a custom range in Select the desired time period.
    3. Click Generate.

    Back to Top

    Logon Hour Based Report

    This report helps determine users who are permitted or restricted from logging in at the specified time for the specified days. For example, you can find the list of users who have login permissions on all days from 9am–5pm.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute logonHours for the specified time.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Select the dates, start and end time from the options provided in the Select Date drop-down.
    3. Choose to generate reports for logon permitted or denied hours using Reports For.
    4. Click Generate.

    Back to Top

    Users Never Logged On

    This report provides the list of users who have not logged on to the domain. All the configured domain controllers are scanned to get the details.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(|(!lastlogon=*)(lastlogon=0))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Enabled Users

    This report generates a list of all the enabled user accounts in the desired domain.

    How it works

    The report is generated by querying the LDAP server for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))).

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Back to Top

    Real Last Logon Report

    This report provides the details of the latest last logon time of all users in a domain.

    How it works

    The report is generated by querying all the domain controllers in the domain, i.e., DCs configured in the Directory/Application Settings tab of ADManager Plus, for the users' last logon time and logon count.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. Click Advanced Filter to select specific AD objects.
    2. Click Generate.

    Back to Top

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > Nested Reports.

    The following reports are available in this category:

    Users in Groups

    This report provides the details of the users within a selected group.

    How it works

    The report is generated by querying all users and verifying if the memberOf value is the same as the specified group.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the groups under Groups to list the members within it. Check Exclude Nested Groups to avoid listing users within a nested group.
    3. Click Generate.
    Note: Generated results can be filtered to display the groups that the users are a part of besides the selected groups.

    Back to Top

    Groups for Users

    This report lists all the groups the specified user belongs to, as well as all other groups that include the user's group as a member.

    How it works

    The report is generated by querying the LDAP server for all groups and checking whether the specified user is a member.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the user under Users to list the groups. Check Exclude Nested Groups to avoid listing nested groups.
    3. Click Generate.
    Note: Filter this report's results using the members and member of view filters in the View Type drop-down.

    Back to Top

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > CSV Import.

    Generating Active Directory Report via CSV Import

    Using this report you can fetch all the details of the desired users , groups and computer objects from Active Directory. While the regular Active Directory reports fetch the objects that meet a specific criteria (e.g., inactive, locked out, recently modified), this all-in-one report fetches every single detail of those objects that you specify.

    To generate this report, list the attributes of the AD objects whose details you wish to fetch in a CSV file and import it into ADManager Plus. The tool will then fetch and display all the details of the objects mentioned in the CSV file. You can also customize the report to view only the desired details and fields.

    Steps to generate this report

    1. Click the Reports tab.
    2. Navigate to User Reports > CSV Import > Report from CSV.
    3. In the Report from CSV page, select the domain in which the desired objects are located.
    4. Click Browse to select the CSV file. The tool will automatically fetch the details of the relevant objects based on the attributes mentioned in the CSV file. See a sample CSV file here.
      Note:
      • The name of the file that you select will be displayed as a link beside the Browse button. Click this link (CSV file name) if you wish to view the data that has been imported from the selected file.
      • If there is any error in the CSV file, ADManager Plus will display an appropriate error message.
    5. If you wish to refine the selection of objects further, click the Criteria link that is displayed beside the CSV file name. The criteria window will now open.
    6. For each object type (users, groups, computers), select the criteria based on which you wish to locate the desired objects in the Active Directory. For example, if you wish to fetch the details of all the users in a specific department:
      • Click the Users tab in the criteria window.
      • Select the Fetch details of user objects check box
      • Click Equals, select the department check box and close the window.
    7. Click Generate.
    8. This report displays a specific set of attributes by default, for clarity and better readability. If you wish to view more attributes or fields:
      • Click the Edit icon modify_template located at the right end of the report's header line.
      • In the Customize Attributes window, under Available Attribute, select the desired attributes from the list of attributes.
      • If the attributes or fields that you wish to view are not available in the Available Attributes list, click the More Columns link located at the bottom-right corner of the Customize Attributes window.
      • Select the desired attributes from the attributes displayed. If you wish to fetch a custom attribute, click Select Custom Attributes and select the desired attributes.
      • After selecting the desired attributes, click the Save button. You will now see a dialog box which will ask you to confirm whether you wish to regenerate the report.
        Note: To fetch the attributes or fields that are not available under the default set of attributes in Available Attributes, the report will have to be regenerated.
      • Click OK to regenerate the report.

    Sample CSV

    (To fetch the managers of individual departments)

    displayName,sAMAccountName,department,cn,manager

    John,john.sam,HR,John,"CN=Admin,DC=HROU,DC=admp,DC=com "

    David,david.sam,Finance,David,"CN=FinanceAdmin,DC=FINOU,DC=admp,DC=com "

    George,george.simon,Sales,George,"CN=SalesAdmin,DC=SALESOU,DC=admp,DC=com "

    Cathy,cathy.freeman,Marketing,Cathy,"CN=MarketingAdmin,DC=MKTGOU,DC=admp,DC=com "

    Mark,mark.edwin,Procurement,Mark,"CN=PurchaseAdmin,DC=PRODOU,DC=admp,DC=com "

    Andrew,andrew.plunkett,Information Technology,Andrew,"CN=ITAdmin,DC=ITOU,DC=admp,DC=com "

    Terminal Service Reports

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > Terminal Service Reports.

    The following reports are available in this category:

    Users' Terminal Services Properties

    This report provides the list of all users in a domain with their respective Terminal Services properties.

    How it works

    The report is generated by querying (LDAP) the domain for users and their associated Terminal Services properties.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Users with Terminal Server Access

    This report provides the list of users in a domain that have Terminal Server access.

    How it works

    The report is generated by querying the domain for users with the allow logon to terminal server access attribute enabled.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    To generate these reports in ADManager Plus, navigate to Reports > User Reports > Terminal Service Reports.

    The following reports are available in this category:

    1. Users' Terminal Services Properties
    2. Users with Terminal Server Access

    Users' Terminal Services Properties

    This report provides the list of all users in a domain with their respective Terminal Services properties.

    How it works

    The report is generated by querying (LDAP) the domain for users and their associated Terminal Services properties.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Users with Terminal Server Access

    This report provides the list of users in a domain that have Terminal Server access.

    How it works

    The report is generated by querying the domain for users with the allow logon to terminal server access attribute enabled.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can select a specific OU in each domain to view users in it.
    2. Click Generate.

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try OnboardPro

       
    Copyright © © 2025, ZOHO Corporation.All Rights Reserved.