Active Directory User Reports


All Users

Provides the details of all the users of the selected domain(s). For the domains to be listed here, you should have added all the domains from the Domain Settings page.

How it works : The report is generated by querying the LDAP for all users with the attribute 'objectClass' set to 'user' i.e. 'objectClass=user'

To view the report, select the domian(s) and click Generate. You can select a specific OU in each domain to view users in it.

Users with Empty Attributes

This reports enables the administrators to find the list of users who do not have any value specified for a particular attribute. Apart from the critical attributes, this report will also check the users' custom attribtues and fetch those users whose custom attributes are empty.

How it works : The report is generated by querying the LDAP for all users with the attributes "(!physicalDeliveryOfficeName=*)(!telephoneNumber=*)(!streetAddress=*)(!l=*)(!postalCode=*)(!homePhone=*))". Apart from this ADMP can also choose other attributes.

To view the report, select the domain(s), attribute, and click Generate.

Users with Duplicate Attributes

Provides the details of all users in a domain, having duplicate attributes. This report is available under the General category of User Reports.

How it works : The report is generated by querying the LDAP for all users with duplicate attributes specified.

To view the report, select the Domain, Attribute (By clicking on) and click Generate.

Users without Managers

This report enables the administrators to find the list of users who do not have any managers assigned to them.

How it works : The report is generated by querying the LDAP for all users with the attribute "(!manager=*)"

To view the report, select the domain (s) and click Generate.

Manager based Users

Provides the list of users that directly report to the user (Manager). The users listed as report are those that have the manager property set to this user.

How it works : The report is generated by querying the LDAP for all users with the attribute" (manager=CN=Administrator,CN=Users,DC=sample,DC=testdomain,DC=com)

To view the report, select the Domain, Manager, and click Generate.

All Managers

Provides the list of Manager users in the domain.

To view the Report, click AD Reports tab - -> All Managers --> Select the domain and then click Generate

Users in more than one Group

Provides the details of the users belonging to more than one group. The Member Of column in the reports provides the group names where the user is a member.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(memberOf=*))"

To view the report, select the domain (s) and click Generate.

Users in more than one Group

Provides the details of the users belonging to more than one group. The Member Of column in the reports provides the group names where the user is a member.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(memberOf=*))"

To view the report, select the domain (s) and click Generate.

Recently Deleted Users

Provides the list of user accounts that have been deleted recently. By default, AD maintains the deleted list for a period of 60 days, which can be extended to a max. of 120 days. The deleted user accounts shown in the report pertains to the max. period set in the AD.

How it works : The report is generated by querying the LDAP for all users with the attribute "(!(objectClass=contact))(isDeleted=TRUE)"

To view the report, select the domains, specify the desired time period using the options provided (today, yesterday, on a specific date, before a specific date, after a specific date, last N days, this week, this month, any custom period, etc.), and click Generate.

Recently Created Users

Provides the details of the user accounts created recently. This is determined based on the value contained in the whenCreated attribute.

How it works : The report is generated by querying the LDAP for all users with the attribute whenCreated.

To view the report, select the domain (s), specify the desired time period using the options provided (today, yesterday, on a specific date, before a specific date, after a specific date, last N days, this week, this month, any custom period, etc.), and click Generate.

Recently Modified Users

Provides the details of the user accounts modified recently. This is determined based on the value contained in the ModifyTimeStamp attribute

How it works : The report is generated by querying the LDAP for all users with the attribute "(modifyTimeStamp>=20061221120200.0Z)"

To view the report, select the domain (s), specify the desired time period using the options provided (today, yesterday, on a specific date, before a specific date, after a specific date, last N days, this week, this month, any custom period, etc.), and click Generate.

Photo Based Reports

This report helps you identify all the AD users for whom a profile picture has been uploaded or the ones who don't have a profile picture.

How it works : For 'Users with Photo' option, this report queries the LDAP for all the users who have the attribute 'thumbnailPhoto' configured. If the 'Users without Photo' option is selected, this report fetches all the users for whom the LDAP attribute 'thumbnailPhoto' is not configured.

To generate this report, click the AD Reports tab. Click the 'User Reports' link in the left pane. Under 'General Reports', click the 'Photo Based Reports' link. Select the required domains and the corresponding OUs, select the required option (Users with Photo/Users without Photo) and click the Generate button.

Dial-in Allow Access

This report generates the list of users who have access to Dial-in.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

To view the report, select the domain (s) and click Generate.

Dial-in Deny Access

This report generates the list of users who don't have access to dial-in.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(|(msNPAllowDialin=FALSE)(!(msNPAllowDialin=*))))"

To view the report, select the domain(s) and click Generate.

Users with logon script

Logon scripts are those which run automatically when machine is turned on. This report generates the list of users who have been furnished with logon scripts.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(scriptPath=*))"

To view the report, select the domain (s) and click Generate.

Users without logon script

Logon scripts are those which run automatically when users machine is turned on. This report generates the list of users who do not have logon scripts.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(!(scriptPath=*)))"

To view the report, select the domain (s) and click Generate.

Lync Enabled Users

This report fetches all the users who have the Skype for Business or Lync Server communication enabled for them.

How it works : ADManager Plus checks the 'msRTCSIP-UserEnabled' attribute of users and displays all the users for this attribute is set as True.

To view the report, select the Skype for Business/Lync Enabled Users report from the list of General Reports in the User Reports section, select the required domains and OUs and click on Generate.

Lync Disabled Users

This report fetches all the user accounts for whom the Skype for Business / Lync Server communication is disabled.

How it works : ADManager Plus checks the 'msRTCSIP-UserEnabled' attribute of users and displays all the users for whom this attribute is set as False.

To view the report, select the Skype for Business/Lync Disabled Users report from the list of General Reports in the User Reports section, select the required domains and OUs and click on Generate.

Disabled Users

Provides the details of the user accounts that are disabled. User accounts can be disabled as a security measure to prevent a particular user from logging on, rather than deleting the user account.

How it works : The report is generated by querying the LDAP for all users with the attribute "(userAccountControl = ADS_UF_ACCOUNTDISABLE)"

This report is auto-generated everyday at 6.00 AM. To view the disabled user accounts of a different domain, select the domain (s) and click Generate.

Locked Out Users

Provides the details of the user accounts that have been locked out. The user account will get locked on frequent bad login attempts. The Account Lock Out Policy specifies the allowed number of bad login attempts after which the account will be locked. The account will be automatically unlocked after sometime.

How it works : The report is generated by querying the LDAP for all users with attribute "lockoutTime".

This report is auto-generated everyday at 6.00 AM. To view the locked user accounts of a different domain, select the domain(s) and click Generate.

Account Expired Users

Provides the details of the user accounts that have expired. The report is generated for the default domain.

How it works : The report is generated by querying the LDAP for all users with the attribute "(!(accountExpires=0))(!(accountExpires=never))(accountExpires<=currentTime)"

To view the expired user accounts of a different domain, select the domain (s) and click Generate.

Recently Account Expired Users

Provides the details of the user accounts whose account has expired in the specified number of days.

How it works : The report is generated by querying the LDAP for all users with the attribute "(!(accountExpires=0))(!(accountExpires=never))(accountExpires>=SpecifiedTime)(accountExpires<=CurrentTime)"

To view the report, select the desired domains; if you know the exact OUs, select them by clicking the Add OUs link. Specify the desired time period using the options provided (today, yesterday, on a specific date, before a specific date, after a specific date, last N days, this week, this month, any custom period, etc.), and click Generate.

Soon-to-expire User Accounts

Provides the details of the user accounts that will expire within the specified number of days.

How it works : The report is generated by querying the LDAP for all users with the attribute "(!(accountExpires=0))(!(accountExpires=never))(!(accountExpires<=CurrentTime))(accountExpires<=SpecifiedTime)"

To view the report, select the domain (s), specify the desired time period using the options provided (today, tomorrow, on a specific date, before a specific date, after a specific date, this week, this month, next month, next N days, any custom period, etc.), and click Generate.

Account never expire users

Provides the details of the user accounts which will never expire.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=never)))"

To view the report, select the domain (s), specify the number of days, and click Generate.

Smart Card Enabled Users Report

Provides the details of all users in the domain enabled with smart card login permissions.

How it works : The report is generated by querying the LDAP for users with their account properties set to 'smart enabled for login'.

To view the report, select the Domain, OUs (By clicking on ) and click Generate.

Inactive Users

Provides details of the users who have not logged on for the past 'n' days. The inactive users are determined based on their last logon time. All the configured domain controllers are scanned for the last logon time to ensure accuracy. However, if any of the DC's could not be contacted while report generation, the data may be incomplete.

How it works : The report is generated by querying the LDAP for all users with the attribute (&(objectClass=user)(objectCategory=person)(!(sAMAccountType=805306370))(&(|(!lastlogon=*)(lastlogon<=%s))(|(!lastlogontimestamp=*)(lastlogontimestamp<=%s))))

This report is auto-generated everyday at 6.00 AM. To view the details for a different period, specify the desired time period using the options provided (today, before a specific date, last N days, last month, this month, any custom period, etc.), and click Generate.

Note : Users logged on through VPN and users who have not logged out for the specified period will be shown as inactive.

Recently Logged on Users

Provides the details of the users who have logged on in the past 'n' days. The recently logged on users are determined based on their last logon time. All the configured domain controllers are scanned for the last logon time to ensure accuracy. However, if any of the DC's could not be contacted while report generation, the data may be incomplete.

How it works : The report is generated by querying the LDAP for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(|(lastLogon>=%s)(&(lastlogontimestamp=*)(lastlogontimestamp>=%s))))

To view the report, select the domain (s), specify the desired time period using the options provided (today, after a specific date, last N days, last 7/30/60 dasys, this week, etc.), and click Generate.

Logon Hour Based Report

Enables to determine the users who have/do not have permission to login on the specified time for the specified days. For example, you can find the list of users who have login permissions on all days from 9.00 to 17.00 hrs

How it works : The report is generated by querying the LDAP for all users with the attribute "logonHours" for specified time.

To view the report, specify the following parameters and click Generate:

  • Select the domain(s)
  • Select the days
  • Specify the start and end time
  • Specify whether you require the permitted users list or denied users list for the above period

Users Never Logged On

Provides the list of users who have not logged on to the domain. All the configured domain controllers are scanned to get the details.

How it works : The report is generated by querying the LDAP for all users with the attribute (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(&(|(!lastlogon=*)(lastlogon=0))(|(!lastlogontimestamp=*)(lastlogontimestamp=0))))

To view the report, select the domain (s) and click Generate.

Enabled users

This report generates the list of all the enabled user accounts in desired domain, to see the results for a specific Organizational Unit click ADD OU's.

How it works : The report is generated by querying the LDAP for all users with the attribute "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

To view the report select a domain and click Generate .

Real Last Logon Report

Provides the details of the latest last logon time of all users in a domain.<

How it works : The report is generated by querying all the Domain controllers in the domain, i.e. DCs configured under domain settings of ADManager plus, for the users' last logon time and logon count.

To view the report,

  • Click on Real Last Logon link under AD Reports.
  • Select the domain.
  • Click the Advanced Filter link to obtain more options.
  • Click on the Generate button.

Users in Groups

Provides the details of the users of selected group

How it works : The report is generated by querying all users and checking whether 'memberOf' value is same as specified Group.

To view the report, select the domain and the groups and click Generate.

Groups for Users

Provides the details users in the nested groups, i.e., groups that contain other groups as its members in the domain. This will list the group that the specified user is a member and all the other groups where the users' group is a member.

How it works : The report is generated by querying the LDAP for all groups and checking whether member is specified user.

To view the report, select the Domain, Users (By clicking on select) and click Generate.

Users not in a Group

Provides the details of the users who are not members of a specified group.

How it works : The report is generated by querying the LDAP for all users and check 'memberOf' is specifiedGroup.

To view the report, select the domain and the group and click Generate.

Members only of Domain User Group

Provides the details of the users that are members of the Domain User Group alone.

How it works : The report is generated by querying the LDAP for all users with attributes (&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(primaryGroupID=513)(!(memberOf=*)))

To view the report, select the domain and click Generate.

Generating Active Directory Report via CSV Import


Using this report you can fetch all the details of the desired user accounts and computer objects from Active Directory. While the regular Active Directory reports fetch the accounts that meet a specific criteria (such as inactive, locked out, recently modified, etc.), this 'all-in-one' report fetches every single detail of those objects that you specify.

To generate this report, list the names of the accounts whose details you wish to fetch in a CSV file, and import it into ADManager Plus. The tool will then fetch and display all the details of the accounts mentioned in the CSV file. You can also customize the report to view only the desired details/fields.

Steps to generate this report

  1. Click the AD Reports tab.
  2. In User Reports, click the Report from CSV link located under CSV Import.
  3. In the Report from CSV page, select the domain in which the desired objects are located.
  4. Click the Browse button and select the CSV file which contains the names of the objects whose details you wish to ?fetch. The tool will automatically fetch the details of the relevant objects based on the attributes mentioned in the CSV file. Sample CSV file

      Note:

    • The name of the file that you select will be displayed as a link beside the 'Browse' button. Click this link (CSV file name) if you wish to view the data that has been imported from the selected file.
    • If there is any error in the CSV file, ADManager Plus will display an appropriate error message.
  5. If you wish to refine the selection of objects further, click the Criteria link that is displayed beside the CSV file name. The criteria window will now open up.
  6. For each object type (users, computers), select the criteria based on which you wish to locate the desired accounts in the Active Directory. For example, if you wish to fetch the details of all the users in a specific department,
    • Click the users tab in the criteria window
    • Select the fetch details of user objects check box
    • Click the Equals option, select the department checkbox and close the window
  7. Click the Generate button
  8. This report displays a specific set of attributes by default, for clarity and better readability. If you wish to view more attributes/fields,
    • Click the Edit icon located at the extreme right end of the report's header line
    • In the Customize Attributes window, select the desired attributes from the list of attributes under Available Attribute
    • If the attributes/fields that you wish to view are not available in Available Attributes list, click the More Columns link located at the bottom right corner of the Customize Attributes window
      Note: To fetch an attribute not present in the Available Attributes list, you will have to generate/run the report again.
    • Select the desired attributes from the attributes displayed. If you wish to fetch a custom attribute, click the Select Custom Attributes link and select the desired attributes
    • After selecting the desired attributes, click the Save button. You will now see a dialog box which will ask you to confirm whether you wish to regenerate the report.
      To fetch the attributes/fields that are not available under the default set of attributes in Available Attributes, the report will have to be regenerated.
    • Click OK to regenerate the report.

Sample CSV

(To fetch the managers of individual departments)

Go to Top Go to Top