Chat now with support
Chat with Support

Enterprise Reporter 3.5 - Report Manager User Guide

Quest Enterprise Reporter Report Manager Introducing the Report Manager Running and Scheduling Reports Creating and Editing Reports Troubleshooting Issues with Enterprise Reporter Appendix: PowerShell cmdlets

What are Published Reports?

Reporting administrators can publish reports that will be useful to their users. When a report is added to the Published Reports container, it is visible to all reporting users the next time they open their console. These reports are generally customized to suit your environment. You can base a published report on a report from the library, or you can create a new report and publish it. If you are a reporting administrator, you can edit reports directly in Published Reports; however, it is recommended that you copy reports to My Reports for editing.

If you are a reporting user, you can fill in the parameters, run the reports from the published reports container, and copy them to My Reports (see Copying Reports ) so they can be modified (see Editing Reports ).

For example, you may want to run different versions of the same report. By creating several copies in My Reports and saving the parameter values, you can save yourself time. Reports in this container may also be scheduled (see Scheduling Reports ).

See also:

What is the Report Library?

The Report Library is only visible to reporting administrators. It contains all available pre-defined reports included with Enterprise Reporter, organized by type of discovery. Reports in the library cannot be modified or moved, so you need to first copy them to My Reports or Published Reports if you would like to work with them. If reports in the library contain values in their parameters, those values will be included when the report is copied.

See also:

Reports Included in Enterprise Reporter

The reports included in Enterprise Reporter are located in the Report Library, and can only be seen by reporting administrators. The reports include the results of all discoveries that have been run on the server to which the console is connected. If you would like to customize a report, you need to create a copy in My Reports or Published Reports and modify it. If reports in the library contain values in their parameters, those values will be included when the report is copied.

See also:

Active Directory Reports

The following table describes the Active Directory reports included in the Report Library. If you are a report user, your administrator may have made some of these reports available in Published Reports. For each report, you must specify the domains on which you want to report.

You can configure Enterprise Reporter to save your favorite parameter values within each report type. Your favorites can then be loaded when running reports that contain these parameters.

For more information, see how To enter a parameter value .

 

Account Expiration Date

Shows the account expiration date for the selected accounts. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Account Operators

Shows the members of the account operators group for the selected domains. Contains a parameter to select the domains to be included in the report.

Accounts that can change any property of any user in the selected domains

Shows accounts that can change any property of any user in the selected domains. Includes any accounts that are permissioned through group membership. Contains a parameter to select the domains to be included in the report. You may also set the maximum recursion depth for this report.

The folder level value will start from zero.
Examining the path of C:\FolderA\FolderB,
C:\ is 0 levels deep.
FolderA is 1 level deep.
FolderB is 2 levels deep.

Accounts that can change group membership of any group in the selected domains

Show accounts that can change group membership of any group in the selected domains. Includes accounts that are permissioned through group membership. Contains a parameter to select the domains to be included in the report. You may also set the maximum recursion depth for this report.

Active Directory Permissions

Shows all Active Directory permissions for the selected domains and Active Directory objects. Contains parameters to select the domains, organizational units, object types, objects, and accounts to be included in the report. Also includes the option to filter inherited or explicit permissions.

Active Directory Permissions for Account

Shows the Active Directory permissions for an account, including permissions derived through group membership. Contains parameters to select the account, domains, organizational units, object types, and objects to be included in the report. Also includes the option to filter inherited or explicit permissions.

Active Directory Permissions for Account with Membership

Shows the Active Directory permissions for an account, including permissions derived through group membership. If you choose to include nested groups, membership of the groups is displayed. Contains parameters to select the account, domains, organizational units, object types, and objects to be included in the report. Also includes the option to filter inherited or explicit permissions.

All Accounts

Shows accounts of all types including trust accounts and InetOrgPerson accounts. Contains parameters to select the domains and account type to be included in this report.

All Names for Active Directory Users

Shows all the Active Directory names for the selected user accounts. Contains parameters to select the domains, organizational units and accounts to be included in the report.

Circular Nested Domain Groups

Shows information about groups which recursively contain themselves for the selected domains. Contains a parameter to select the domains to be included in the report.

Disabled Accounts

Shows all the disabled accounts for the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Accounts

Shows all the domain accounts for the selected domains. Contains parameters to select the domains, organizational units, accounts, and account scopes to be included in the report.

Domain Computer Information

Shows the domain computer information in selected domains. Contains parameters to select the domains, organizational units, and computers to be included in the report.

Domain Controller Information

Shows domain controller information for the selected domains. Contains parameters to select the domains, domain controllers, and organizational units to be included in the report.

Domain Groups

Shows all the domain groups for the selected domains. Contains parameters to select the domains, organizational units, domain groups, and group scopes to be included in the report. Also contains the option to include only security enabled groups.

Domain Groups and Members

Shows the group membership for the selected domains and groups. Contains parameters to select the domains, organizational units, and domain groups to be included in the report. Contains a parameter to include nested group memberships and options on how they are displayed in the report. For more information, see Searching for Parameter Values . Technical Documentation.

Foreign groups only appear if they were included in the applicable discovery. For more information, see the Quest Enterprise Reporter Configuration Manager User Guide in the Technical Documentation.

 

Domain Groups with Probable Owners

Shows the domain groups for the selected domains and suggests the account that manages the highest percentage of members of each group as the probable group owner. Contains a parameter to select the domains to be included in the report.

Domain Groups without Members

Shows all the domain groups which do not have any members. Contains parameters to select the domains, organizational units, and domain groups to be included in the report.

Domain Sites

Shows all the sites for the selected domains. Contains parameters to select the domains and sites to be included in the report.

Domain Summary

Shows a domain summary for the selected domains. Summary information is only available if Active Direct discovery collections that include object counts for the selected domains have been completed. Contains parameters to select the domains and organizational units to be included in the report.

Domain Trusts

Shows all the trust relationships for the selected domains. Contains parameters to select the domains and trusts to be included in the report.

Domain Users

Shows all the domain users for the selected domains. Contains parameters to select the domains, organizational units, and accounts to be included in the report. Also contains the options to include only disabled or only locked domain user accounts.

Domain Users at Risk

Shows the users who match one or more of the selected risk factors and therefore may pose a security risk in the selected domains. Includes a summary of risk factors used as criteria for this report. Contains parameters to select the domains to be included in the report. Also contains the option to include users that:

Domain Users with Recent Logons

Shows users in the selected domains who have logged on in the selected time frame. Contains parameters to select the domains, organizational units, and users to be included in the report. Also contains the option to include users that have logged on in the past _ days.

Domain Users without Recent Logons

Shows users in the selected domains who have not logged on in the selected time frame. Contains parameters to select the domains, organizational units, and users to be included in the report. Also contains the option to include users that have not logged on in the past _ days.

Group Managed Service Accounts and Members

Shows all the group managed service accounts and their members for the selected domains. If you choose to include nested groups, membership of the group members is displayed. Contains parameters to select the domains, organizational units, and group managed service accounts to be included in the report.

Group Member Comparison

Shows the direct and indirect users that are members of the selected groups. Contains parameters to select up to 5 groups.

Group Membership by Domain Account

Shows all groups to which the selected domain accounts belong. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Group Membership Comparison

Compares the direct and indirect group memberships of the selected accounts. Contains parameters to select up to 5 accounts.

Locked Out Accounts

Shows all the locked out accounts for the selected domains.Contains a parameter to select the domains to be included in the report.

Managed Service Accounts

Shows all the managed service accounts for the selected domains. Contains parameters to select the domains, organizational units, and managed service accounts to be included in this report.

Managed Service Accounts and Members

Shows all the managed service accounts and their members for the selected domains. Contains parameters to select the domains, organizational units, and managed service accounts to be included in this report.

Member Servers

Shows the member server information for the selected domains.Contains parameters to select the domains and organizational units to be included in the report.

Published Printer Information

Shows published printer information for the selected domains.Contains parameters to select the domains and printers to be included in the report.

Published Share Information

Shows published share information for the selected domains. Contains parameters to select the domains and shares to be included in the report.

Recursive Group Membership by Domain Account

Shows recursive group membership for the selected domain accounts. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Remote Access Profile (RAS) Information

Shows RAS information for the selected user accounts. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Remote Control Settings Information

Shows terminal services remote control settings of the users for the selected domains. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Resultant Kerberos Configuration for Domains

Shows the resultant Kerberos GPO configuration for selected domains. Includes a parameter to select the domains to be included in the report.

Terminal Services Profile Information

Shows terminal services profile information of the users for the selected domains. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Users At Risk Of Token Bloat

Shows the users who are at risk of token bloat in the selected domains. You can select the number of security groups permitted for users in these domains. This report will only include groups from your selected domains. Contains a parameter to select the domains to be included in the report.

Users Not Logged On In The Past 30 Days

Shows users in the selected domains who have not logged on in the past 30 days. Contains a parameter to select the domains to be included in the report.

User That Have Never Logged On

Shows users in the selected domains who have never logged on. Contains a parameter to select the domains to be included in the report.

Users with An Exchange Mailbox

Shows Active Directory Users that have an Exchange mailbox as set by the Active Directory Connector. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Health Check | Active Directory

 

Active Directory Permissions - Dangerous permissions delegated

Shows all Active Directory permissions for the selected domains and Active Directory objects. These permissions can be used to attack Active Directory. For information about attack types, see https://attack.mitre.org/mitigations/M1015/

Active Directory Permissions - Domain Controller Owners

Shows all Active Directory permissions for the selected domains and Active Directory objects. The Domain Administrators group or the Enterprise Administrators group are set as owners for domain controllers. For details, see Privileged Account Management at https://attack.mitre.org/mitigations/M1026/

Active Directory Permissions for Account (Everyone)

Shows the Active Directory permissions for an account, including permissions derived through group membership. (Excluding Deny Permissions and Change Password permissions).

Active Directory Summary

Shows the summary of Active Directory Users and Groups for the selected domains. Contains a parameter to select the domains to be included in the report.

AdminSDHolder Permissions

Shows all Active Directory permissions for the selected domains and Active Directory objects. For more information see Protected Accounts and Groups in Active Directory at https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory and Active Directory Configuration at https://attack.mitre.org/mitigations/M1015/

Domain Accounts (Users and Groups) with SID History Attribute not empty

Shows all the domain accounts for the selected domains which can leave accounts open to Access Token Manipulation: SID-History Injection attacks. Adversaries can use SID-History Injection to escalate privileges and bypass access controls. For details, see https://attack.mitre.org/techniques/T1134/005/

Domain Controllers by Site Name

Shows the domain controller per site for the selected domains. Contains parameters to select the domains and sites to be included in the report.

Domain Controllers with Global Catalog by Site Name

Shows the domain controller with global catalog per site for the selected domains. Contains parameters to select the domains and sites to be included in the report.

Domain Functional Level

Shows the domain functional level for the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Groups and Members (Pre-Windows 2000 Compatible Access)

Shows the group memberships for the selected domains and groups. If you include nested groups, the membership of the groups is displayed. For details, see https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7a76a403-ed8d-4c39-adb7-a3255cab82c5?redirectedfrom=MSDN and Exploitation of Remote Services https://attack.mitre.org/techniques/T1210/

Domain NetBIOS Name

Shows domain NetBIOS name for the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Sites without a Domain Controller

Shows domain sites that do not contain a domain controller for the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Sites without a Global Catalog

Shows domain sites that do not contain a global catalog for the selected domains. Contains a parameter to select the domains to be included in the report.

FSMO Role Holders by Forest

Shows flexible single master operation (FSMO) role holders for the selected forests. Contains parameters to select the forests and domains to be included in the report.

Number of Domain Controllers

Shows the number of domain controllers for the selected domains. Contains a parameter to select the domains to be included in the report.

Number of Domains per Forest

Shows the number of domains for the selected forests. Contains a parameter to select the forests to be included in the report.

OU Structure

Shows the OU structure for the selected domains. Contains a parameter to select the domains to be included in the report.

Read-Only Domain Controllers

Shows read-only domain controllers for the selected domains. Contains a parameter to select the domains to be included in the report.

Size of Active Directory Database

Shows the size of the Active Directory database for the selected computers. Contains parameters to select the domain and organizational units to be included in the report.

Health Check | Computer

 

Computer Services on Domain Controllers (Print Spooler)

Shows information about the services for the selected computers. (Enterprise Reporter Windows Server License must be available). More details at https://adsecurity.org/?p=4056

Disabled Computer Accounts

Shows disabled computer accounts for the selected domains. Contains parameters to select the domains and organizational units to be included in the report.

Domain Computers by Operating System

Shows domain computers per operating system for the selected domains. Contains parameters to select the domains, organizational units, and operating systems to be included in the report.

Domain Computers Having Constrained Delegation

Shows domain computers for selected domains that have constrained delegation.

Domain Computers Having SID History

Shows domain computers for selected domains that have some value specified in SID History attribute.

Domain Computers Having Unconstrained Delegation

Shows domain computers for selected domains having unconstrained delegation.

Domain Computers whose sAMAccountName Does Not End In a Dollar Sign

Shows domain computers for selected domains whose sAMAccountName does not end in a a Dollar Sign.

Health Check | Group

 

Domain Groups with Duplicate Display Names

Shows domain groups with duplicate display names in the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Groups with Only One Member

Shows domain groups with only one member for the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Groups without a Display Name

Shows domain groups without a display name for the selected domains. Contains a parameter to select the domains to be included in the report.

Privileged Domain Groups and Members

Shows the group memberships for the selected domains and groups. These privileged groups should have as few members as possible. DNSAdmins should have no members. If you include nested groups, the membership of the groups is displayed. For details, see Privileged Account Management https://attack.mitre.org/mitigations/M1026/

SID History Auditing Group available in Domain (Migration in Progress)

Shows if a SID History auditing group has been created in the domain.

Health Check | User

 

Active Directory Permissions - Delegations for Accounts that cannot be resolved

Shows all active directory permissions for the selected domains and active directory objects. These permissions can be used for attacks. For details, see Active Directory Configuration https://attack.mitre.org/mitigations/M1015/

Built-in AD Administrator Account Usage

Shows native Administrator account in selected domains who have logged in selected timeframe.

Disabled Accounts

Shows disabled accounts for the selected domains. Contains parameters to select the domains and organizational units to be included in the report.

Domain User Accounts that are Sensitive and Cannot be Delegated

Shows all domain user accounts for selected domains that cannot be delegated.

Domain Users that will Expire in Next (N) Days

Shows domain users that will expire in next N days for the selected domains. Contains parameters to select the domains and the number of days to be included in the report.

Domain Users who do not require a password

Shows all domain users for selected domains who do not require a password.

Domain Users who do not require Kerberos Pre-Authentication

Shows all domain users for selected domains where the account is configured with the "Do not require Kerberos pre-authentication" option. Kerberos pre-authentication is a security feature which offers protection against password-guessing attacks. When you do not enforce pre-authentication, a malicious attacker can directly send a dummy request for authentication.

Domain Users with Duplicate Display Names

Shows domain users with duplicate display names in the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Users with Duplicate Email Addresses

Shows domain users with duplicate email addresses in the selected domains. Contains a parameter to select the domains to be included in the report.

Domain Users with weak DES encryption enabled

Shows all domain users for selected domains that have weak DES encryption enabled. DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication.

Domain Users without a Display Name

Shows domain users without a display name for the selected domains. Contains parameters to select the domains and organizational units to be included in the report. Also contains the options to include only disabled or only locked domain user accounts.

Domain Users without a First Name

Shows domain users without a first name for the selected domains. Contains parameters to select the domains and organizational units to be included in the report. Also contains the options to include only disabled or only locked domain user accounts.

Domain Users without a Last Name

Shows domain users without a last name for the selected domains. Contains parameters to select the domains and organizational units to be included in the report. Also contains the options to include only disabled or only locked domain user accounts.

Exchange Mailbox Users with Duplicate Display Names

Shows exchange mailbox users with duplicate display names in at least two selected domains. Contains a parameter to select the domains to be included in the report.

Exchange Mailbox Users without a Display Name

Shows Active Directory users without a display name that have an Exchange mailbox. Contains parameters to select the domains, organizational units, and accounts to be included in the report.

Expired Accounts

Shows expired accounts for the selected domains. Contains a parameter to select the domains to be included in the report.

Golden Ticket Mitigation - Last Password Change for krbtgt account

Shows user password information for the krbtgt account. Attackers who have the krbtgt account password hash can forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.

Privileged Accounts that are Sensitive and Cannot be Delegated

Shows all privileged accounts for selected domains that are configured with the "Account is sensitive and cannot be delegated" option.

Privileged Accounts that have Not Logged In

Shows privileged accounts in selected domains having unchanged passwords and have not logged in.

Privileged Accounts Vulnerable to the Kerberoast Attack

Shows all privileged user accounts that are vulnerable to the Kerberoast attack. Kerberoasting is an attack technique that attempts to crack the password of a service account within the Active Directory.

Privileged Accounts with Unchanged Passwords that Logged In

Shows privileged accounts in selected domains having unchanged passwords and have logged in.

User Account(s) that have Constrained Delegation

Shows all the domain users for the selected domains that have TRUSTED_FOR_AUTH_DELEGATION enabled. For details, see https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

User Account(s) that have Unconstrained Delegation

Shows all the domain users for the selected domains that have TRUSTED_FOR_DELEGATION enabled. For details, see https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Users That Cannot Change the Set Password

Shows users that cannot change the set password for the selected domains. Contains parameters to select the domains and organizational units to be included in the report.

Users with Password Set to Never Expire

Shows users with password set to never expire for the selected domains. Contains parameters to select the domains and organizational units to be included in the report.

Migration Assessment

 

Detailed Computer Information for Migration

Shows detailed information for the selected computers. The report includes the following sections to assist with migration efforts: for Local Groups, Local Administrators, Installed Software, Services, User Profiles, Shares and IP Addresses.

Note: Computer detail information is only available if Computer and Active Directory collections that include the selected computers have been completed.

Contains parameters to select the domains and computers to be included in the report.

Duplicate Domain Computers

Shows duplicate computers in the selected domains. Two or more domains must be specified. Contains a parameter to select the domains to be included in the report.

Duplicate Domain Groups

Shows duplicate groups in the selected domains. Two or more domains must be specified. Contains a parameter to select the domains to be included in the report.

Duplicate Domain Users

Shows duplicate users in the selected domains. Two or more domains must be specified. Contains a parameter to select the domains to be included in the report.

QMM Matching Computers

Shows computers that have been migrated (using Quest Migration Manager) from the selected source domain into the selected target domain by comparing the Object GUID of the source computer to the Extension Attribute 15 of the target computer. Contains parameters to select the source domain and the target domain for this report.

QMM Matching Groups

Shows groups that have been migrated (using Quest Migration Manager) from the selected source domain into the selected target domain by comparing the Object GUID of the source group to the Extension Attribute 15 of the target group. Contains parameters to select the source domain and the target domain for this report.

QMM Matching Users

Shows users that have been migrated (using Quest Migration Manager) from the selected source domain into the selected target domain by comparing the Object GUID of the source user to the Extension Attribute 15 of the target user. Contains parameters to select the source domain and the target domain for this report.

Passwords

 

Accounts that can change or reset password for any user in the selected domains

Shows accounts that can change or reset the password of any user in the selected domains. Includes any accounts that are permissioned through group membership. Contains a parameter to select the domains to be included in the report. You may also set the maximum recursion depth for this report.

The folder level value will start from zero.
Examining the path of C:\FolderA\FolderB,
C:\ is 0 levels deep.
FolderA is 1 level deep.
FolderB is 2 levels deep.

Domain Users with Changed Passwords

Shows all domain users who have changed their password in the selected time frame for the selected domains. Contains parameters to select the domains, organizational units, and users to be included in the report. Also contains the option to include users with passwords that have changed in the past _ days.

Domain Users with Expired Passwords

Shows all users with expired passwords for the selected domains. Contains parameters to select the domains, organizational units, and users to be included in the report.

Domain Users with Older Passwords

Shows all the users who have not changed their password in the selected time frame for the selected domains. Contains parameters to select the domains, organizational units, and users to be included in the report. Also contains the option to include users with passwords older than _ days.

Last Password Change and Logon for Domain Computers

Shows the last password change and last logon for computers in the selected domains. Contains parameters to select the domains, organizational units, and computers to be included in the report.

User Password Information

Shows user password information for the selected domains. Contains parameters to select the domains, organizational units, domain users, and accounts to be included in the report.

 

 

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating