What is the Security View?

The ADsecurity Security View is used for creating, modifying, and running security reports. It contains Active Directory Security Reports, File & Share Security Reports, Mailbox Security Reports, and Printer Security Reports. In addition, the Security View contains several security tools used to manage ACLs on your network, available in the ribbon.



Security View Layout



General

The Security View in ADsecurity provides an easy way to view and modify security reports, as well as modify ACLs throughout your network. The interface is divided into four main components, described in detail below.

The Ribbon
The ribbon is positioned across the top of the interface, and has buttons to switch report categories, create a new report, or modify the currently open report. It also contains links to the Search & Replace and Analyze & Clean tools.

Report Tree
The Report Tree is shown on the far left side of the interface. It contains the reports within the selected category in the ribbon bar.

Report Properties
The Report Properties pane is displayed to the immediate right of the Report Tree and contains all of the settings for the currently selected report in the Report Tree.

Report Preview
The Report Preview pane is shown on the far right side of the interface, and displays a preview of the selected report in the Report Tree.

The Ribbon



The ribbon in the report view provides three primary functions:

  1. Switching between report categories
  2. Modifying the current category by adding, removing, or editing reports
  3. Launching tools to manage ACLs on your network

You can switch between report categories by clicking a button in the Security Reports panel. Selecting a report category from the ribbon populates the Report Tree with reports from that category. By default, the Active Directory Security Reports category is selected.

The buttons in the Report Editor and Preview panels in the ribbon are used for modifying the currently selected category. The New Report button will launch the New Report Wizard to guide you through the process of creating a new report. The New Folder button will create a new folder in the Report Tree to help you organize your reports. The Delete button will remove the selected folder or report from the Report Tree. The Make a Copy button will make a copy of the selected report. The Save button is used to save any modifications to the currently open report. Finally, the Run button will run the currently selected report. As you might expect, the Zoom In and Zoom Out buttons will control the Report Preview pane, allowing you to get a better look at the sample report.

The remaining buttons on the ribbon are used to launch tools for modifying ACLs. Use the Search & Replace tools to make changes to specific ACEs. The Analyze & Clean tools are used for identifying and repairing common problems in ACLs. The final button, Undo, is used to undo changes made by the Search & Replace or Analyze & Clean tools.

Report Tree

The Report Tree displays all reports in the currently selected category. Selecting a report from this tree will load the report into the Properties Pane and Preview Pane to the right. Reports are sorted within folders. You can create new folders for organizing your reports using the New Folder button in the Report Editor panel of the ribbon.


Report Properties

The Report Properties pane contains all of the properties for the currently selected report in the Report Tree. The properties are divided into groups as follows:

| Property Group | Description |
| --- | --- |
| Header | Set the title and sub-title text. |
| Footer | Set the footer text and choose whether or not to display a page number and date. |
| Columns | Modify existing columns on the report, and set which column to use as the sort column. |
| Scope | Set the scope of the report and a filter to apply if you don't wish for every item within the scope to appear on the report. |
| Ace Options | Toggle showing the owner, permission, and auditing rights of the ACL in the report output. |
| Display Options | Specify additional display options for security reports. The contents of this section depend on the specific type of report. |
| Layout | Set the paper properties for the report. These properties only apply to reports if they are printed. |
| Output | Choose whether to automatically save or email the report after it runs. |

Modifying Report Columns



The Report Properties pane also contains four buttons along the top to modify the report columns. Click the first icon to add a new column to the report. Click the second button to remove the selected column. The third and fourth buttons will move the selected column up or down within the report.

Report Preview

The Report Preview pane displays a preview of the report populated with sample data, if possible. Any changes made in the Report Properties pane will be reflected here. Although the Report Preview pane is designed predominantly as a Print Preview feature, it is possible to modify some properties, such as the Column Width property for each column, by interacting directly with the report in the Report Preview.





Clicking on any component of the report in the preview will select the corresponding property in the Report Properties pane. You can adjust the column sizes in the preview by dragging the dividing lines between the columns in either direction. Also, you can change a column's properties by double-clicking on the column's header in the Report Preview.


New Report Wizard

The New Report Wizard is used to create new, custom, Active Directory reports. To access the New Report Wizard, click the New Report button in the ribbon. After clicking Next on the introductory page, you'll be presented with the Header and Footer page. The following sections of this document will explain this page, and each of the remaining pages of the New Report Wizard.

Header and Footer Page



The Header and Footer page allows you to add title, subtitle, and footer text to the report. The title of the report must be unique, but the subtitle and footer text can contain whatever information you'd like. Also on this page, you can choose to display the date and/or page numbers in the footer of the report.

Columns Page



The Columns page allows you to set up the columns on the report. By default, an appropriate name column is added to the report based on the type of report you're creating. For instance, a column that shows the canonicalName attribute is automatically added to reports in the User Reports category. You can select this column and use the Modify button to change properties for the column. This includes setting which AD Attribute (or Common Property) the column will display, the width of the column, and the column title and formatting. The Add button is used to add new columns to the report. The Remove button is used to delete the selected column from the report. And, as you might expect, the Move Up and Move Down buttons will shift the selected column accordingly. At any time, you can refer to the preview pane at the bottom of the page to see how the columns will look on the report.

Security Rights Page

The Security Rights page is used to filter which security rights will appear on the report. This page is slightly different for each category of security reports, so we'll look at each one separately:

Active Directory Security Reports



Use the Security Rights section to choose which types of security rights to display on the report:

| Security Right | Description |
| --- | --- |
| Owner | Display the owner of the object on the report. |
| Permissions | Display the ACL permissions on the report. |

Use the Objects section to filter the object types to display on the report:

| Object Type | Description |
| --- | --- |
| Containers | Show permissions for containers on the report. |
| Leaf Objects | Show permissions for all leaf objects on the report. Note: You may not select this option and Selected Object Types at the same time. |
| Selected Object Types | Choose this option if you only want to see permissions for leaf objects of type User, Group, Computer, Contact, and/or Printer. Use the checkboxes on the right to choose which of these object types will appear on the report. Note: You may not select this option and Leaf Objects at the same time. |

File & Share Security Reports



Use the Security Rights section to choose which types of security rights to display on the report:

| Security Right | Description |
| --- | --- |
| Owner | Display the owner of the object on the report. |
| Permissions | Display the ACL permissions on the report. |
| Auditing | Display the auditing rights of the ACL on the report. |

Use the Objects section to filter the object types to display on the report:

| Object Type | Description |
| --- | --- |
| Shares | Show permissions for shares on the report. |
| Directories | Show permissions for directories on the report. |
| Files | Show permissions for individual files on the report. |

Mailbox Security Reports



Use the Security Rights section to choose which types of security rights to display on the report:

| Security Right | Description |
| --- | --- |
| Owner | Display the owner of the object on the report. |
| Permissions | Display the ACL permissions on the report. |

Print Queue Security Reports



Use the Security Rights section to choose which types of security rights to display on the report:

| Security Right | Description |
| --- | --- |
| Owner | Display the owner of the object on the report. |
| Permissions | Display the ACL permissions on the report. |
| Auditing | Display the auditing rights of the ACL on the report. |

Report Scope Page



The Report Scope page is used for choosing which objects will appear on the report. The grid at the top of the page is used to specify containers in which to search for objects to add. In the image above, our report is set to display every user within the Javelina Software/Engineering OU, and every user directly within the Javelina Software/Sales OU. It will not include users within Javelina Software/Sales/Maryland, because of the scope level of This Object and Its Children.

The filter grid below is used to further limit the objects in these containers. Only objects that match the filter specified will be shown on the report. For more information on using filters, see How do I create a filter? in the FAQs.

Report Output Page



The Output page has options for automatically saving and emailing the completed report. Check the Create an output file with the names and data contained in the report box to set the report to automatically save itself to a file after executing.

Select a file type and separator from the combo boxes, then browse for a location to store the report file. You can use the %reportname%, %year%, %month%, %day%, and %time% parameters in the file name field to avoid conflicts with existing files. For an example of how these parameters are used, click the down arrow at the end of the field to see existing name templates.

At the bottom of this page is a checkbox labeled Send output via email. Select this box, then enter the email address for one or more recipients in the To: field, to have the report automatically email itself after execution. You can click the Options button to see more email settings.

Ok, now what?

Once you've completed the New Report Wizard, your new report will appear in the Report Tree on the far left side of the report view and be opened into the Report Properties and Preview panes. You can run your newly created report by clicking the Run button in the ribbon.


Security Tools

In addition to Security Reports, the Security View has several tools used to modify ACLs on your network. These tools are located on the far right of the ribbon in the Search & Replace, Analyze & Clean, and Edit panels.



There are two versions of the Search & Replace and Analyze & Clean tools, one that works on Active Directory object ACLs and one that works on file ACLs. As the two versions are quite similar, we'll discuss them together below. The final button on the ribbon, Undo, is used for undoing changes made by any of the security tools.

Using Undo Files

In order to undo changes made by the Security tools, an Undo file must have been created at the time the tool was run. Without this file, it is not possible to revert changes made by these tools. Take a cautious approach when modifying ACLs on your network.

Search & Replace ACL tools



ADsecurity's Search and Replace ACLs tools are used to make security changes in bulk on your network. These tools have 4 main modes, which you can switch between using the Options checkboxes:

| Mode | Description |
| --- | --- |
| Search & Replace | This is the default mode. Find all instances of the object in the Find what field and replace them with the object in the Replace with field. |
| Remove object instead of replacing | Find all instances of the object in the Find what field and remove them. Ignores the Replace with field. |
| Add object instead of replacing | Find all instances of the object in the Find what field and add the object in the Replace with field to the ACL, using the same permissions as the Find object. |
| Replace always | Set the owner to the object in the Replace with field. Ignores the Find what field. |

The Replace in options tell the tool where in the ACL to perform the action. In Search & Replace mode, the tool can replace in the Owner field, the ACL, or both. In Add and Remove mode, the tool can only replace in ACLs, and in Replace Always mode, the tool is limited to Owner fields.

The final set of controls on this page relate to creating an Undo file. Check the Create an Undo file box and specify a filename to save a record of the operations performed by the tool. Without an undo file, it is impossible to revert changes made by the Search & Replace tools.

The Locations tab allows you to limit the scope of the tool. Add locations to the grid with the Select button, delete locations with the Remove button, and modify how deep to scan each location by selecting it and choosing an option from the Scope Level button.

Analyze & Clean ACL tools



ADsecurity's Analyze and Clean ACLs tools are used to find and repair common security problems on your network. Below is a list of common security issues that ADsecurity can scan for:

| Issue | Reason |
| --- | --- |
| User/Computer names appearing in the ACL | Generally, we recommend avoiding the names of specific accounts in permissions. If the account is deleted, or changes roles within your organization, it can be painful to change the security rights to match. Instead, we recommend that groups be created to represent security roles (e.g. Domain Admins, HelpDesk Workers) and security rights be set using these role groups. ADsecurity can scan for and warn you of any objects with individual user or computer accounts in the ACL. |
| User/Computer names appearing in the Owner Field | This is recommended against for the same reason as above. It is preferable to use groups to assign security rights. |
| Check for empty ACLs | Empty ACLs will deny access to all users. |
| Check for missing ACLs | Missing ACLs will allow access to all users. |
| Check for deleted objects in ACEs | When individual user accounts are included on the ACL, they can leave behind remnants if the user is moved or deleted. ADsecurity can check for deleted objects in ACLs and remove them. |
| Check for unknown SIDs in ACEs | Unknown SIDs may refer to previously deleted accounts. In this case, it is safe to remove them from any ACLs on your network. |

ADsecurity can remove deleted objects from ACEs and/or remove unknown SIDs from ACEs. To do this, check the corresponding boxes in the Clean ACLs section and click the Run button to proceed. We recommend that you create an Undo file so that you can revert the changes if they cause problems.

As in the Search & Replace tools, the Locations tab allows you to limit the scope of the tool. Add locations to the grid with the Select button, delete locations with the Remove button, and modify how deep to scan each location by selecting it and choosing an option from the Scope Level button. After the search locations are finalized, click Run to run the tool. Tools can be run on a schedule by selecting Run Later from the Run dropdown, or run in simulation mode with the Run Simulation option. A simulation shows the same output as a normal run, but no changes are made.
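
The issue types listed above, including the difference between an empty ACL and a missing one, can be seen in a small read-only check over SDDL security descriptor strings. This is an added example, not ADsecurity code. The domain SID, the DIRECTORY lookup and the sample descriptors are constructed, and treating an absent D: component or D:NO_ACCESS_CONTROL as a missing ACL is an assumption of this simplified parser.

```python
import re

DOM = "S-1-5-21-1111-2222-3333"   # constructed domain SID
# Constructed stand-in for a directory lookup: SID -> object class.
DIRECTORY = {f"{DOM}-1104": "user", f"{DOM}-1201": "computer", f"{DOM}-1310": "group"}

def components(sddl):
    """Split an SDDL string into its O:, G:, D: and S: parts."""
    return dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))

def classify(sid):
    """Return an issue label for a trustee, or None if it is acceptable."""
    if not sid.startswith("S-1-5-21-"):   # SDDL alias or well-known SID
        return None
    kind = DIRECTORY.get(sid)
    if kind is None:
        return "unknown SID"
    return f"{kind} account" if kind in ("user", "computer") else None

def analyze(sddl):
    """Return sorted findings for one security descriptor (no changes made)."""
    parts, findings = components(sddl), set()
    issue = classify(parts.get("O", ""))
    if issue:
        findings.add(f"owner: {issue}")
    dacl = parts.get("D")
    if dacl is None or "NO_ACCESS_CONTROL" in dacl:
        return sorted(findings | {"missing ACL: access allowed to all users"})
    aces = re.findall(r"\(([^)]*)\)", dacl)
    if not aces:
        findings.add("empty ACL: access denied to all users")
    for ace in aces:
        fields = ace.split(";")           # the trustee is the sixth ACE field
        issue = classify(fields[5]) if len(fields) > 5 else None
        if issue:
            findings.add(f"ACE: {issue}")
    return sorted(findings)

# Constructed sample descriptors, one per finding type.
SAMPLES = {
    "clean":   f"O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;{DOM}-1310)",
    "empty":   "O:BAG:SYD:",
    "missing": "O:BAG:SY",
    "named":   f"O:{DOM}-1104G:DUD:(A;;FA;;;{DOM}-1201)",
    "orphan":  f"O:BAG:SYD:(A;;FR;;;{DOM}-9999)",
}

for name, sddl in SAMPLES.items():
    print(f"{name:8}", analyze(sddl))
```

Like the tool's simulation mode, the check only reports. A SID absent from the lookup is reported as unknown rather than removed.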