Active Directory-Reporting-Tools dot com

Helpful Comparisons of Active Directory Reporting Tools

Helpful Comparisons of Active Directory Reporting Tools

Reporting is an essential component of IT management and Active Directory is the heart of identity and access management and reporting in Microsoft Windows Server based IT infrastructures, particularly for security audit and regulatory compliance.

Active Directory Reports

IT personnel often use Active Directory reporting tools to fulfill their security and access reporting needs. This website provides helpful evaluation factors and tool comparisons of the main Active Directory reporting tools available to help IT personnel make well-informed decisions.

You can either first review the Seven Essential Evaluation Factors, or proceed directly to review the Tool Comparisons.

I. Seven Essential Factors to Consider When Evaluating an Active Directory Reporting Tool –

The following is a list of 7 essential factors that must be considered when evaluating the suitability of an Active Directory reporting tool to fulfill your reporting needs, because, together, these 6 factors provide a well-rounded and objective basis that can help you make a well-informed decision –

Trustworthiness

This is one of the most important yet one of the most overlooked aspects of an Active Directory reporting solution.

It is very important because Active Directory reporting solutions are very often installed on administrative machines and/or used by highly-privileged administrators and thus, in most cases, run in highly powerful administrative contexts. The integrity of (the code of) the reporting solution is thus of utmost importance, because should the code be tamperable or malicious (accidentally or intentionally), it could very quickly inflict substantial damage to organizational security.

The trustworthiness of a reporting solution depends on many factors, such as who built it, where is it built, the physical, system and network security afforded to the tool's code-base, the degree to which the application's integrity can be protected, the proficiency of the developers of the tool, the expertise upon which its reports are engineered, and so on.
Reporting Essentials

This aspect involves an assessment of the essential reporting capabilities of an Active Directory reporting tool, such as the types of reports it can generate (e.g. security, access), the formats it can generate them in (e.g. CSV, HTML etc.), the ease of use, the ability to customize reports (e.g. custom fields, titles, descriptions etc.), and whether the tool offers real-time reporting or reporting based on data pulled into a database at frequent intervals, and so on.
Security Reporting

This aspect involves an assessment of the security reporting capabilities of an Active Directory reporting tool, assessing the various IT management categories covered by the reporting by the tool (e.g. user account management, security group management, etc.) It also takes into account certain specific high-value reports such as true last-logon reports and nested group membership reports, which many organizations find valuable and consider as important.
Access Reporting

This aspect involves an assessment of the ability of the Active Directory reporting tool to generate true access reports.

A true access report is one that accurately determines resultant access in Active Directory to reveal who actually has what access in Active Directory. These are also commonly referred to as delegated access reports or effective access reports. Many reporting solutions claim to offer access reports, but in fact these are not true access reports, but merely security permission reports which simply assess and show who has what permissions in Active Directory.

Who has what permissions in Active Directory is absolutely not the same as who really has what access in Active Directory. This is because the presence of a permission by itself does not determine resultant access, but in fact is just the starting point in making that determination. There are more than one dozen factors that influence who really has what access in Active Directory, and who has what permissions is merely the first factor.

If a vendor claims that they offer access reports, organizations should seek clarification as to whether these are true access reports, or merely security permission reports, as the difference is vast, and because accuracy is absolutely vital when it comes to security, overlooking this factor could in fact lead you to make false access conclusions that endanger security.
Additional Capabilities

This aspect involves an assessment of any additional capabilities that a reporting tool might offer. For example an Active Directory reporting tool could offer the ability to view Active Directory ACLs to search for Active Directory objects.

Additional capabilities enhance the tool's value proposition and subsequently its usefulness and value.
Deployment Overhead

This aspect covers another important yet often overlooked aspect of Active Directory reporting tools, and that is the deployment and maintenance overhead and related cost associated with deploying the Active Directory reporting solution.

For instance, some solutions require that an agent be installed on one or more machines, or a SQL Server be installed, or a network appliance be installed. The installation of an agent, service or server undoubtedly introduces an additional IT resource in your environment, which must also be managed, secured and maintained, resulting in an additional expense.

In addition, in some cases, licensing needs require that certain changes be made to the Active Directory, such as the use of a Service Connection Point or a Schema extension, or the creation and use of a dedicated domain user account of security group. Any introduction of content to the Active Directory creates an additional management overhead and security concern, as this additional content in Active Directory would also need to be managed, secured and maintained.

The deployment overhead of a solution is thus an important aspect of the selection criteria and must not be overlooked.
Pricing and Licensing

This aspect covers the basic but essential factors of product licensing and pricing.

The price of the reporting tool, while important, should never be the most important factor to consider, because in the big picture, given that Active Directory plays such a vital role in your organization, in the long run, a small price difference is almost inconsequential in comparison to the other important factors listed above.

In fact, the licensing model of the tool deserves more attention because as your business requirements change, so might your licensing needs, and a versatile licensing model should be able to accommodate your changing needs. For instance, should you wish to acquire additional licenses, or transfer your existing licenses, or have a license be usable on multiple machines, your tool's licensing model should be able to easily accommodate reasonable changes in your business needs.

The old truism you get what you pay for applies almost universally, and Active Directory reporting tools are no exception.

II. A Comparison of Active Directory Reporting Tools –

The table below provides an objective, summarized view of the main Active Directory Reporting solutions available today, covering the 7 essential factors listed above –

Product	AD Manager+	AD Reporter	JiJi AD Reports	Security Explorer	Quest Reporter	Quest Powershell	Access Manager	Gold Finger
Vendor	Manage Engine	Javelina Software	JiJi Technology	Scriptlogic	Quest Software	Quest Software	Quest Software	Paramount Defenses
1. Trustworthiness
Is vendor a valued Microsoft Directory Services Partner?	.	.	.	.
Is the tool endorsed by Microsoft?	.	.	.	.	.	.	.
Is it architected by a Microsoft Expert?	.	.	.	.	.	.	.
Is the tool provably tamper-proof?	.	.	.	.	.	.	.
Which country is it engineered in?	India	Unknown	India	Unknown	Unknown	Russia	Unknown	USA
2. Reporting Essentials
Can it generate security reports?	.	.	.	.	.	.	.
Can it generate accurate effective access reports?	.	.	.	.	.	.	.
Can it generate customized, ready-to-furnish reports?	.	.	.	.	.	.	.
Can it generate real-time reports? (i.e. no SQL server)	.	.	.	.	.	.	.
Does it offer one-button reporting?	.	.	.	.	.	.	.
3. Security Reporting
AD account mgmt reports available?				.		N/A*	.
Group mgmt reports available?				.		N/A*	.
OU and container reports available?				.		N/A*	.
True Last-logon reports available?		.		.	.	N/A*	.
GPO & SCP reports available?	.	.	.	.	.	N/A*	.
Complete nested group membership reports available?	.	.	.	.	.	N/A*	.
Can custom LDAP filters be applied?	.	.	.	.	.	N/A*	.
Can a specific DC be targeted?	.	.	.	.	.	N/A*	.
Can alt credentials be used?	.	.	.	.	.	N/A*	.
Can PDF reports be generated?	.	.	.	.	.	N/A*	.
4. Access Reporting
Does it offer true access reports?	.	.	.	.	.	.	.
Delegated user account mgmt reports available?	.	.	.	.	.	.	.
Delegated computer account mgmt reports available?	.	.	.	.	.	.	.
Delegated group mgmt reports available?	.	.	.	.	.	.	.
Delegated OU & container mgmt reports available?	.	.	.	.	.	.	.
Delegated GPO & SCP mgmt reports available?	.	.	.	.	.	.	.
5. Additional Capabilities
AD ACL viewiing capability?	.	.	.	.	.	.	.
AD Bulk ACL export capability?	.	.	.	.	.	.	.
AD Permission Analysis capability?	.	.	.	.	.	.	.
AD Effective Permissions Analysis capability?	.	.	.	.	.	.	.
AD Effective Delegated Access Analysis capability?	.	.	.	.	.	.	.
6. Deployment Overhead
No service, server or agent required?	.	.	.	.	.	.	.
No service, server / agent maintenance required?	.	.	.	.	.	.	.
No (zero) changes to AD required?	.	.	.	.	.	.	.
7. Pricing and Licensing
Licenses available worldwide?				.	.	.	.
Consultant licenses available?	.				.	.	.
Per-project licenses available?	.	.	.	.	.	.	.
Unlimited user licenses available?	.	.	.	.	.	.	.
Are licenses transferable?	.	.	.	.	.	.	.
Free Trial-licenses available?	.	.	.		.	.	.
How much does a license cost?	$495 / domain	$395 / domain	$249 / domain	Unknown	Unknown	Unknown	$15 / user	From $499 / domain

This website is designed to provide organizations and IT personnel clear and objective information on the various Active Directory reporting solutions. The information furnished above is based on information available on the websites of the vendors of these reporting solutions.

If you are a vendor of an Active Directory reporting solution listed on this website, and have found any information to be inaccurate, please let us know and we shall be happy to update the information for you. We are committed to providing organizations and IT personnel clear and objective information on the various Active Directory reporting solutions to help them make well-informed decisions. To contact us, please email us at feedback@activedir-reporting-tools.com.

* Quest Powershell, developed in and supported from Russia, is not strictly a report generation tool, but in fact more of a scripting solution. It could be used to generate reports but that involves additional work and effort on an IT admin's part.