Customizable reports of all the users and computers in your directory are essential for maintaining a secure and compliant IT environment. Industry compliance frameworks like PCI require proof that any user accounts inactive for 90 days are consistently removed. Left stagnant, these accounts can be vulnerable to cyberattacks. They also clutter your directory, making it cumbersome to keep track of users and systems for asset management purposes.
With a directory users and computers report, you can easily identify and remove inactive accounts and demonstrate whether the information in your user database is current. This is one crucial step in proving that your team has secure, centralized control over the users and systems in your environment.
Let’s take a closer look at some of the parameters you’ll want to include in this type of report, along with some considerations for how to pull it. We’ll look at one approach using Active Directory®, as well as a more modern solution.
Users and Computers Report Parameters
When creating a directory users and computers report, you’ll want to retrieve more than just a basic list of directory objects. Here are some of the additional properties you may want to pull, and how to use each of them:
- Inventory of local user accounts on each system and their last logon times — ensure that accounts from deprovisioned users are non-destructively deleted at the system level and the directory level.
- OS version and installed patches — demonstrate that each computer meets security baselines and patch any weak links in the environment.
- Installed programs, applications, and browser extensions — confirm that installed software meets company guidelines and does not create a security risk.
- System hardware configurations and usage (memory, storage, CPU) — troubleshoot hardware performance issues and prevent them through proactive asset management.
- Systems’ network connections — show proper network segmentation for critical proprietary operations.
- User group associations — demonstrate accurate and organized user group membership as part of a least-privilege user access model.
- Disk encryption status — view the FDE status of each machine’s storage volumes to ensure that all data at rest is encrypted throughout the organization.
How to Pull Directory Users and Computers Reports
Ideally, your central directory service is already configured to handle user authorization and authentication along with system policy management, and it safely stores current versions of the above attributes. All you should have to do is retrieve users and computers info from the database.
When most people think about these functions, they think of Active Directory. If you manage a Windows®-only environment with Microsoft® solutions handling most workloads both on-prem and in the cloud, the AD approach works well. But if your environment also includes Mac® and/or Linux® systems or third-party SaaS products, centralized reporting with AD gets a lot more complicated. IT departments often rely on third-party solutions to manage authorization, authentication, policy control, and reporting for these types of resources, which are difficult to join to the AD domain.
Active Directory Users and Computers Reports
The most efficient way to export a list of users and computers from Active Directory is through PowerShell, the interactive prompt and scripting environment designed by Microsoft to help sysadmins combine and automate management tasks. Depending on how you write your script (or combine a few borrowed ones), you’ll have a high degree of control over the report parameters described above. The primary commands involved are Get-ADComputer, Get-ADUser, and Get-CurrentUserGroups.
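As an added example (not code from the original article or from any vendor), the following PowerShell script uses Get-ADUser and Get-ADComputer to list enabled accounts with no logon in the last 90 days and export them to CSV. It assumes the RSAT ActiveDirectory module is installed, the account running it can read the directory, and `C:\Reports` is an existing output folder chosen for illustration.

```powershell
# Added example (not from the original article): report-only, changes nothing in AD.
# Assumes the RSAT ActiveDirectory module and an existing C:\Reports folder.
Import-Module ActiveDirectory

$InactiveDays = 90                                  # threshold cited in the article
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$OutDir       = 'C:\Reports'                        # assumed output location

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# domain controllers but by default can lag the real logon by up to about 14 days.
# Accounts that never logged on have no value, so fall back to whenCreated.
function Test-Stale {
    param($LastLogon, $Created)
    if ($LastLogon) { return $LastLogon -lt $Cutoff }
    return $Created -lt $Cutoff
}

# MemberOf lists group DNs but omits the primary group (usually Domain Users).
$staleUsers = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, PasswordLastSet, MemberOf |
    Where-Object { Test-Stale $_.LastLogonDate $_.whenCreated } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated,
        PasswordLastSet,
        @{ Name = 'Groups'; Expression = { $_.MemberOf -join ';' } }

$staleComputers = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, OperatingSystem, OperatingSystemVersion |
    Where-Object { Test-Stale $_.LastLogonDate $_.whenCreated } |
    Select-Object Name, DistinguishedName, LastLogonDate, whenCreated,
        OperatingSystem, OperatingSystemVersion

# One dated CSV per object type, oldest logon first, as evidence for review.
$stamp = Get-Date -Format 'yyyyMMdd'
$staleUsers | Sort-Object LastLogonDate |
    Export-Csv -Path (Join-Path $OutDir "stale-users-$stamp.csv") -NoTypeInformation -Encoding UTF8
$staleComputers | Sort-Object LastLogonDate |
    Export-Csv -Path (Join-Path $OutDir "stale-computers-$stamp.csv") -NoTypeInformation -Encoding UTF8

$userCount     = @($staleUsers).Count
$computerCount = @($staleComputers).Count
Write-Output ("{0} stale users, {1} stale computers (no logon since {2:yyyy-MM-dd})" -f $userCount, $computerCount, $Cutoff)
```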
If you’re more comfortable customizing spreadsheets than modifying PowerShell scripts, you could also skip the process of adding multiple filters and properties and instead export an exhaustive list of user and computer attributes as a CSV. Then you’d organize the data as desired in your preferred spreadsheet editor.
A number of third-party Active Directory reporting tools also exist, with the goal of simplifying processes for those who’d prefer to avoid PowerShell altogether. But if you’re considering one of these solutions, keep in mind that you’re essentially paying for the interface rather than accessing a deeper level of insights. And this doesn’t necessarily solve the problem for Mac and Linux accounts because they’re likely not joined to AD.
Reporting With a Modern Cloud Directory Service
Rather than tacking on a third-party AD reporting app, some organizations are approaching directory users and computers reports as part of a larger challenge. They’re starting to find frustration with Active Directory’s limitations in managing modern cloud resources and non-Windows systems. Many are discovering that a new, cloud-hosted central directory service can replace their aging AD instance and consolidate access control and system administration for a broad spectrum of IT resources, both on-prem and in the cloud.
This new type of solution, called Directory-as-a-Service®, is the first of its kind in that it can serve as your organization’s core identity provider rather than as one solution in a patchwork of AD add-ons. It gives you remote, GPO-like control over Mac, Windows, and Linux systems, provides security measures like multi-factor authentication and full-disk encryption, and it can manage access to systems, SaaS apps, servers, networks, cloud infrastructure, and more.
Directory-as-a-Service makes key user and computer object data available in its web-based admin console, with more detailed reports customizable via PowerShell. It also offers System Insights™, a powerful OS data reporting tool that remotely provides near-real-time status and usage info from the computers in your environment. System data points available in the UI include OS version; network connections; installed programs; memory, storage, and CPU usage; encryption status; last logon time; and installed browser extensions, among others. You can use this premium System Insights feature to double down on security across your organization while simplifying your asset management and troubleshooting workflows.
If you’re curious about IAM and directory reporting with JumpCloud, try out Directory-as-a-Service. It’s free forever with full functionality for up to 10 users and systems.