Microsoft’s Active Directory is a very widely used access management system. It controls user accounts for Exchange Server, SharePoint Server, and just about every Microsoft product that requires user credentials. Its reach extends beyond Microsoft’s product catalog because many other software systems use it, and it guards access to network-connected devices.
Here is our list of the nine best AD Documentation tools:
- SolarWinds Access Rights Manager (EDITOR’S CHOICE): An Active Directory management system that includes a reporting module. Start a 30-day free trial.
- ManageEngine ADManager Plus (FREE TRIAL): On-premises Active Directory monitoring software that runs on Windows Server and Windows. Start a 30-day free trial.
- ManageEngine ADAudit Plus (FREE TRIAL): An activity tracking system that links to AD and records the events that occur on sensitive data, assigning those actions to specific users. Runs on Windows Server. Start a 30-day free trial.
- N-able Passportal: An online IT documentation platform and password manager.
- IT Glue: Cloud-based password manager and documentation management system.
- XIA Configuration: An IT infrastructure documentation tool that includes an Active Directory monitoring module.
- José Active Directory Reporting: A simple, free tool for recording AD controller statuses. Available as a command-line utility or with a GUI.
- ADScribe: Lightweight Active Directory reporting tool that runs from the command line or through a Wizard.
- Active Directory Report Builder: An AD report query builder that displays results within the app and allows data to be exported.
With so many uses of Active Directory, mastering control of the Active Directory system is very important for system administrators. The terminology of Active Directory can sometimes be a little confusing. Sometimes, busy people with lots of other responsibilities can get a little mixed up between domains, forests, and trees. Without having a clear idea of the divisions, the hierarchies, commonalities, and segregation of domain controllers and permission relationships, things can get messy.
Managing Active Directory
The only way to keep on top of the complicated relationships between users, devices, and the Active Directory implementation structure is to document it all.
Launching an Active Directory documentation project is a difficult task. A big decision to make concerns the structure of the documentation. However, somebody who needs to get the system documented in order to foster better understanding and improve management probably won’t be in a position to devise a documentation structure.
Fortunately, there is guidance available on the correct format of an Active Directory documentation store.
Active Directory data security
Writing out how the domain controllers are organized and listing the permissions contained in them creates a second source of the Active Directory data. That information shouldn’t be proliferated, and duplicating it outside of the secure environment of Active Directory increases risk.
The data contained in Active Directory needs to be kept confidential. Having that data lying around the office in printed documents or accessible as text documents somewhere on a company server creates a security weakness. So, the Active Directory information store needs to be secured with encryption and user credentials for access. For the sake of disaster recovery, the store of Active Directory documentation should be held away from the company’s primary site.
Active Directory auditing
As a centralized access rights manager, Active Directory is very important to data security standards compliance. In order to get certification for security protection standards such as PCI-DSS or HIPAA, a company needs to demonstrate that it has proper access rights management in place. Auditing for these standards and to supply proof in case of GDPR legal action requires Active Directory documentation.
The best Active Directory Documentation tools
You probably don’t have time to research all of the options for Active Directory documentation and auditing. This report has done the hard work for you, creating a shortlist for those looking to improve Active Directory management.
You can read more about these tools in the following sections.
Our methodology for selecting Active Directory documentation tools
We reviewed the market for Active Directory documentation software and analyzed the options based on the following criteria:
- Secure storage for AD documentation with credentials needed for access
- A query tool for exploring entries in Active Directory
- Utilities that enable you to assess account structures
- A system that highlights abandoned accounts
- Measures to analyze user group effectiveness
- An assessment period, such as a free trial
- Good value that is provided by a complete set of tools marketed at a reasonable price
1. SolarWinds Access Rights Manager (FREE TRIAL)
The SolarWinds Access Rights Manager covers Active Directory, Microsoft Exchange, Windows File Share, and Microsoft SharePoint. The tool shows visual representations of the current objects in your AD implementation. Factors that can be seen include user groups and permission inheritance.
Key Features:
- Generates maps between objects
- Group analysis
- Permissions refining
- Customizable reports
- Compliance reporting
As well as permissions management functions and a self-service portal for users, the tool includes analysis functions that support data security standards compliance and help you meet service level agreement conditions. The tool includes activity logging.
The AD analyzer includes data sorting and filtering functions. These enable you to assemble your own reports. The tool also includes a reporting module that has pre-written formats that comply with data protection standards auditing requirements.
The software installs on Windows Server and is available for a 30-day free trial. SolarWinds also produces a free alternative, called SolarWinds Permissions Analyzer for Active Directory. This free tool doesn’t have all of the data visualizations or management functions of the Access Rights Manager.
Pros:
- Provides a clear look into permission and file structures through automatic mapping and visualizations
- Preconfigured reports make it easy to demonstrate compliance
- Any compliance issues are outlined after the scan and paired with remediation actions
- Sysadmins can customize access rights and control in Windows and other applications
Cons:
- SolarWinds Access Rights Manager is an in-depth platform designed for sysadmins, which may take time to fully learn
EDITOR’S CHOICE
SolarWinds Access Rights Manager is our top pick for an Active Directory documentation tool because its graphical representations of user accounts and groups and account-to-device mappings make managing objects in AD a lot easier. Being able to look at a hierarchy of your permissions structure makes mistakes and oversights clearer. Analysis features in the package help you to tighten up access rights and improve security by eradicating opportunities for insider threats. The Access Rights Manager is compliant with GDPR, HIPAA, and PCI DSS. The services will also manage SharePoint and Exchange user accounts.
Download: Get a 30-day free trial
Official Site: https://www.solarwinds.com/access-rights-manager/registration
OS: Windows Server
2. ManageEngine ADManager Plus (FREE TRIAL)
If you prefer to host your AD monitoring software on-site rather than accessing it at a cloud service, then ManageEngine ADManager Plus is probably your best option. This package is a very comprehensive interface to Active Directory and crucially, includes a reporting engine that will help you document your Active Directory implementations.
Key Features:
- Fronts for multiple AD instances
- Good for Exchange Server and Skype for Business
- Organize user groups
- Improve permissions structure
The reports generated by ADManager Plus cover users, distribution lists, security groups, computers, and contacts. It covers cloud-based AD implementations as well as onsite Active Directory statuses. The tool is also able to cover Exchange Server, Skype, and other applications that utilize Active Directory for access rights.
ADManager Plus is available in three versions: Free, Standard, and Professional. The Free edition is limited to managing one domain. The Standard version has a wider scope and the Professional edition includes Help Desk modules. The Free edition download file is exactly the same as the Professional edition file. ManageEngine offers the Professional on a 30-day free trial. Once that month expires, the program switches to the limited Free edition.
Pros:
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
Cons:
- Has a steeper learning curve than similar tools
3. ManageEngine ADAudit Plus (FREE TRIAL)
Businesses that hold personal data need to protect that information from theft and misuse. ManageEngine ADAudit Plus is an activity tracker that is a suitable tool for implementing data protection and compliance reporting for data privacy standards.
Key Features:
- Sensitive data protection
- User activity tracking
- Compliance audit trail
A major requirement of data privacy standards is proof of compliance. Demonstrating compliance requires extensive logging of all system activities. You don’t just need to keep your system secure, you need to prove that you did.
ADAudit Plus takes user account information from Active Directory and tags all data access activities with user IDs. This provides an audit trail for compliance and also protects data, providing live alerts if unexpected events occur. The system uses user behavior analytics to spot anomalous behavior that could indicate an insider threat or an account takeover.
ManageEngine ADAudit Plus runs on Windows Server. ManageEngine doesn’t offer this system on its own cloud platform but the tool is available on the AWS and Azure platforms through their Marketplaces. It is offered in three editions, which are called Free, Standard, and Professional. The Free version is limited to monitoring activities on 25 workstations. The Standard version gives you activity monitoring and compliance reporting. The Professional edition adds on GPO controls and AD status snapshots. You can assess ADAudit Plus with a 30-day free trial.
Pros:
- Security measures including USB controls and file integrity monitoring
- Data access activity logging, attributed to the user involved
- Compliance reporting for HIPAA, PCI DSS, GLBA, GDPR, and SOX
- Protection for AD against tampering
Cons:
- No hosted cloud option
4. N-able Passportal
The N-able Passportal package contains a password manager and documentation manager tools. This bundle gives you the opportunity to back up your Active Directory entries and also store the documentation that you wrote about your AD implementation.
Key Features:
- Active Directory backup
- Password manager
- Compliance reporting
The password management system can sync with Active Directory. This gives you the backup facility to recover the system in case of disaster. The interface of the password manager is much easier to deal with than the standard Active Directory interface. It makes such tasks as automatic email rotation to force regular password changes easier to implement. Changes made in Passportal get rolled out to the Active Directory implementation automatically.
If you need to document Active Directory in order to prove compliance to data protection standards, you can run the necessary audit reports off Passportal instead of from Active Directory. Any documentation you do make about Active Directory can be uploaded into the SolarWinds Document Manager for storage.
N-able Passportal is a cloud-based service that includes remote storage space. This keeps your Active Directory settings and all of your stored system documentation safe from on-site disasters or tampering. Access to Passportal is guarded by credentials and storage and transmission of data are all protected by encryption.
Passportal is paid for by subscription. It is marketed as a tool for managed service providers (MSPs) so that they can add password management as a service that they offer to their clients. However, it would also be suitable for multi-site businesses that have centralized IT management. You can register for a demo to see it in action.
Pros:
- Supports automatic Active Directory sync via LDAP
- Can run access audits to easily identify internal changes made during a period of time
- Supports compliance reporting to identify weak passwords and force changes based on policy
- Users generate their own encryption key, securing their cloud data from third parties, including Passportal
Cons:
- Smaller networks may not benefit from the MSP/enterprise-specific tools Passportal offers
5. IT Glue
IT Glue is a property of Kaseya and it is aimed at MSPs. However, it could also be used by the IT department of a multi-site company. This tool is very similar to Passportal because it includes password and document management.
Key Features:
- Standardizes object definition
- Extracts account and permissions
- Compliance auditing
Documenting Active Directory with IT Glue is really easy. The system includes a library of templates that act as add-ons to the functionality of the tool. One of these templates specifically relates to Active Directory implementations.
Part of the Active Directory template’s function is the ability to document the current status of the Active Directory controllers in your business and their contents. The Active Directory monitor in IT Glue includes links to documentation related to AD. This interface acts as an index to your AD documentation and also gives you a road map to what documents need to be created.
The Active Directory monitor is part of the password management module in IT Glue. The system is a cloud-based service and includes storage space. This makes an ideal package for documenting Active Directory because the document management module also includes an editor. This means that it is possible to create your documentation within the IT Glue environment and store it there.
Data transfers and document storage with IT Glue are all password protected and encrypted for security.
The IT Glue service is charged per user per month with a minimum subscription of five users. The system is offered in three editions: Basic, Select, and Enterprise. All versions include the password manager with Active Directory monitoring and the document management and storage system.
Pros:
- Works well in MSP environments as well as in mid-size organizations
- Offers a robust library of templates to get started quickly
- Manages documentation as well as credentials
Cons:
- Smaller networks may not benefit from the MSP/enterprise-specific tools the product offers
6. XIA Configuration
XIA Configuration from Centrel Solutions is an IT infrastructure documentation system. The tool will also record all equipment configurations and software versions and alert system administrators of unauthorized changes, offering the opportunity to roll back configurations.
Key Features:
- Active Directory auditing
- Deployment options
- Suitable for MSPs
The documentation system includes formats that are required for system security standards compliance. The Active Directory module of this documentation tool audits all of the statuses of your AD controllers. These reports can be edited and stored and they can also be branded. The XIA Configuration system can be multi-tenanted, allowing MSPs to use it when supporting clients.
The XIA Configuration system is available as on-premises software or as a service hosted in the cloud. The cloud version does not have as many features as the on-premises software – it doesn’t allow advanced security options, branding, or report editing.
The system is available in three editions: Technician, Enterprise, and Unlimited Enterprise. The Technician and Unlimited Enterprise editions will document all of the equipment in your system with one license. The Enterprise version is charged per device, so you would have to buy multiple licenses to document your whole system with that version.
XIA Configuration is a very interesting system documentation and configuration protection tool. Centrel Solutions offers the software on a 30-day free trial.
Pros:
- Monitors configuration changes and can be configured to alert contacts to new changes
- Multi-tenant features make it a good choice for MSPs
- Integrates easily into Active Directory
Cons:
- The cloud version lacks some features found on the on-premises version such as reporting or custom branding
- Enterprise pricing is based on device, rather than number of technicians
7. José Active Directory Reporting
José Active Directory Reporting is a small, free piece of software that produces nice, presentable screens of information about an Active Directory controller. Reports are produced in HTML, but they could be printed to PDF or cut and pasted into a Word document.
Key Features:
- Extracts Active Directory data to HTML
- Allows external analysis
- On-premises package
The tool has a GUI interface, which allows the user to select which information should be extracted from the AD controller. There is also a command-line version that enables reports to be launched through scripts.
The tool was originally written with German-language text but is now also available in English. It installs on Windows and Windows Server. This is a great tool for small companies that just want to record the current status of their AD controllers. The zip file that contains the program also includes a command-line script that will run all of the standard AD status reports that a typical systems administrator wants. For status monitoring, it would be possible to run this batch file periodically on a schedule.
Pros:
- Completely free
- A lightweight tool that runs well even on older systems
- Supports a CLI version
- Better suited for smaller companies
Cons:
- Automation and scheduling is clunky, involving batch files and Task Scheduler
- The interface doesn’t offer much customization or visual options
- Not suited for larger networks
8. ADScribe
ADScribe from Leadum Software is a simple Active Directory reporting tool that runs on Windows and Windows Server. Output can be stored as HTML, the CHM help format, or Microsoft Word.
Key Features:
- Extracts the hierarchy of AD accounts
- Documents permissions structure
- Fast reporting
This is a lightweight tool that runs quickly. It can be launched through a Wizard or at the command line. The reports generated by the tool list the objects in the AD controller with the details for each.
Pros:
- Can be controlled through the CLI tool
- Very lightweight
- Automatically generates common reports on users, objects, and OU structure
Cons:
- Antiquated interface
- Very little data visualization offered
- Steeper learning curve than similar tools
9. Active Directory Report Builder
The Sysmalogic Active Directory Report Builder can produce reports for all the domains in your Active Directory implementation. The tool’s output is in either CSV or Excel-ready format.
Key Features:
- Export objects
- Search, sort, and filter
- Multi-domain
The GUI interface for the tool is a query builder that allows the user to specify which Active Directory details will appear in the report. The results of the report query execution are displayed in the Report Builder screen and can then be saved for access by other applications. It is also possible to copy and paste data into other editors.
The tool is available in both free and paid versions. The full version is available on a 30-day free trial. If you decide not to pay at the end of the trial period, the software switches over to the free version.
Pros:
- Supports flexible reporting output formats
- Highly customizable query builder allows users to build their own reports
- Reports can be saved and run again
- Available for free and as a paid option
Cons:
- Can be difficult to use for users who have never used query builders before
- The interface uses a lot of nested menus, which can make finding things difficult
Choosing an AD documentation tool
You might just need a tool that enables you to get a clearer view of your Active Directory objects and their relationships or you might need a full data protection standards auditing tool. This list contains a wide range of Active Directory documentation tools and hopefully, one of them will match your needs.
Some of the tools on this list are free to use, while most of the others offer free trial periods. Try out a few of the tools for free to help you decide which is best for you.
Do you already have a preferred Active Directory documentation tool? Do you use any of the tools on this list? Leave a message in the Comments section below and share your experience with the community.