Group Policy Details Test

An active directory may contain organization units, groups, user accounts, group policy objects etc. To centrally manage all the components of the active directory, the directory services use different group policies. Group Policies are applied to users, groups and organizational units. Group Policy uses directory services and security group membership to provide flexibility and support extensive configuration information. Policy settings are specified by an administrator. This is in contrast to profile settings, that are specified by a user. Policy settings are created using the Microsoft Management Console (MMC) snap-in for Group Policy.

From an administrator's point of view, it is essential for the administrator to ensure that the components of the active directory are well-utilized. From time to time, administrators need to take stock on the organizational units, groups, user accounts etc. This will help administrators in identifying the user accounts that were inactive and the organizational units and groups that were empty. This exercise will help administrators in fine-tuning the active directory and retain the most sought organizational units and groups and identify active user accounts. The Group Policy Details test helps administrators in this regard!

This test tracks the number of organization units, groups and group policy objects in the target active directory environment. The organization units and groups that were empty are identified so that administrators can analyze whether/not to retain them. The inactive user accounts too are identified. The group policy objects that were disabled and empty are also quickly identified. By analyzing the measures provided by this test, administrators can scale the logical components such as organizational units, groups etc within the target active directory.

Target of the test : An Active Directory or Domain Controller on Windows

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Active Directory site that is being monitored

Configurable parameters for the test
Parameters Description

Test period

This indicates how often should the test be executed.

Host

The IP address of the machine where the Active Directory is installed.

Port

The port number through which the Active Directory communicates. The default port number is 389.

Inactive Days

By default, the value specified against this parameter is 90 days. This implies that the user accounts in the domain controller or active directory will be considered as inactive after a period of 90 days.

Detailed Info

By default, this flag is set to No, indicating that by default, the test does not generate detailed measures for the measures, so as to conserve storage space. If you want the test to generate and store detailed measures for information events, set this flag to Yes.

Show Organizational Unit DD

By default, this flag is set to No. Accordingly, this test, by default, will not report detailed diagnostics for the Organizational units and Empty organizational units measures. To view the list of Organization units and empty Organizational Units on the domain controller or active directory, set this flag to Yes.

Show Group DD

By default, this flag is set to No. Accordingly, this test, by default, will not report detailed diagnostics for the Groups and Empty Groups measures. To view the list of groups and empty groups in the domain controller or active directory, set this flag to Yes.

Group Name

Specify the name of the active directory group for which the test should report metrics. By default, none is specified against this parameter indicating that this test will report metrics for all the active directory groups, by default.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Organizational units

Indicates the total number of organizational units on the domain controller being monitored.

Number

Organizational Unit (OU) is a container in Active Directory domain that can contain different objects from the same AD domain: other containers, groups, user and computer accounts. Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to another user.

The detailed diagnosis of this measure if enabled, lists the organization units, the date on which the OUs were created, the date on which the OUs were modified, the objects associated with the OUs, the flag operation and the version.

Empty organizational units

Indicates the number of organizational units that are empty on the domain controller.

Number

The detailed diagnosis of this measure if enabled, lists the organization units that were empty, the date on which the OUs were created, the date on which the OUs were modified, the objects associated with the OUs, the flag operation and the version.

Groups

Indicates the number of groups on the domain controller being monitored.

Number

The Active Directory groups is a collection of Active Directory objects. The group can include users, computers, other groups and other AD objects. The administrator manages the group as a single object.

The detailed diagnosis of this measure if enabled, lists the groups, the date on which the groups were created, the date on which the groups were modified, the objects associated with the groups, flag operation and the version.

Empty groups

Indicates the number of groups that are empty on the domain controller.

Number

The detailed diagnosis of this measure lists the groups that were empty, the date on which the group was created, the date on which the group was modified, the objects within the group, flag operation and version.

Inactive user accounts

Indicates the number of user accounts that are inactive beyond the number of days configured against the Inactive Days parameter.

Number

A high value for this measure indicates that many users are inactive. Administrators can drill down the detailed diagnosis to identify the user accounts that were inactive and remove them as and when, necessary.

The detailed diagnosis also lists whether the user account is enabled, whether the password expired for the user account, the last login date of the user, the objects associated with the user, flag operation and version.

Group policy objects

Indicates the number of group policy objects available on the domain controller being monitored.

Number

A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory.

Disabled group policy objects

Indicates the number of group policy objects that were disabled on the domain controller.

Number

The detailed diagnosis of this measure lists the name of the group policy objects that were disabled, the category ID, name of the owner, the date on which the GPOs were modified, the flag operation and version.

Empty group policy objects

Indicates the number of group policy objects that were empty on the domain controller.

Number

The detailed diagnosis of this measure lists the name of the group policy objects that were empty, the name of the owner, the date on which the GPOs were created, the PS object name, the flag operation and version.

Unlinked group policy objects

Indicates the number of group policy objects that were not linked to any site, domain or active directory containers.

Number

The detailed diagnosis of this measure lists the name of the group policy objects that were not linked, the name of the owner, name of the owner, the date on which the GPOs were modified, the flag operation and version.

Inactive group policy objects

Indicates the number of group policy objects that were inactive on the domain controller.

Number

Administrators can drill down the detailed diagnosis to figure out the group policy objects that were inactive.

Group policy objects with no settings enabled

Indicates the number of group policy objects on which policy settings are disabled.

Number

The detailed diagnosis of this measure lists the name of the GPOs on which settings are disabled, the date on which the GPOs were created, the date on which the GPOs were modified, the account name, the PS object name, the flag operation and the version.

Group memberships changed

Indicates the number of group memberships that were changed on the domain controller.

Number

The detailed diagnosis of this measure lists the distinguished name of the group, the created date, the modified date, account name, PS object name, flag operation and version.