Review Accounts with AD Bridge Entitlement Reporting

Entitlement reporting can provide a detailed analysis of accounts. You can use it to help review how group memberships impact access for users. You can also use entitlement reports as part of your regulatory compliance efforts.

The AD Bridge Enterprise agent includes a User Monitor service that logs entitlement changes detected from local accounts and groups on each endpoint computer, as well as Active Directory (AD) changes that could affect account access and roles on computers.

All detected changes in entitlement are recorded in the Event Log subsystem for each AD Bridge Enterprise agent. Using event forwarding, this data can be sent to an AD Bridge Enterprise audit collector computer that can provide reporting across a centralized, enterprise-wide database.

For AD users, the User Monitor reports only the users who have access to the computer due to the RequireMembershipOf setting. If RequireMembershipOf is not enabled, a special pseudo user is reported. If the computer is running in Schemaless mode, the pseudo user uses the "All Users accessible from domain %s" format; otherwise the pseudo user uses the "All Users in cell %s" format.

The User Monitor only reports the AD groups of which at least one of the reported AD users is a member.

The following entitlement reports are available.

Access Privileges by User

This entitlement report, organized by user name, shows which users can log into which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.

The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.

When all of the fields in multiple rows match except for Computer Name and Status Date, those rows are collapsed so that one row is shown with a space separated list of the computers to which it applies.

When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.
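As an added illustration (not AD Bridge code), the comparison rules above applied to a constructed set of User Monitor events: only the start and end states are diffed, so a user added and deleted inside the span produces no row, a changed UID is shown with a trailing asterisk, and rows that differ only in computer name and status date are collapsed. The event layout and the choice to show the latest status date for a collapsed row are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of User Monitor entitlement events (not real AD Bridge data).
# Fields: (date, computer, user, action, uid); action is "add", "delete" or "uid".
EVENTS = [
    ("2024-01-02", "web01", "alice", "add",    10001),
    ("2024-01-02", "web02", "alice", "add",    10001),
    ("2024-01-03", "web01", "bob",   "add",    10002),
    ("2024-01-05", "web01", "bob",   "delete", 10002),
    ("2024-01-05", "web01", "dave",  "add",    10004),  # added ...
    ("2024-01-07", "web01", "dave",  "delete", 10004),  # ... and deleted inside the span
    ("2024-01-06", "web01", "alice", "uid",    20001),  # UID change on both computers
    ("2024-01-06", "web02", "alice", "uid",    20001),
    ("2024-01-08", "web02", "carol", "add",    10003),
]

def replay(events):
    # Rebuild {(computer, user): uid} by applying events in date order.
    state = {}
    for _date, comp, user, action, uid in sorted(events):
        key = (comp, user)
        if action == "add":
            state[key] = uid
        elif action == "delete":
            state.pop(key, None)
        elif action == "uid" and key in state:
            state[key] = uid
    return state

def privileges_by_user(events, start, end):
    # Diff the state just before `start` against the state at the end of `end`.
    before = replay([e for e in events if e[0] < start])
    after = replay([e for e in events if e[0] <= end])
    span = [e for e in sorted(events) if start <= e[0] <= end]
    last_change = {(c, u): d for d, c, u, _a, _i in span}  # sorted, so the last date wins
    rows = defaultdict(lambda: [set(), ""])
    for key in set(before) | set(after):          # a user added and deleted mid-span is in neither
        if key not in before:
            change, uid = "added", str(after[key])
        elif key not in after:
            change, uid = "removed", str(before[key])
        elif before[key] != after[key]:
            change, uid = "changed", f"{after[key]}*"   # new value followed by an asterisk
        else:
            change, uid = "unchanged", str(before[key])
        entry = rows[(key[1], change, uid)]           # rows differing only in computer/date collapse
        entry[0].add(key[0])
        entry[1] = max(entry[1], last_change.get(key, ""))  # assumption: show the latest status date
    return {k: (" ".join(sorted(v[0])), v[1]) for k, v in rows.items()}
```

The result maps (user, change, uid) to a space separated computer list and the status date, mirroring the report's collapsed rows.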

Access Privileges by Computer

This entitlement report, organized by computer name, shows which users can log into which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.

The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.

When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.

Access Privilege Changes

This entitlement report shows changes to user privileges by date. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log into the computers, only those users for which there have been changes.

When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.

Access Privilege Daily Changes

This entitlement report shows changes to user privileges on a daily basis. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log into the computers, only those users for which there have been changes.

This report provides the same information as the Access Privilege Changes by User report, but with simplified search criteria.

When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk.

Account Attribute Inconsistencies

This entitlement report shows conflicts between UID, username, and GECOS.