Active Directory & Group Policy Documentation Tool

Keep an up-to-date record of your domain and policy configuration

Save time by using our Active Directory and Group Policy documentation tool XIA Configuration to automatically document your domain and policy configuration. Record a history of all changes, prove compliance, and streamline troubleshooting.

Generate always up-to-date documentation with version control and custom branding
Run reports to get the data you need for auditing your domain and Group Policy Objects (GPOs)
Compare items and track changes to expose incorrect configuration ^†

Use automatic search and detection to discover and document Windows machines that are members of your domain.

XIA Configuration has a non-intrusive architecture with agentless data collection.

Watch Demo Video

Active Directory Documentation Example

View an example Active Directory document generated by XIA Configuration:

Active Directory documentation example generated by XIA Configuration

Open Example Document

Watch our Active Directory & Group Policy documentation software in action

This video shows the Active Directory document generation and other features of XIA Configuration.

A video demonstrating our Active Directory documentation software XIA Configuration

Watch the Active Directory tutorial video.

View All Tutorials

Active Directory settings documented by XIA Configuration

Find out more about the Active Directory and Group Policy information documented by XIA Configuration below:

Trusts
General Domain Information
Inter-Site Transports
Domain Hierarchy
Group Policy Objects
Fine-Grained Password Policies
Operations Masters

Sites
Servers
Read-Only Domain Controllers
Schema
Users
Groups
Computers

Screenshot of Active Directory general information in the XIA Configuration web interface

Supported Versions

XIA Configuration supports the documentation of Active Directory on the following versions of Windows:

Windows Server 2019
Windows Server 2016
Windows Server 2012 and 2012 R2
Windows Server 2008 and 2008 R2
Windows Server 2003 and 2003 R2
Windows 2000 Server

Active Directory Trusts

A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain.

This section contains the following Active Directory trusts information:

Source Name
Target Name

Direction
Type (for example Kerberos)

Screenshot of an Active Directory trusts diagram in the XIA Configuration web interface

Screenshot of Active Directory trusts information in a document generated by XIA Configuration

The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, known as the forest root domain however additional domains can be created in the forest.

General Domain Information

Active Directory is a centralized authentication and directory service based around standards such as the Lightweight Directory Access Protocol (LDAP) and Kerberos. It stores information about user accounts, groups, distribution lists as well as information for directory enabled applications such as Microsoft Exchange Server.

This section contains the following general Active Directory domain information:

Domain Name
Domain NetBIOS Name
Domain SID
Domain Functional Level
Forest Functional Level

Forest Name
Forest SID
Logon Timesync Interval
Active Directory recycle bin enabled
Administrators Group information

Screenshot of Active Directory domain information in a document generated by XIA Configuration

Inter-Site Transports

This section contains the following inter-site transports information:

Name
Description

Bridge All Site Links
Ignore Schedules

Screenshot of inter-site transport information in a document generated by XIA Configuration

Site Links

Name
Description
Type
Transport Type

Sites in link
Cost
Replication Interval
Schedule

Screenshot of site link information in the XIA Configuration web interface

Domain Hierarchy

An organizational unit (OU) is a special container within Active Directory into which you can place users, groups, computers, and other organizational units. Group Policy objects (GPOs) can be linked to an organizational unit.

This section contains the following domain hierarchy configuration:

OU Path
OU Name
OU GUID

Group Policy ID
Group Policy Link Name
Group Policy Link Enabled
Group Policy Link Enforced

Screenshot of an organizational unit (OU) in the XIA Configuration web interface

Group Policy Objects

Group Policy is a technology incorporated into Active Directory that allows for centralized management of settings and simplistic software distribution to client computers and servers joined to the domain. Settings are grouped into objects called Group Policy Objects (GPOs). GPOs are linked to an Active Directory domain, organizational units (OUs) and sites.

This section contains the following Group Policy Objects (GPOs) information:

Display Name
GUID
Computer Enabled
User Enabled

Creation and Last Modified Date
User Version
Computer Version
Permissions

Screenshot of group policy object information in the XIA Configuration web interface

Fine-Grained Password Policies

Fine-grained password policies allow the definition of multiple password and account lockout policies for different sets of users in a domain and are available on Windows 2008 and above.

The screenshot below shows fine-grained password policy settings in Windows:

Sample password policy in Windows

XIA Configuration retrieves this information and displays these settings in its web interface:

Name
Precedence
Description
Minimum Password Length
Password History
Password Must Meet Complexity Requirements
Store Password Using Reversible Encryption
Minimum Password Age

Maximum Password Age
Last Updated
Creation Date
Account Lockout Policy
Account Lockout Duration
Reset Failed Logon Attempts After (minutes)
Applies To (accounts)

Screenshot showing fine-grained password policy settings in the XIA Configuration web interface

Auditing fine-grained password policy configuration can help you provide information aligned to PCI DSS requirement 8.2.4 and requirement 8.2.5.

Operations Masters

Active Directory is a multi-master system where each domain controller has autonomy for read and write operations there are however five special Flexible Single Master Operation Roles (FSMO) which must be assigned to specific domain controllers. All roles can be assigned to a single domain controller or can be distributed between domain controllers.

XIA Configuration retrieves the role holder for each FSMO role:

Infrastructure Master
Domain Naming Master
PDC Emulator

RID Master
Schema Master

Screenshot showing the FSMO role holders in a document generated by XIA Configuration

Active Directory Sites

Active Directory sites represent the physical structure, or topology, of a network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology and permits clients to locate the nearest resources such as domain controllers or distributed file system (DFS) servers.

A site consists of well-connected networks as determined by the subnet addresses assigned to that site.

XIA Configuration provides much of the information displayed in the Active Directory Sites and Services tool:

Name and Description
InterSite Topology Generator
Location

Subnets in this Site
Universal Group Membership caching
Site and Server Replication Schedules

Screenshot of an Active Directory site in the XIA Configuration web interface

Active Directory Servers

For detailed information about Windows servers, view the Windows Machine page >

This section contains the following information about server configuration:

Server Name
Is Global Catalog
Operating System
Security ID
Replication Connections
Replication Schedule
Bridgehead server transports

Query Policy
Manufacturer
Model
Processors
Serial Number
Service Pack
Directory Service Installation Paths

Screenshot of Active Directory server information in a document generated by XIA Configuration

Read-Only Domain Controller (RODC)

An Active Directory domain controller authenticates and authorizes all users and computers in a Windows domain type network. Every domain controller supports multi-master operations allowing autonomy in the reading and writing information to the directory service with the exception of read-only domain controllers (RODCs) which allow only read-only access to the directory service. RODC servers are useful in less secure physical environments such as a branch office.

In addition to the server information displayed above, XIA Configuration supports the following RODC settings:

Manager
Password replication policy

Screenshot of RODC settings and password replication policy settings in a document generated by XIA Configuration

Active Directory Schema

The Active Directory schema defines all of the objects and attributes that the directory service uses to store data. It is replicated to all domain controllers in all domains in the forest.

This section contains the following Active Directory schema information:

Distinguished Name
Schema Version
Schema Master

Screenshot of schema configuration in the XIA Configuration web interface

Schema Classes

Each object in Active Directory is an instance of an object class defined in the schema. The class contains attributes which determine what information can be stored within it.

Class Name
Type

Status
Description

Screenshot of schema classes information in a document generated by XIA Configuration

Active Directory Users

An Active Directory user account (also referred to as a security principal) provides the ability for a user to logon to the domain. User accounts may also be used as dedicated service accounts for some applications.

This section contains the following Active Directory users information:

General

Name
First Name
Surname
Display Name
Description
Last Logon
Canonical Name
Member Of

Account Settings

SID
User Enabled
User Principal Name
SAM Account Name (pre-Windows 2000)
Account Expiration Date
Account Locked Out
User Must Change Password Setting
User Cannot Change Password Setting
Password Never Expires Setting

Use XIA Configuration to document Local Administrator Password Solution (LAPS) settings >

Profile

Profile Path
Script Path

Screenshot of Active Directory user information in the XIA Configuration web interface

Active Directory Groups

A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members. Using groups can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than to each account individually.

This section contains the following information on Active Directory Groups:

Name and Description
SAM Account Name
Canonical Name
Group Scope

Group Type
SID
GUID
Members

Screenshot of Active Directory group details in a document generated by XIA Configuration

Active Directory Computers

Every computer and server machine that joins a domain has a computer account. Like user accounts, computer accounts provide a means for authenticating and auditing access to the network and to domain resources.

This section contains the following Active Directory computers information:

General

SAM Account Name
DNS Hostname
Is Domain Controller
Description
Computer Enabled
SID
Account Locked Out
Last Logon
Member Of
Managed By
Location

Operating System

Name
Version
Service Pack

Object

GUID
Item Type
Path

For detailed information about computers in Active Directory, view the Windows Machine page >

Screenshot of Active Directory computer information in the XIA Configuration web interface

Automatic Search and Detection

Automatically search Active Directory to detect and scan Windows machines including server roles such as IIS, VMware and SQL.

Servers and server roles can also be scanned manually by specifying a list of machine names or IP addresses.

Screenshot of Active Directory search and detection settings in the XIA Configuration Client

Active Directory Reporting

In addition to generating full Active Directory documentation, you can run reports across multiple domains.

Create custom reports to query the full range of data collected by XIA Configuration.

Screenshot showing the Active Directory reports in the XIA Configuration web interface

Example - Domain Groups Summary Report

View a summary of domain groups:

Screenshot showing the Active Directory domain group summary report output in the XIA Configuration web interface

Export to CSV

Export your report to CSV and open it in Microsoft Excel for further analysis:

Active Directory domain groups summary report exported as a CSV and viewed in Excel

Find out more about the reporting feature >

Track Changes and Compare Domains

Compare items to see differences or compare two versions of the same item to see changes.

Screenshot showing the comparison of the latest version with the previous version

Find out more about the item comparison feature >

Mobile Support

Access your Active Directory domain and group policy object configuration on your mobile device.

Screenshot showing Active Directory domain and group policy object configuration on a mobile device

Try our Active Directory documentation tool for free

No commitments. No costs. Try XIA Configuration today.

Download Free 30-Day Trial

View all the systems documented by XIA Configuration >

^† Not currently supported for individual Group Policy Object settings.

Capabilities ▲