AD Auditor

Every Feature.

A complete list of the checks AD Auditor runs and the ways it reports them. Every check is optional, configurable, and supports OU-level exclusions.

Password & Authentication

  • Password Never Expires — accounts with the DONT_EXPIRE_PASSWORD flag set. Common and expected for service accounts; a finding when set on human user accounts.
  • No Password Required — accounts where the password requirement is disabled at the account level (PASSWD_NOTREQD).
  • Empty / No Password — accounts with no password value stored.
  • Reversible Encryption Enabled — accounts storing passwords with reversible encryption. Effectively cleartext-recoverable; high severity.

Account Activity

  • Stale Accounts — enabled accounts whose password hasn't changed in N days (configurable, default 90).
  • Stale Logins — enabled accounts that haven't logged in for N days (configurable, default 60). Catches dormant accounts even when passwords are rotated.
  • Disabled Accounts — an inventory of disabled accounts, optionally limited to chosen OUs.

Access & Privileges

  • Privileged Group Membership — accounts in highly privileged groups (Domain Admins, Enterprise Admins, and any group you flag), via memberOf or Primary Group ID.
  • Service Principal Names (SPN) — user accounts with an SPN set, exposing them to Kerberoasting.
  • Missing Required Group Membership — enabled accounts not in a group you mandate domain-wide (e.g. an Enforce-MFA group).
  • Stale AdminSDHolder Accounts — accounts with adminCount=1 that are no longer in any privileged group, a common post-breach persistence marker.
  • Unconstrained Delegation — accounts and computers with the TRUSTED_FOR_DELEGATION flag, a known privilege-escalation surface.
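As an added example (not AD Auditor's own code or query logic), the PowerShell below shows how the Password & Authentication, Stale Accounts, and Access & Privileges checks listed above translate into read-only LDAP queries, so you can see exactly which attributes and flags each finding rests on and sanity-check the tool's output. It assumes the RSAT ActiveDirectory module on a domain-joined workstation and an account with ordinary read rights; the protected-group list, the 90-day threshold, the severities and the output path are assumptions to adjust.

```powershell
# Added example, not AD Auditor's own code. Assumes the RSAT ActiveDirectory module
# and a domain account with ordinary read rights; group list, threshold, severities
# and output path are assumptions to adjust. Every query here is read-only.
Import-Module ActiveDirectory

# Documented userAccountControl bit flags behind the checks above.
$UAC = @{
    ACCOUNTDISABLE             = 0x2
    PASSWD_NOTREQD             = 0x20
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80      # "reversible encryption"
    DONT_EXPIRE_PASSWORD       = 0x10000
    TRUSTED_FOR_DELEGATION     = 0x80000   # unconstrained delegation
}
$BitAnd  = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
$InChain = '1.2.840.113556.1.4.1941'  # LDAP_MATCHING_RULE_IN_CHAIN (follows nested groups)
$EnabledUser = "(objectCategory=person)(objectClass=user)(!(userAccountControl:$BitAnd:=$($UAC.ACCOUNTDISABLE)))"

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Severity, $Obj) {
    $findings.Add([pscustomobject]@{
        Check = $Check; Severity = $Severity
        Account = $Obj.sAMAccountName; DN = $Obj.DistinguishedName })
}
# Runs one extra LDAP clause against enabled user accounts and records each hit.
function Test-EnabledUsers([string]$Check, [string]$Severity, [string]$Clause) {
    foreach ($u in Get-ADUser -LDAPFilter "(&$EnabledUser$Clause)") { Add-Finding $Check $Severity $u }
}

# --- Password & Authentication ---
Test-EnabledUsers 'Password Never Expires'        'Medium' "(userAccountControl:$BitAnd:=$($UAC.DONT_EXPIRE_PASSWORD))"
Test-EnabledUsers 'No Password Required'          'High'   "(userAccountControl:$BitAnd:=$($UAC.PASSWD_NOTREQD))"
Test-EnabledUsers 'Reversible Encryption Enabled' 'High'   "(userAccountControl:$BitAnd:=$($UAC.ENCRYPTED_TEXT_PWD_ALLOWED))"

# --- Account Activity: password unchanged for N days (pwdLastSet is a FILETIME; 0 means "must change") ---
$StaleDays = 90
$cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
Test-EnabledUsers 'Stale Accounts' 'Low' "(pwdLastSet<=$cutoff)(!(pwdLastSet=0))"

# --- Access & Privileges ---
# Groups AdminSDHolder protects by default, with their well-known RIDs; add any group you flag.
$protected = @{ 'Domain Admins'=512; 'Schema Admins'=518; 'Enterprise Admins'=519; 'Administrators'=544
                'Account Operators'=548; 'Server Operators'=549; 'Print Operators'=550; 'Backup Operators'=551 }
# Enterprise Admins and Schema Admins exist only in the forest root domain; missing groups yield $null.
$groupDns = foreach ($g in $protected.Keys) { (Get-ADGroup -Filter "Name -eq '$g'").DistinguishedName }
$memberOfAny = '(|' + (($groupDns | Where-Object { $_ } | ForEach-Object { "(memberOf:$InChain:=$_)" }) -join '') + ')'
$primaryAny  = '(|' + (($protected.Values | ForEach-Object { "(primaryGroupID=$_)" }) -join '') + ')'

# Membership via memberOf (nested) or via primaryGroupID, which memberOf never shows.
Test-EnabledUsers 'Privileged Group Membership' 'Info' "(|$memberOfAny$primaryAny)"

# adminCount=1 but no longer in a protected group: SDProp never clears the flag, so the account
# keeps the restrictive AdminSDHolder ACL with inheritance disabled. Disabled accounts are included
# on purpose; krbtgt is protected directly and is excluded to avoid a false positive.
$staleAdminFilter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)" +
                    "(!$memberOfAny)(!$primaryAny)(!(sAMAccountName=krbtgt)))"
foreach ($u in Get-ADUser -LDAPFilter $staleAdminFilter) { Add-Finding 'Stale AdminSDHolder Accounts' 'Medium' $u }

Test-EnabledUsers 'Service Principal Names (SPN)' 'Medium' "(servicePrincipalName=*)(!(sAMAccountName=krbtgt))"

# Unconstrained delegation covers users and computers. Domain controllers (primaryGroupID 516)
# carry the flag by design, so they are excluded here rather than reported.
$delegFilter = "(&(|(objectClass=user)(objectClass=computer))" +
               "(userAccountControl:$BitAnd:=$($UAC.TRUSTED_FOR_DELEGATION))(!(primaryGroupID=516)))"
foreach ($o in Get-ADObject -LDAPFilter $delegFilter -Properties sAMAccountName) {
    Add-Finding 'Unconstrained Delegation' 'High' $o }

# --- Reporting: counts per check on screen, full set exported for a ticket or audit file ---
$findings | Group-Object Check | Sort-Object Count -Descending |
    Select-Object @{n='Check';e={$_.Name}}, Count | Format-Table -AutoSize
$findings | Export-Csv -Path .\ad-audit-findings.csv -NoTypeInformation
```

Two design points worth noting: the bitwise matching rule lets the domain controller evaluate userAccountControl flags server-side instead of pulling every account and filtering locally, and the in-chain rule resolves nested group membership in the query itself, which is why the stale adminCount and privileged-membership checks agree with each other. Accounts excluded via OU in AD Auditor would be handled here by adding a -SearchBase or a post-filter on DistinguishedName.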

Account Information

  • Missing Title / Manager / Department / Company / Description — enabled user accounts with these attributes blank.
  • Enabled Contractor Accounts — enabled accounts in a designated Contractor OU whose accountExpires date has passed.

HR Census Reconciliation

Import your HR roster (CSV or XLSX), map its columns to AD attributes, and reconcile the two. Alias rules absorb the inevitable real-world data drift between HR and AD.

  • Match by Name and Match by Email — flag AD accounts not present in the HR roster.
  • Title / Department / Company / Manager mismatches — flag accounts whose AD attribute disagrees with HR, with optional case-insensitive comparison.

Groups

  • Empty Distribution Groups — distribution groups with no members.
  • Empty Security Groups — security groups with no members. Built-in primary groups can be excluded individually.

Inventory

  • All Enabled Users — a straight inventory of every enabled user account, with optional OU exclusions.

Reporting & Export

  • Filter and group — narrow results by check or category before exporting.
  • Three formats — export any result set to .txt (quick paste into a ticket), .csv (open in Excel for sorting and filtering), or .pdf (a clean report for audit binders or management).
  • Local only — reports are generated on your machine and saved wherever you choose. Nothing is uploaded.

How it works

  • Read-only. AD Auditor queries Active Directory over LDAP. It never creates, modifies, or deletes objects.
  • Offline. Runs on your workstation against your own Domain Controller — no agent, no telemetry, no cloud connection.
  • Configurable everywhere. Every check toggles on or off, thresholds are adjustable, and any check can exclude specific OUs or individual accounts.

Questions about a specific check? The FAQ and Security & Trust pages cover more, or email support@corestratagems.com.

Ready to audit your Active Directory?

Download the 14-day free trial and run your first audit in under five minutes.