Domain Auditor

News (as of March 25, 2006):

The .40 release is nearly ready. New features include the ability to report on group memebership, the ability to either display reports on screen or send them via email. The final pieces being worked on are the ability to run all reports on a scheduled basis and have them emailed to an email address (definable on a per report basis). Once scheduled reports are done I will need to update the documentation and update the installation procedures to handle both new installs or upgrades. The new release should be out on Sourceforge by March 31st (date slipped due to work heating up).

This tool was written to audit and track accounts within a domain. This tool uses LDAP queries to a definable Active Directory server to find various definable classes of accounts. Initially it will operate interactively, but capabilities may be added in the future to automate functions (i.e. generate reports on a scheduled basis). The installation script handles most installation chores, so setup is very straightforward. The tool is beta status at this time, but is in being used to generate SOX reports for my employer.

Technology - Apache, mySQL, PHP. Written and tested on Linux by should work on other operating systems. Uses PHP_LDAP and PHP_MYSQL.

Licensing - Free to use, modify and distribute under the terms of the GNU GPL


Reports - This function will display a list of defined reports, when invoked it will generate a list of accounts from AD (via LDAP queries) the results returned will depend on what you have defined for the filter for any particular report class under Sysadmin

Sys Admin - This function will allow you to changes the system settings for LDAP server and port, base DN, Bind DN, username and password, and the database settings (mySQL only at this time). You may also add the report class definitions and their matching LDAP filters within this module

User Admin - This screen is used to define users for the system and their rights. Usernames are used as the primary value, and entered values are validated via LDAP queries

Audit Logs - The system logs all changes to the information stored and this page will allow you to review the data from these logs

Theory of Operation

The goal of this tool is to provide a framework under which reporting and tracking of pooled or generic accounts in an Active Directory domain becomes manageable. This is accomplished by entering meaningful data in an organized fashion to fields in Active Directory, primarily structured data entered into the Description field. Data is entered into the Description field as:

Account Class : owner name (SAMaccountName) : Description/Purpose

The account classes you enter should also be defined under the sysadmin module with the matching LDAP query that will return only those accounts that match. In this fashion listings may be obtained that show the owners of these accounts. More details on how to use Domain Auditor can be found in the README file.

Screenshots can be found here


Download avaialble from the project page on Sourceforge


Download the tarball and place it in your web root (/var/www/html or other directory depending on your distribution)

Extract the files using the command tar -zxcf domainauditor-x.xx

Rename the directory from auditor-x.xx to auditor using the command mv auditor-x.xx auditor

Set permissions so that ID your web server runs under has permissions to the files using the command chmod -R apache:apache auditor (your web server may run as a different ID such as nobody)

Point your browser to and follow the instructions.

Feeback and Support

Use the Sourceforge Project Forums to get support. If you download and use the package please drop a note in one of the forums to let me know how it is working out for you. I'm very interested in feedback on how it works and areas for improvement.

Project hosting provided by Sourceforge Logo
Domain Auditor ©2006 Mike Seigafuse