I would like an AD Permissions Report that not only includes the user or group that has the permission, but also the members of the group. For example, the OOB report shows Group A has Reset Password rights on OU A, but it does not show the members of Group A. I want the report to show the members of Group A.
Complete permission list or inventory of the Active Directory environment that identifies who has what, and the ability to rerun it and identify changes. This would provide awareness of permission changes within the environment and allow follow-up to ensure there are approvals for these changes.
Needs to consider both built-in and delegated permissions. Also, need a report, or process, to provide understanding down to the user account level (giving consideration to providing understanding of nested group members).
I just have some clarifying questions and thoughts first.
Are you looking for the display of the members of the groups recursively, each time a group is found within a permission? From experience, AD permissions can be a very large report, and recursive group membership can also be a very large report, so combining the two can be even more unmanageable. Might you know if there is a large number of groups/members and levels of nesting in your environment?
Are you also looking to fully expand the group "Domain Users" every time it is encountered?
Is the report going to be rendered to the screen/paper, or is the report to be exported to CSV?
Just an alternative thought, which may or may not help, but in some cases people have found it useful to validate the directly permissioned accounts, and then to use the "Expand Group members" parameter of the "Domain Groups with Members" report to validate that the correct members are in each group. This would involve looking at two reports, but would remove a lot of duplication of group memberships and could be easier to read.
I understand the concerns with the display of the members of the groups recursively, but that is what they want to see. They do not want to have two different reports and then have to compare them manually.
As this is an AD permissions report, they also are looking for changes to the permissions. There are built-in Change History reports for AD, Groups etc. Does the AD Change History report include AD Permissions? If not, then I will also need an AD Permissions Change History report that includes the groups and the members of each group.
For example, today I run the AD Permissions report and it states that Group A has reset password rights on OU A and Group A has Joe, Bill and Fred as members. After my next Discovery I run the AD Permissions Report and it states that there is a change: not only does Group A have reset password rights on OU A but also Group B. Group A membership has changed: Joe is no longer a member of Group A. Group B membership has Joe, Tom and Harry.
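The two things asked for in this thread, expanding each permissioned group down to its user accounts (nested groups included) and reporting what changed between two runs, come down to a small amount of logic once the ACE list and group membership have been pulled from the directory. The block below is an added example, not code from the reporting product being discussed or from any of the posters. Its group and ACE data are constructed to mirror the Group A / Group B / OU A scenario in the last post, and it goes slightly beyond that scenario in two ways that the earlier replies raise: Group B contains a nested group that nests back into Group B (so the expansion has to stop on cycles), and "Domain Users" is listed in a do-not-expand set so that it is reported as a single row rather than as every account in the domain. Function and variable names are this example's own.

```python
"""Added example: expand nested AD group membership into an ACE inventory and
diff two snapshots of that inventory. All data below is constructed; a real
run would fill OLD_GROUPS/OLD_ACES and NEW_GROUPS/NEW_ACES from directory
queries taken on two different days."""

# Snapshot 1 (constructed): Group A has Reset Password on OU A, members Joe, Bill, Fred.
OLD_GROUPS = {
    "Group A": ["Joe", "Bill", "Fred"],
    "Domain Users": ["Joe", "Bill", "Fred", "Tom", "Harry"],
}
OLD_ACES = [  # (target OU, principal, right)
    ("OU A", "Group A", "Reset Password"),
    ("OU A", "Domain Users", "Read"),
]

# Snapshot 2 (constructed): Joe left Group A; Group B now also has the right.
# Group B contains Group C, and Group C contains Group B again (a nesting cycle).
NEW_GROUPS = {
    "Group A": ["Bill", "Fred"],
    "Group B": ["Joe", "Tom", "Group C"],
    "Group C": ["Harry", "Group B"],
    "Domain Users": ["Joe", "Bill", "Fred", "Tom", "Harry"],
}
NEW_ACES = [
    ("OU A", "Group A", "Reset Password"),
    ("OU A", "Group B", "Reset Password"),
    ("OU A", "Domain Users", "Read"),
]

# Groups too large to be worth expanding on every ACE they appear in.
DO_NOT_EXPAND = frozenset({"Domain Users"})


def expand_members(principal, groups):
    """Return the user accounts reachable from `principal` through any depth of
    nested groups. A principal not present in `groups` is treated as a user.
    `seen` prevents looping forever on circular nesting (B -> C -> B)."""
    if principal not in groups:
        return frozenset([principal])
    users, seen, stack = set(), {principal}, [principal]
    while stack:
        for member in groups[stack.pop()]:
            if member in groups:          # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    stack.append(member)
            else:                         # leaf: a user account
                users.add(member)
    return frozenset(users)


def build_report(aces, groups, do_not_expand=DO_NOT_EXPAND):
    """Map each (OU, principal, right) to its effective set of user accounts.
    Principals in `do_not_expand` are kept as one row whose value is None."""
    report = {}
    for ou, principal, right in aces:
        key = (ou, principal, right)
        report[key] = None if principal in do_not_expand else expand_members(principal, groups)
    return report


def diff_reports(old, new):
    """Compare two reports: ACEs that appeared or disappeared, and user-level
    membership changes on ACEs present in both snapshots."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    membership = {}
    for k in old.keys() & new.keys():
        if old[k] is None or new[k] is None:
            continue  # not expanded, so there is no user-level set to compare
        joined, left = new[k] - old[k], old[k] - new[k]
        if joined or left:
            membership[k] = {"joined": joined, "left": left}
    return {"added_aces": added, "removed_aces": removed, "membership_changes": membership}


def format_changes(changes):
    """Render the diff as the lines a permissions change-history report would show."""
    lines = []
    for (ou, p, r), members in sorted(changes["added_aces"].items()):
        who = "(not expanded)" if members is None else ", ".join(sorted(members))
        lines.append(f"NEW ACE: {p} now has '{r}' on {ou}; members: {who}")
    for (ou, p, r) in sorted(changes["removed_aces"]):
        lines.append(f"REMOVED ACE: {p} no longer has '{r}' on {ou}")
    for (ou, p, r), d in sorted(changes["membership_changes"].items()):
        for u in sorted(d["left"]):
            lines.append(f"MEMBER LEFT: {u} removed from {p} ('{r}' on {ou})")
        for u in sorted(d["joined"]):
            lines.append(f"MEMBER JOINED: {u} added to {p} ('{r}' on {ou})")
    return lines


if __name__ == "__main__":
    old = build_report(OLD_ACES, OLD_GROUPS)
    new = build_report(NEW_ACES, NEW_GROUPS)
    print("\n".join(format_changes(diff_reports(old, new))))
```

Run against the constructed snapshots it reports the new Group B ACE with its expanded members (Harry, Joe, Tom, with the nesting cycle walked only once) and that Joe left Group A, while the Domain Users row stays a single unexpanded line. Keeping each day's `build_report` output (for instance serialised to CSV) is what makes the rerun-and-compare step in the original request possible: the diff is between two saved inventories, not between two live directory queries.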