Sunbelt Directory Inspector

Easily analyze all your directories

If your organization is currently in transition from Windows NT Server 4.0 or Novell Directory Services (NDS) to Windows Server 2003 or Windows 2000 Server, you know headaches are ahead. Besides the actual migration duties, you must contend with multiple sets of proprietary tools to manage your disparate network directories. In addition to NT 4.0 and NDS, you might have a third-party directory service. How can you get a good picture of all your directory structures and objects?

Sunbelt Software's Sunbelt Directory Inspector 1.5 is a new tool that lets you analyze your organization's disparate directories and create comprehensive reports about their structure, security, integrity, and policy compliance. Sunbelt has been around for a long time, and historically, the company has repurposed and resold software, serving as a clearinghouse for cool tools. However, Directory Inspector is one of the first tools the company has developed in-house, so I was curious to give it a try.

Inspecting Directories
Directory Inspector provides a unified console for querying network directories in both pure Windows environments and mixed environments. You use the Directory Inspector console--instead of a variety of network directory tools, such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or Novell's ConsoleOne--for one-stop viewing of all your directories. The Directory Inspector console uses the permissions already present on the directories to restrict undesired poking around and access.

Installing Directory Inspector was a straightforward, wizard-driven process that proceeded without a hitch. I downloaded the software from the company's Web site, navigated through three wizard screens, and was finished.

The next step is to tell Directory Inspector about your directory sources. Directory Inspector can tie together a full or partial view of multiple directories, including NT 4.0's directory service, Active Directory (AD), NDS, IBM SecureWay and Sun Microsystems' iPlanet. Directory Inspector can also use any other Lightweight Directory Access Protocol (LDAP)-enabled directory sources (such as Sun Microsystems' iPlanet) but provides no enhanced reporting abilities for these sources.

Next, you tell Directory Inspector which containers within the directories you want to view. Although directory service administrators have access to view the entire hierarchy, in many cases, you'll want to use Directory Inspector to limit this view by creating a collection of directory sources called a Directory Profile. For example, if you're in charge of the Nurses accounts in a hospital and the Nurses accounts are in both AD and NDS, you might want to create a Directory Profile that combines the view of just the Nurses organizational unit (OU) in AD and the Nurses OU in NDS. Figure 1 shows an example of how to select the containers from which you want to pull data for a profile.

When you run queries against a Directory Profile, Directory Inspector doesn't directly query the directories. Rather, the program imports the required data into Directory Inspector and maintains the data in encrypted files. When you first create a Directory Profile, the Sunbelt Directory Inspector Wizard asks you whether you want to add this Directory Profile to a list of profiles whose data is imported regularly or whether you want to import this profile's data immediately, as Figure 2, page 29, shows. A separate scheduling applet called the Directory Importer lets you specify the frequency for importing profile data.

Pulling data from the source directories might take a while. Importing the data from my test directory, which contains less than 1000 users, took about 5 minutes. After you import the data from your directory sources, you're ready to start using Directory Inspector to create reports.

The report templates that Directory Inspector provides range from basic to useful to those you'll likely rarely use. There are two main categories of reports: Directory Analysis and Forensics/Discovery. The first category yields a host of basic reports, such as Duplicate User Names, Inactive User Accounts, and User Account Usage. Organizations often want to ensure that usernames or computer names follow a standard. One report promised to help track down errantly named objects, but in my tests, it simply verified that the attributes, such as account name, were within a certain character-length range.

Reports in the Forensics/Discovery section allow for more detailed analysis of objects that match specified criteria. For example, you can locate all accounts with the word temp in the name. Other reports in this category let you list users by group, list users by directory location, and graphically display the relationships among your AD OUs.

These examples of reports might not sound very exciting; however, the power of Directory Inspector lies in its ability to aggregate data from a variety of directory services. You can then use the data in the reports to fix or delete errant groups or accounts.

Some reports generate output in the included Crystal Decisions' Crystal Reports format; you can print these reports directly to your printer or export them to well-known file types including Microsoft Excel, PDF, and HTML. Other reports let you use a Windows Explorer–style interface to drill down into low-level object data. Still other reports generate handsome graphs. For example, Figure 3 shows a graphic of the location of all the user accounts in a domain.

Final Thoughts
Directory Inspector's UI was often difficult to navigate. It's not an MMC snap-in, so it's harder to integrate with my usual toolset. I also sometimes found it difficult to locate the report I wanted. The wizard interface is branching and hierarchical, which means you must click forward and back to locate the task or report you want to view. I would have preferred a tabbed interface that lets you select any point in the process. The UI for selecting directory objects to analyze doesn't show the entire path to the container you choose in the profile, so honing your queries about a desired directory service is cumbersome. Directory Inspector has an alternative Expert interface as well, but it didn't make locating the attributes and the reports I wanted to run any easier. I expect a few UI snags in version 1.x of a product; I hope that future versions make it easier to find the desired data and reports.

Directory services are designed to be easy to query. Thus, you could write your own Microsoft Active Directory Services Interface (ADSI)– or LDAP-compliant scripts and gather the same data that Directory Inspector does. However, most organizations don't have anyone on staff who has the time to create custom reports such as the ones Directory Inspector produces. Take the software for a test drive, and see whether the reports it generates are worth the relatively low cost of this reporting tool.

Contact: Sunbelt Software * 727-562-0101 or 888-688-8457
Price: $495 for each administrator console,
plus 25 percent of product list price for 1 year of maintenance
Decision Summary
Pros: Generates useful reports about AD and other LDAP directories
Cons: Can be hard to find desired report; UI sometimes tough to navigate

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.