How to Configure Windows Server 2016 Active Directory Reporting

Active Directory reporting gives administrators and auditors visibility into user accounts, group memberships, password policies, inactive accounts, administrative access, and configuration changes over time. On Windows Server 2016, you can generate comprehensive reports using PowerShell’s ActiveDirectory module, the built-in audit policies, and third-party or scripted solutions. This tutorial covers the most common and operationally useful reports.

Preparing the Reporting Environment

Ensure the Active Directory module is available on the reporting workstation or server:

Install-WindowsFeature RSAT-AD-PowerShell

Import the module and confirm connectivity:

Import-Module ActiveDirectory
Get-ADDomain | Select-Object Name, DomainMode, PDCEmulator

Create a dedicated reports output folder:

New-Item -ItemType Directory -Path "C:\ADReports" -Force

User Account Reports

Report all enabled user accounts with their last logon date:

Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, Department, Title |
    Select-Object Name, SamAccountName, Department, Title, LastLogonDate |
    Sort-Object LastLogonDate |
    Export-Csv "C:\ADReports\EnabledUsers.csv" -NoTypeInformation

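Report accounts that have not logged on in the past 90 days (stale accounts). LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default can lag the real logon by up to about 14 days, and accounts that have never logged on have no value and are not matched by this filter: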

$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -lt $cutoff} `
    -Properties LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate |
    Export-Csv "C:\ADReports\StaleUsers.csv" -NoTypeInformation

Report all accounts with passwords set to never expire:

Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object Name, SamAccountName, PasswordLastSet |
    Export-Csv "C:\ADReports\PasswordNeverExpires.csv" -NoTypeInformation

Group Membership Reports

List members of the privileged groups (Domain Admins, Enterprise Admins, Schema Admins, and the built-in Administrators group):

$groups = @("Domain Admins","Enterprise Admins","Schema Admins","Administrators")
# Collect the rows for every group first, then write the file once,
# so a re-run replaces the report instead of appending to the previous one.
$report = foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Get-ADUser -Properties Department |
        Select-Object @{N="Group";E={$group}}, Name, SamAccountName, Department
}
$report | Export-Csv "C:\ADReports\PrivilegedGroups.csv" -NoTypeInformation

Report all groups and their member counts:

Get-ADGroup -Filter * -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, @{N="MemberCount";E={$_.Members.Count}} |
    Sort-Object MemberCount -Descending |
    Export-Csv "C:\ADReports\GroupSummary.csv" -NoTypeInformation

Computer Account Reports

Report all computer accounts and their operating systems:

Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object OperatingSystem |
    Export-Csv "C:\ADReports\Computers.csv" -NoTypeInformation

Report computers that have not been active for more than 60 days:

$cutoff = (Get-Date).AddDays(-60)
Get-ADComputer -Filter {LastLogonDate -lt $cutoff} -Properties LastLogonDate, OperatingSystem |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Export-Csv "C:\ADReports\InactiveComputers.csv" -NoTypeInformation

Password Policy Report

Report the Default Domain Password Policy and all Fine-Grained Password Policies:

# Default policy
Get-ADDefaultDomainPasswordPolicy | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Fine-grained policies
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold |
    Format-Table -AutoSize

OU Structure Report

Export the full OU hierarchy to a CSV file for documentation and auditing:

Get-ADOrganizationalUnit -Filter * -Properties Description |
    Select-Object Name, DistinguishedName, Description |
    Sort-Object DistinguishedName |
    Export-Csv "C:\ADReports\OUStructure.csv" -NoTypeInformation

Scheduling Reports Automatically

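Wrap your report scripts in a master script and schedule it monthly. The following command, entered at a PowerShell prompt (the backtick continues the line), registers a monthly task to run on the first day of each month at 02:00. Because the task runs as SYSTEM, restrict write access to the script file and its folder to administrators:

schtasks /create /tn "Monthly AD Report" /tr "powershell.exe -NonInteractive -File C:\Scripts\MonthlyADReport.ps1" `
    /sc MONTHLY /d 1 /st 02:00 /ru SYSTEM /f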

Send the resulting CSV files to a distribution list as attachments, or copy them to a secured shared drive where compliance and security teams can access them. Consistent reporting builds the audit trail needed for regulatory compliance frameworks such as ISO 27001, SOC 2, and GDPR.
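
The privileged-group report becomes an audit trail once two runs are compared. The following is an added example, not part of the original tutorial: it diffs two snapshots in the PrivilegedGroups.csv column layout and lists memberships that were added or removed. The function name Compare-PrivilegedSnapshot and the sample rows are constructed for illustration.

```powershell
# Added example: Compare-PrivilegedSnapshot is a hypothetical helper, not from the tutorial.
function Compare-PrivilegedSnapshot {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Previous,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current
    )
    # Index each snapshot by "group|account" so a user in two groups is tracked per group.
    # PowerShell hashtable keys are case-insensitive, so ALICE.ADM and alice.adm match.
    $old = @{}
    foreach ($row in $Previous) { $old["$($row.Group)|$($row.SamAccountName)"] = $row }
    $new = @{}
    foreach ($row in $Current)  { $new["$($row.Group)|$($row.SamAccountName)"] = $row }

    $changes = @(
        # Present now but not in the previous run: a new privileged membership.
        foreach ($k in $new.Keys) {
            if (-not $old.ContainsKey($k)) {
                $new[$k] | Select-Object @{N='Change';E={'Added'}}, Group, Name, SamAccountName, Department
            }
        }
        # Present in the previous run but gone now: a removed membership.
        foreach ($k in $old.Keys) {
            if (-not $new.ContainsKey($k)) {
                $old[$k] | Select-Object @{N='Change';E={'Removed'}}, Group, Name, SamAccountName, Department
            }
        }
    )
    $changes | Sort-Object Group, Change, SamAccountName
}

# Constructed sample snapshots in the report's column layout (Group, Name, SamAccountName, Department).
$previous = @'
Group,Name,SamAccountName,Department
Domain Admins,Alice Example,alice.adm,IT
Domain Admins,Bob Example,bob.adm,IT
Schema Admins,Alice Example,alice.adm,IT
'@ | ConvertFrom-Csv

$current = @'
Group,Name,SamAccountName,Department
Domain Admins,Alice Example,alice.adm,IT
Domain Admins,Carol Example,carol.tmp,Finance
Enterprise Admins,Alice Example,alice.adm,IT
'@ | ConvertFrom-Csv

Compare-PrivilegedSnapshot -Previous $previous -Current $current | Format-Table -AutoSize
```

With real data, pass the output of Import-Csv for two saved copies of PrivilegedGroups.csv. Keeping a dated copy of each run is an assumption here, since the tutorial writes to a single file name.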