Enterprise Reporter: Why would I want to collect group members in discoveries other than Active Directory discoveries?

In my previous article, I provided an overview of When to Use a Shared Data Location to Improve Collection Times.  Today, let's take a look at collecting group members in discoveries.

In discoveries other than Active Directory® discoveries, you have the option to collect group members. If you do collect group members in the discovery, you can include group membership information in certain reports in the Report Manager. These reports expand each group within each report or as a sub-report (depending on the options you select) to show not only what groups have permissions, but the members of those groups that gain those permissions by being a member.

NTFS discoveries offer the most common use case of collecting group membership. For all file, folders or shares collected in the discovery, you have the option of also collecting group membership. This enables the user to run NTFS reports and include group membership for file, folder and share permissions.

Be aware that collecting group memberships may increase the discovery time substantially if a large folder structure is selected.

Computer discoveries offer the option to collect group members. If you choose to collect group members, you can include group membership in Computer reports.

SQL discoveries offer the option to collect group members, so you can include group memberships in the SQL reports.

Registry discoveries offer the option to collect registry key permissions, which includes the option to collect the group membership of those permissions. With opting to include group in the discovery you will have the option in the registry reports to include group membership.

How is group membership shared across the discoveries?

Accounts and group members are stored in common tables shared by all the discoveries, so you might not have to collect group members with all your discoveries because they might already be available. For example, if you have already run an Active Directory discovery on your entire domain, accounts and group members from that domain are already stored in the database. If you then run a computer discovery on computers in that domain, you really do not need to collect group members because the data is already available. Keep in this in mind when designing your discoveries, so you don’t duplicate your efforts.

How do I include group memberships in reports?

For those reports that include group membership, you have options on how to display the results in the report.

In the example below, we selected Expand Inline excluding members of Domain Users Group, which displays groups and their permissions with the members of each group listed below. Members of the Domain User Groups are excluded.

For more information on configuring discoveries, see the Enterprise Reporter Configuration Manager User Guide. For more information on running reports, see the Enterprise Reporter Report Manager User Guide.

In our next installment, Ruslan will discuss how to collect additional attributes in discoveries.