Create an Interactive Active Directory HTML Report With PowerShell


I covered the PowerShell module “ReportHTML” in a previous article (Create an Interactive HTML Report for Office 365 with PowerShell), where I used it to generate Office 365 tenant reports. The module's syntax and formatting take a little while to learn, but it’s great if you are not familiar with CSS/HTML, as it does most of the heavy lifting for you. I like to generate reports in HTML because the data can be interacted with. You can filter your tables, search for items, change the ordering of a table, and also present your data in bar and pie graphs.

My end goal was to create an Active Directory overview report using PowerShell. I looked into PSWinDocumentation, but ultimately I wanted the report to be interactive. I was looking for basic Active Directory items like Groups, Users, Group Types, Group Policy, etc., but I also wanted items like expiring accounts, users whose passwords will be expiring soon, newly modified AD Objects, and so on. Then I could have this report automatically e-mailed to me daily (or weekly) to see what has changed in my environment and which users I need to make sure change their password soon.

An overview report like this is also valuable to managed service providers, as they can quickly and easily understand a new client's environment, as well as show the customer their own environment.

While I walk you through the report, you can view it for yourself here

Below is a screenshot of the Groups tab in the report. Since the report is in HTML, you can go to the Active Directory Groups table and search for an item, and it will filter the table in real time. If you click the “Type” header, it will order the table by group type instead of name. The pie charts at the bottom can also be interacted with. When you hover over a pie chart it will display the value and count. So if you hover over the purple portion in Group Membership, it will display “With Members: 18”, so I know I have 18 groups that have members.

Report Features

Pie Charts

The Pie Charts will show you the value, and the count of what you are hovering over.

 

Search

In the top right corner of my table I can search the table for items. Below, I just want to see all results with “Brad”.

Header Ordering

By clicking on a different header I can change the sorting of the data. Here I change the data to order it by “Enabled” status, then “Protected from Deletion” and finally “Name”.

 

Report Overview

Dashboard

The Dashboard gives me a quick overview of the entire Active Directory environment. I can see the FSMO role holders, AD Recycle Bin status, and all valid UPN suffixes. It also displays membership for the Domain and Enterprise Admin groups, and any objects in the default Computers or Users OU. The next table displays every AD Object that has been modified in the last “X” days. You can change the number of days by changing the variable at the start of the script. I can also see users that have not recently logged on, as well as new user accounts that have been created. The Security Logs table displays all logs regarding logons.

Groups

As shown earlier, the Groups report displays all of my Groups, membership for Domain and Enterprise admins and more. The bottom pie charts are dynamic and can be interacted with within the report itself.

Organizational Units

The OU tab will display all of my OUs, their modification date, protection from accidental deletion, and any Group Policy Objects linked to that OU. The pie charts below provide a glance at OUs with GPO links as well as OUs that are protected from accidental deletion.

Users

The Users report is very detailed, providing an in-depth look at your users and their account health. Right away you can view the total number of users, users with passwords expiring soon, any expiring accounts, and users that have not logged on recently. The number of days for each item (password expiring in less than X days) can be easily changed at the beginning of the script.

The Active Directory Users table shows you all of your users and some of the most important user attributes. The next 4 tables will then display expiring password users, expiring accounts, inactive users, and newly created user accounts.

Group Policy

For the Group Policy report, you will see all of your Group Policy objects, their status, modification date, and user and computer versions.

Computers

The Computers report gives you a similar overview to the Users report. Here you can see the number of computer objects in your environment, as well as the breakdown of computer operating systems. In my example environment I have a lot of Windows 10 clients and more Server 2012 servers than 2016.

The 2 pie graphs below display the protection status from accidental deletion and enabled computers vs disabled. The last graph will give you a breakdown on the operating systems found in your environment. Here you can visually see how many Windows 10 devices compared to other operating systems are in my environment.

 

Script Overview

You can copy or download the script, and run it on any computer/server with RSAT or Active Directory right out of the box! But, I will explain the 1 module it uses as well as variables you can set if you want to change it to best fit your needs.

Modules

The script requires the ReportHTML module to be installed. If it does not detect the module, it will attempt to install it by running Install-Module. You can also install it manually by running Install-Module ReportHTML in an administrative PowerShell console.

Variables

Unfortunately since I haven’t made this script into a function with parameters (yet!), some items are set using variables at the start of the script.

  • CompanyLogo: Logo that will be in the top left corner of the report
  • RightLogo: Logo that will be in the top right corner of the report
  • ReportTitle: The title for the report
  • ReportSavePath: Where the report will save to
  • Days: Sets the days for “Find users that have not logged on in X amount of days”
  • UserCreatedDays: Sets the days for “Get users who have been created in X amount of days or less”
  • DayUntilPWExpireINT: Sets the days for “Get users whose passwords expire in less than X days”
  • ADNumber: Sets the days for “Get AD Objects that have been modified in X days or less”
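
The following is an added example, not the author's script: it shows one way the four day-based variables above can drive Active Directory queries. The threshold values and every name other than the four listed variables ($now, $props, $users and so on) are assumptions.

```powershell
# Added example, not the author's script. Threshold values are assumed.
Import-Module ActiveDirectory

$Days                = 30  # no logon in this many days => inactive
$UserCreatedDays     = 7   # created within this many days => new
$DayUntilPWExpireINT = 7   # password expires in fewer than this many days
$ADNumber            = 3   # object modified within this many days

$now   = Get-Date
$props = 'LastLogonDate', 'whenCreated', 'PasswordNeverExpires',
         'msDS-UserPasswordExpiryTimeComputed'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

# LastLogonDate is lastLogonTimestamp converted to a DateTime. It replicates
# between domain controllers but is refreshed only every 9-14 days by default,
# so keep $Days comfortably above that window.
$inactive = $users | Where-Object {
    -not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-$Days)
}

$newUsers = $users | Where-Object { $_.whenCreated -ge $now.AddDays(-$UserCreatedDays) }

# msDS-UserPasswordExpiryTimeComputed is a FILETIME that honours fine-grained
# password policies. 0 and Int64.MaxValue mean "no expiry date to convert".
$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($u.PasswordNeverExpires -or -not $raw -or $raw -eq [int64]::MaxValue) { continue }
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -ge 0 -and $daysLeft -lt $DayUntilPWExpireINT) {
        [pscustomobject]@{ Name = $u.SamAccountName; Expires = $expires; DaysLeft = $daysLeft }
    }
}

$since    = $now.AddDays(-$ADNumber)
$modified = Get-ADObject -Filter 'whenChanged -ge $since' -Properties whenChanged

# One summary row; the individual collections hold the per-table detail.
[pscustomobject]@{
    InactiveUsers     = @($inactive).Count
    NewUsers          = @($newUsers).Count
    PasswordsExpiring = @($expiring).Count
    ModifiedObjects   = @($modified).Count
}
```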

Active Directory

Since the script relies heavily on Active Directory, you will need to run it on a device with RSAT (as it gives you the Active Directory module) or on a domain controller. You just need the Active Directory module to be present on the system that it is run on.

Download / Source Code

You can find the source code either below or on GitHub! On GitHub you can put in feature requests, bugs/issues, and monitor when the code gets updated.

You can also copy the code below

 

13 thoughts on “Create an Interactive Active Directory HTML Report With PowerShell”

  1. Outstanding job!! Any chance we can get Windows 2019 versions and identify Windows 10 Pro/Enterprise and LTSC in the pie charts? It would also be helpful on the pie charts to put the number of devices rather than hover over them.

    Other than that, looks great. Wishlist: export to Word format for a document to deliver to management.

    1. Yes! I will make this setting into a param in the future but for now download the CSS file here

      place it in C:\Program Files\WindowsPowerShell\Modules\ReportHTML\1.4.1.1.

      Then modify this line
      $FinalReport.Add($(Get-HTMLOpenPage -TitleText $ReportTitle -LeftLogoString $CompanyLogo -RightLogoString $RightLogo))

      and make it
      $FinalReport.Add($(Get-HTMLOpenPage -TitleText $ReportTitle -LeftLogoString $CompanyLogo -RightLogoString $RightLogo -CSSName Red))

  2. Awesome job, would be interesting to have a language file so we could use on a different language OS server. (french) 🙂 I already
    Dunno if it’s for the language barrier but I receive a “cannot resolve the manager XYZ on the group ABC” when running the “Groups” section
    Thanks

  3. Awesome job! Just needed to translate all security groups into the German counterpart as they were not matching.

    Also: Maybe use the LastLogonTimeStamp instead of lastlogon attribute? If you have more than one domain controller the lastlogon attribute will not be meaningful as it is not replicated between domain controllers.

    LastLogonTimeStamp will be about 14 days minus random percentage of 5 days exact.

  4. Add ability to send email with results?

    # Use the following item to define if an email report should be sent once completed
    $SendEmail = $true
    # Please specify the SMTP server address (and optional port) [servername(:port)]
    $SMTPSRV = "smtpserver"
    # Would you like to use SSL to send email?
    $EmailSSL = $false
    # Please specify the email address
    $EmailFrom = "fromaddress"
    # Please specify the email address(es) (separate multiple addresses with comma)
    $EmailTo = "emailaddress"
    # Please specify the email address(es) who will be CCd (separate multiple addresses with comma)
    $EmailCc = ""
    # Please specify an email subject
    $EmailSubject = "Active Directory Report"

  5. Is there a way to exclude the groups from the report? I have a plethora of groups and not many have managers, so it is just repeating “cannot resolve the manager”.

    1. Yes, you can filter out groups. You will want something like get-adgroup -nl “GROUP”. Personally, I would have it read from a flat text file and then get groups that have a name not like any in that file.
