This document presents the Modern Active Directory project, which aims to give you a more modern view of your Active Directory, whether to check key indicators or to run advanced searches in a simple way.
With this PowerShell module, which accesses your Active Directory in read-only mode, you can view and query your directory from a web page. The directory status is generated on demand by running a command, or automatically so that you receive a daily report by e-mail.
Current Reporting and Limitations
Default console limits
By default, two consoles (DSA, i.e. Active Directory Users and Computers, and DSAC, the Active Directory Administrative Center) are provided to administer AD. These consoles have not evolved for several years and are limited in functionality. Moreover, installing them requires administrator rights on the machine.
Below are some limitations of the default console:
- It is not possible to filter on time-related attributes (such as LogonDate, LastLogon, PasswordLastSet, etc.).
- It is not possible to use the "Contains" condition in filters.
PowerShell makes it possible to run advanced queries against AD. However, a badly written script or query can cause load and errors on the domain controllers, which is a risk.
Using "-Properties *" makes the search slower and can trigger alerts if an EDR is in place, especially in a large environment:
Get-ADUser -Filter * -Properties * | Where-Object { $_.UserPrincipalName -like "*adm" }   # retrieves every attribute of every user, then filters client-side
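As an added example (not code from the Modern AD module), here is the same search written so that the filter runs on the domain controller, only the needed attributes are returned and the result set is capped; it also shows a time-based filter on LastLogonDate of the kind the default consoles cannot express. The 90-day threshold and the 200-object cap are assumptions.

```powershell
# Added example, not part of the ModernActiveDirectory module.
# Requires the ActiveDirectory module (RSAT); a read-only domain user is enough.
Import-Module ActiveDirectory

$Days   = 90                              # assumption: "not logged on for X days"
$Cutoff = (Get-Date).AddDays(-$Days)

# Ask only for the attributes the report actually uses instead of "-Properties *".
$Properties = 'LastLogonDate', 'PasswordLastSet', 'Enabled'

# -Filter is translated to LDAP and evaluated by the domain controller, so only matching
# objects cross the network (Where-Object would download every user first).
# -ResultSetSize caps the result, like the module's Maxsearcher parameter.
$StaleAdmins = Get-ADUser `
    -Filter { UserPrincipalName -like '*adm' -and LastLogonDate -lt $Cutoff } `
    -Properties $Properties `
    -ResultSetSize 200 |
    Select-Object SamAccountName, UserPrincipalName, Enabled, LastLogonDate, PasswordLastSet

$StaleAdmins | Sort-Object LastLogonDate | Format-Table -AutoSize
```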
To address these limitations and issues, the PowerShell “Modern AD” module offers the ability to perform simple and advanced queries with a single click, and to see the instant result by querying the module’s internal database.
In PowerShell, it can be difficult to combine certain filters if you are not used to handling PowerShell commands. Thanks to the Modern AD interface, and without any particular knowledge of PowerShell, these requests become very simple to make.
Overview of the Report
The dashboard generated by Modern AD gives a quick overview of the entire Active Directory environment, and it displays the most useful information for administration: servers with FSMO roles, enabled accounts, unsupported machines, number of administrators, etc. This information is crucial to keep an eye on the Active Directory configuration at any given time.
A chart shows the creation and deletion of machines and users per day, and an overview of the contents of the AD Recycle Bin, the default OUs, etc. is presented through a system of (static) widgets.
This dashboard contains specific sections for users, computers, groups, organizational units, etc., giving more precise information about certain objects.
The “Users” report is very detailed and provides an in-depth look at the health of your users and their accounts.
You can view the following information:
- Total number of users of an OU
- The date of the last connection
- Passwords that expire soon
- Enabled and expired accounts, etc.
Info: It is possible at any time to add your own attributes to be displayed, by modifying the parameters part in the code.
Two specific values are used in the "Days Until Password Expired" column:
- -999: the user has never logged on.
- -998: the user must change their password at the next logon.
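As an added example (not the module's own code), the following reproduces the "Days Until Password Expired" column with both sentinel values, using the AD attributes pwdLastSet and msDS-UserPasswordExpiryTimeComputed; the function name, the handling of never-expiring passwords and the 200-object cap are assumptions.

```powershell
# Added example, not part of the ModernActiveDirectory module.
Import-Module ActiveDirectory

function Get-DaysUntilPasswordExpired {
    # $User: an object from Get-ADUser requested with the properties listed below.
    param([Parameter(Mandatory)] $User)

    if (-not $User.LastLogonDate) { return -999 }   # never logged on
    if ($User.pwdLastSet -eq 0)   { return -998 }   # must change password at next logon

    $Expiry = $User.'msDS-UserPasswordExpiryTimeComputed'
    # Int64.MaxValue means "password never expires"; the report defines no sentinel for it,
    # so (assumption) the cell is left empty rather than given an invented value.
    if (-not $Expiry -or $Expiry -eq [Int64]::MaxValue) { return $null }

    $ExpiryDate = [DateTime]::FromFileTime($Expiry)
    return [int][Math]::Floor(($ExpiryDate - (Get-Date)).TotalDays)
}

$Properties = 'LastLogonDate', 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'

Get-ADUser -Filter { Enabled -eq $true } -Properties $Properties -ResultSetSize 200 |
    Select-Object SamAccountName,
        @{ Name = 'DaysUntilPasswordExpired'; Expression = { Get-DaysUntilPasswordExpired $_ } } |
    Sort-Object DaysUntilPasswordExpired |
    Format-Table -AutoSize
```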
The “Computers” report provides a similar overview to the Users report, with more specific information such as the date the password was created and last changed, the IP address, and the system Build number for Windows 10 and Windows 11.
The charts show the distribution of machines in the fleet by OS, as well as the number of Windows 10/11 that are at the end of support. This is valuable to follow the evolution of patches to update Windows builds.
Info: End Of Support of Windows 10/11 only takes into account the official dates of Microsoft for the Pro edition, but it is possible to modify these dates if you use the Enterprise edition (or another edition).
Note: The "H" in build versions is replaced by a 0 to make numerical sorting easier.
Example: 21h2 becomes 2102 and 22h2 becomes 2202.
The “Groups” tab displays all non-empty groups, while empty groups are listed in the “Empty Groups” category of the dashboard.
You can list all groups in which a user is a member, as well as list all members of a group or several groups starting or ending with a specific value.
Members of sensitive groups are not displayed.
The “OU” report lists the basic organizational units as well as the GPOs that are directly linked.
All OUs can be displayed by adding the "-OULevelSearch Subtree" parameter.
The "Resume" (summary) tab displays a count of each type of object in the directory.
It is possible to search on all tabs.
Members of privileged groups are not displayed, similarly in the user tab, administrators are not listed by default.
Below are the categories of the different reports generated:
Groups, Users, Computers, Print Servers, GPOs and OUs.
Authentication can be added by hosting the report on an IIS web server (JIT principle).
Important note: the report is read only, no risk of modification on the directory.
The information presented complies with the JEA (Just Enough Administration) principle.
You can control which information is displayed for all objects.
Reminder: Sensitive information such as privileged members and DCs are not displayed by default.
The filters allow you to make quick and interactive searches, the result is immediate.
It is possible to export the result in several formats (PDF, Excel, CSV …).
It is very easy to create custom filters by clicking on the ‘Search Builder’ button.
You can list the members of a specific OU by entering its name with the "Contains" condition, or by selecting its name in the displayed list with the "Equals" condition.
Important: It is recommended to use the “Equals” condition only for boolean values, e.g. a parameter with the expected result “True” or “False”.
To delete a condition, simply press the corresponding “X” button.
You can easily build complex queries with logical "And"/"Or" operators, using the same parameter any number of times under different conditions, thanks to the PSWriteHTML module.
Download and Installation
To function, Modern AD needs the following PowerShell modules:
- The PSWriteHTML module: it is downloaded automatically if you have internet access.
- The AD and GPO PowerShell modules: they must be installed from RSAT if you are not running on a domain controller. An error message is displayed if the AD module is missing, showing the command needed to install it.
Administrator rights are not required.
Installation and first execution
The module is available via the PowerShell Gallery and on GitHub: Link.
The following command downloads and installs the module for all users; it must be run from an elevated (administrator) console.
The following command installs only on the connected profile without requiring administrative rights.
Install-Module ModernActiveDirectory -Scope CurrentUser
Once installed, run the following command to generate your report.
In case of error you will be notified.
Note: displaying the contents of the AD Trash and PSO password policies requires rights to these containers (e.g. running the script with a domain admin or assigning the necessary rights to the user).
When finished, an HTML file will be created, and the web page will be launched automatically in your default browser.
Note: By default the report is generated in the Temp folder of the user “Appdata\Local\Temp”, you can change the path at any time.
If your machine does not have internet access, download the Zip from GitHub and unzip it into your "Modules" folder, located under "Program Files" or "Documents".
By default, the number of searches is limited to 200 objects per category for testing purposes.
To search all objects without limit and generate a single-page HTML report in the folder of your choice, use the following command:
Get-ADModernReport -IllimitedSearch -SavePath "C:\Myfolder" -HtmlOnePage
Below is a list of parameters you can use with the Get-ADModernReport function
- CompanyLogo: Logo that will be in the upper left corner of the report
- RightLogo: Logo that will be in the upper right corner of the report
- ReportTitle : the title of the report
- SavePath : where the report will be saved (Example : C:\report )
- Days: Set the days for “Search for users who have not logged in for X days”.
- UserCreatedDays : Set the days for “Get users who were created in X days or less”.
- DayUntilPWExpireINT: Sets the days for “Get users whose passwords expire in less than X days”
- Maxsearcher: Maximum number of Computer/User objects to search.
- OUlevelSearch : OU search level (Base/Onelevel/Subtree)
- IllimitedSearch: search all objects with no limit on their number
- Showadmin: display the administrators in the result
- HtmlOnePage: generates the report as a single page (recommended for small companies)
For more details, please consult the Help.
Get-Help Get-ADModernReport -Detailed
Use in a scheduled task or a script
One of the advantages of this module is that it can be run several times a day from a scheduled task, automatically overwriting the old values. It is then worthwhile to host the web page on an IIS server so that several people can consult it remotely.
Create a PS1 file and put the following code, point the output to the IIS folder if different from the default.
Import-Module ModernActiveDirectory -Force
Get-ADModernReport -IllimitedSearch -SavePath C:\inetpub\wwwroot
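Added example (not from the module or the original post): it writes the PS1 shown above to disk and registers it as a scheduled task that runs twice a day under a group Managed Service Account, so that no password is stored in the task and the account has no more rights than the read-only report needs. The gMSA name, paths, task name and run times are assumptions; the gMSA must already exist and be installed on the host.

```powershell
# Added example, not part of the ModernActiveDirectory module.
$ScriptPath = 'C:\Scripts\Update-ModernADReport.ps1'   # assumption
$TaskUser   = 'CONTOSO\gMSA-ModernAD$'                  # assumption: existing gMSA

# The script body: the two lines from the section above, plus a check that the web root
# exists so a misconfigured path fails loudly instead of silently writing elsewhere.
@'
$SavePath = 'C:\inetpub\wwwroot'   # IIS web root from the section above
if (-not (Test-Path $SavePath)) { throw "SavePath $SavePath does not exist" }
Import-Module ModernActiveDirectory -Force
Get-ADModernReport -IllimitedSearch -SavePath $SavePath
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Two runs per day; adjust to how fresh the dashboard needs to be.
$Triggers = @(
    New-ScheduledTaskTrigger -Daily -At '06:00'
    New-ScheduledTaskTrigger -Daily -At '13:00'
)

# gMSA with LogonType Password: Windows retrieves the account's password itself, nothing
# is stored in the task. RunLevel Limited because the report only reads the directory.
$Principal = New-ScheduledTaskPrincipal -UserId $TaskUser -LogonType Password -RunLevel Limited
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'ModernAD-Report' -Action $Action -Trigger $Triggers `
    -Principal $Principal -Settings $Settings
```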
We would like to thank all the people who have contributed directly or indirectly to the realization of this project.
The Essential Blogs :
And all members :
- Florian, Mehdi, Guylain, Mathieu, Hatira, …
My name is Bradley Wyatt; I am a 4x Microsoft Most Valuable Professional in Cloud and Datacenter Management. I have given talks at many different conferences, user groups, and companies throughout the United States ranging from PowerShell to DevOps Security best practices and am the 2022 North American Outstanding Contribution to the Microsoft Community winner.