Modern Active Directory – An update to PSHTML-AD-Report
This is a guest blog by Mehdi Dakhama, you can check out his blog here. He has transformed and improved upon PSHTML AD Report.
About
This document presents the Modern Active Directory project, which aims to bring a more modern view on your Active Directory, whether to view key indicators or to perform advanced searches in a simple way.
With this PowerShell module that accesses your Active Directory in read-only mode, you can view and query your directory from a Web page. This directory status is generated on demand by executing a command or automatically so that you receive a daily report by e-mail.
Current Reporting and Limitations
Default console limits
By default, two consoles (DSA and DSAC) are provided to administer AD. These consoles have not evolved for several years and they are limited in functionality. Moreover, installing these consoles requires administrator rights on the machine.
Below are some limitations of the default console:
- It is not possible to filter on time-related attributes (such as LogonDate, LastLogon, PasswordLastSet, etc.).
- It is not possible to use the ‘Contains’ condition in filters.
PowerShell Scripts
PowerShell makes it possible to run advanced queries against AD. However, a badly configured script or query can cause problems and errors at the AD level, which constitutes a risk.
Example below:
Using “-Properties *” makes the search slower and can generate alerts if an EDR is in place, especially in a large environment.
Get-ADUser -Filter * -Properties * | Where-Object { $_.UserPrincipalName -like "*adm" }
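The same search with the expensive parts removed, as an added example that is not code from the original post. The filter is evaluated on the domain controller instead of on the client, and only the attributes the report will display are requested, which is what keeps the query cheap and avoids the "read everything" pattern an EDR may flag. It assumes the RSAT ActiveDirectory module and read access to the domain; the OU distinguished name and the suffix are placeholders.

```powershell
# Added example (not from the original post): server-side filtering with an
# explicit attribute list instead of "-Filter * -Properties *".
# Assumes the RSAT ActiveDirectory module; SearchBase is a placeholder.
Import-Module ActiveDirectory

function Find-AdminUpn {
    param(
        [string]$Suffix     = 'adm',
        [string]$SearchBase = 'OU=Admins,DC=contoso,DC=com'   # placeholder scope
    )
    $params = @{
        # The -Filter is translated to an LDAP filter and evaluated on the DC,
        # so only matching objects cross the wire instead of every user.
        Filter         = "UserPrincipalName -like '*$Suffix'"
        SearchBase     = $SearchBase
        SearchScope    = 'Subtree'
        # Name only the attributes you will actually display; never "*".
        Properties     = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires'
        ResultPageSize = 500        # paged results keep DC memory use bounded
    }
    Get-ADUser @params |
        Select-Object SamAccountName, UserPrincipalName, Enabled,
                      LastLogonDate, PasswordLastSet, PasswordNeverExpires
}

# Usage:
# Find-AdminUpn | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Narrowing the SearchBase to the OU that actually holds the accounts of interest is the second lever: the directory then walks one subtree rather than the whole domain.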
ModernAD Advantage
To address these limitations and issues, the PowerShell “Modern AD” module offers the ability to perform simple and advanced queries with a single click, and to see the instant result by querying the module’s internal database.
In PowerShell, it can be difficult to combine certain filters if you are not used to handling PowerShell commands. Thanks to the Modern AD interface, and without any particular knowledge of PowerShell, these requests become very simple to make.
Overview of the Report
Dashboard
The dashboard generated by Modern AD gives a quick overview of the entire Active Directory environment, and it displays the most useful information for administration: servers with FSMO roles, enabled accounts, unsupported machines, number of administrators, etc. This information is crucial to keep an eye on the Active Directory configuration at any given time.
A chart shows the creation and deletion of machines and users per day, and a set of (static) widgets gives an overview of the contents of the AD Recycle Bin, the default OUs, and so on.
This dashboard contains specific sections for users, computers, groups and organizational units, in order to give more precise information about certain objects.
Users
The “Users” report is very detailed and provides an in-depth look at the health of your users and their accounts.
You can view the following information:
- Total number of users of an OU
- The date of the last connection
- Passwords that expire soon
- Activated, expired accounts, etc.
Info: You can add your own attributes to be displayed at any time by modifying the parameters section of the code.
Two special values appear in the “Days Until Password Expired” column:
- -999: the user has never logged on.
- -998: the user must change their password at the next logon.
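One way such a column can be derived, as an added example rather than the module's own code: the computed expiry attribute gives the real date, and the two sentinels described above are emitted for the cases where no date applies. It assumes the RSAT ActiveDirectory module and read access; the OU distinguished name is a placeholder.

```powershell
# Added example (not the module's own code): compute "Days Until Password
# Expired" with the -999 / -998 sentinels. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DaysUntilPasswordExpiry {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Staff,DC=contoso,DC=com' (placeholder)

    $props = 'LastLogonDate', 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $expiryRaw = $_.'msDS-UserPasswordExpiryTimeComputed'
        $days = if (-not $_.LastLogonDate) {
            -999                                  # never logged on
        } elseif ($_.pwdLastSet -eq 0) {
            -998                                  # "user must change password at next logon"
        } elseif ($_.PasswordNeverExpires -or $expiryRaw -eq [Int64]::MaxValue) {
            $null                                 # no expiry applies (never expires)
        } else {
            $expiry = [DateTime]::FromFileTime($expiryRaw)
            [int][Math]::Floor(($expiry - (Get-Date)).TotalDays)   # negative = already expired
        }
        [PSCustomObject]@{
            SamAccountName           = $_.SamAccountName
            LastLogonDate            = $_.LastLogonDate
            DaysUntilPasswordExpired = $days
        }
    }
}

# Usage: accounts whose password expires within a week, plus the sentinel cases
# Get-DaysUntilPasswordExpiry -SearchBase 'OU=Staff,DC=contoso,DC=com' |
#     Where-Object { $_.DaysUntilPasswordExpired -ne $null -and $_.DaysUntilPasswordExpired -le 7 }
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to 14 days, so the -999 case means "no replicated logon recorded", not that the account was never used today.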
Computers
The “Computers” report provides a similar overview to the Users report, with more specific information such as the date the password was created and last changed, the IP address, and the system Build number for Windows 10 and Windows 11.
The charts show the distribution of machines in the fleet by OS, as well as the number of Windows 10/11 that are at the end of support. This is valuable to follow the evolution of patches to update Windows builds.
Info: End of support for Windows 10/11 only takes into account Microsoft's official dates for the Pro edition, but you can modify these dates if you use the Enterprise edition (or another edition).
Note: the “H” in build versions is replaced by a 0 to facilitate numerical sorting.
Example: 21h2 becomes 2102 and 22h2 becomes 2202.
Groups
The “Groups” tab displays all non-empty groups, while empty groups are listed in the “Empty Groups” category of the dashboard.
You can list all groups in which a user is a member, as well as list all members of a group or several groups starting or ending with a specific value.
Members of sensitive groups are not displayed.
Organization Unit
The “OU” report lists the organizational units at the base level, as well as the GPOs directly linked to them.
You can display all OUs by adding the “-OULevelSearch Subtree” parameter.
Summary
The Summary tab displays the total number of each kind of element in the environment.
Report Features
It is possible to search on all tabs.
Members of privileged groups are not displayed; similarly, in the Users tab, administrators are not listed by default.
Categories
Below are the categories of the different reports generated:
Groups, Users, Computers, Print Servers, GPOs and OUs.
Security
It is possible to add authentication by hosting the report on an IIS web server (JIT principle).
Important note: the report is read only, no risk of modification on the directory.
The information presented complies with the JEA (Just Enough Administration) principle.
You can control which information is displayed for all objects.
Reminder: Sensitive information such as privileged members and DCs are not displayed by default.
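Hosting the page on IIS only adds protection if the site actually authenticates callers: an AD inventory served anonymously is readable by anyone who can reach the web server. The following is an added example, not part of the post or the project, of restricting the report to one AD group with Windows authentication and URL authorization. It assumes the WebAdministration module on the IIS host, the Windows Authentication and URL Authorization role services installed, an existing HTTPS binding, and an application named "ModernAD" under "Default Web Site"; the group name is a placeholder.

```powershell
# Added example (not from the original post): lock a hosted report down to
# one AD group. Assumes WebAdministration, Web-Windows-Auth and Web-Url-Auth,
# an HTTPS binding, and an "ModernAD" application; names are placeholders.
Import-Module WebAdministration

$site    = 'Default Web Site/ModernAD'
$readers = 'CONTOSO\AD-Report-Readers'     # placeholder group allowed to view the report
$common  = @{ PSPath = 'IIS:\'; Location = $site }

# 1. Authenticate callers (Kerberos/NTLM) instead of serving the page anonymously.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled -Value $true

# 2. Drop the inherited "allow everyone" rule and allow only the readers group.
#    With no matching rule, URL authorization denies the request.
Remove-WebConfigurationProperty @common -Filter 'system.webServer/security/authorization' -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty    @common -Filter 'system.webServer/security/authorization' -Name '.' -Value @{ accessType = 'Allow'; roles = $readers }

# 3. Require TLS so neither the credentials nor the report travel in clear text.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```

Keep the readers group small and separate from administrative groups: the report is read-only, but its content (account states, machine builds, OU layout) is exactly what an attacker would want to map the environment with.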
Search
The filters allow quick, interactive searches; the result is immediate.
It is possible to export the result in several formats (PDF, Excel, CSV …).
It is very easy to create custom filters by clicking on the ‘Search Builder’ button.
Example:
You can list the members of a specific OU by entering its name with the “Contains” condition, or by selecting its name in the displayed list with the “Equals” condition.
Important: It is recommended to use the “Equals” condition only for boolean values, e.g. a parameter with the expected result “True” or “False”.
To delete a condition, simply press the corresponding “X” button.
You can easily build complex queries with logical “And”/“Or” operators, and use the same parameter several times under different conditions, thanks to the power of the PSWriteHTML module.
Download and Installation
Prerequisites
Modern AD needs the following PowerShell modules to function:
- The PSWriteHTML module: it is downloaded automatically if you have internet access.
- The AD and GPO PowerShell modules: these have to be installed from RSAT if you are not on a domain controller. An error message is displayed if the AD module is not present, showing the command needed to install it.
Administrator rights are not required.
Installation and first execution
The module is available from the PowerShell Gallery and on GitHub: Link.
The following command downloads and installs the module for all users. Run it from an elevated (administrator) console.
Install-Module ModernActiveDirectory
The following command installs only for the current user profile, without requiring administrator rights.
Install-Module ModernActiveDirectory -Scope CurrentUser
Once installed, run the following command to generate your report.
Get-ADModernReport
In case of error you will be notified.
Note: displaying the contents of the AD Recycle Bin and the PSO password policies requires rights on those containers (e.g. running the script as a domain admin, or assigning the necessary read rights to the user).
When finished, an HTML file will be created, and the web page will be launched automatically in your default browser.
Note: By default the report is generated in the user's Temp folder (AppData\Local\Temp); you can change the path at any time.
Offline installation
If your machine does not have internet access, download the Zip from GitHub and unzip it into your “Modules” folder, which is located under the “Program Files” or “Documents” path.
Settings
By default, the number of searches is limited to 200 objects per category for testing purposes.
To perform an unlimited search for objects, use the following command:
Get-ADModernReport -illimitedsearch
The command below generates a single-page report in HTML format in the folder of your choice.
Get-ADModernReport -IllimitedSearch -SavePath "C:\MyFolder" -HtmlOnePage
Parameters
Below is a list of parameters you can use with the Get-ADModernReport function:
- CompanyLogo: logo shown in the upper left corner of the report
- RightLogo: logo shown in the upper right corner of the report
- ReportTitle: the title of the report
- SavePath: where the report will be saved (example: C:\report)
- Days: sets the days for “Search for users who have not logged in for X days”
- UserCreatedDays: sets the days for “Get users who were created in X days or less”
- DayUntilPWExpireINT: sets the days for “Get users whose passwords expire in less than X days”
- Maxsearcher: maximum number of Computer/User objects to search
- OUlevelSearch: OU search level (Base/Onelevel/Subtree)
- IllimitedSearch: search all objects without a limit on their number
- Showadmin: display the administrators in the result
- HtmlOnePage: generates the report as a single page (recommended for small companies)
For more details, please consult the Help.
Get-Help Get-ADModernReport -Detailed
Use in a scheduled task or a script
One of the advantages of this module is that it can be executed several times a day in a scheduled task, automatically overwriting old values if necessary. It is then useful to host the web page on an IIS server so that several people can consult it remotely.
Create a PS1 file containing the following code, and point the output to the IIS folder if it differs from the default.
Import-Module ModernActiveDirectory -Force
Get-ADModernReport -IllimitedSearch -SavePath C:\inetpub\wwwroot
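Since the report only reads the directory, the scheduled task does not need an administrator account. The following is an added example, not part of the post or the project, that writes the wrapper script above to disk, grants the account write access to the web root only, and registers the daily task under a group managed service account (gMSA). Account, group, path and site names are placeholders; the gMSA must already exist and be installed on the host (Install-ADServiceAccount).

```powershell
# Added example (not from the original post): run the daily report under a
# gMSA with read-only directory rights instead of an admin account.
# All names and paths below are placeholders.
$scriptPath = 'C:\Scripts\Publish-ADReport.ps1'
$webRoot    = 'C:\inetpub\wwwroot\ModernAD'     # IIS folder that serves the report
$gmsa       = 'CONTOSO\gMSA-ADReport$'          # placeholder gMSA (note the trailing $)

# 1. Wrapper script run by the task: keeps a transcript and exits non-zero on
#    failure so the problem shows up in the task history.
$wrapper = @'
$logDir = 'C:\Scripts\Logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir ('ADReport_{0:yyyyMMdd}.log' -f (Get-Date)))
try {
    Import-Module ModernActiveDirectory -Force -ErrorAction Stop
    Get-ADModernReport -IllimitedSearch -SavePath '__WEBROOT__'
} catch {
    Write-Error "Report generation failed: $_"
    exit 1
} finally {
    Stop-Transcript
}
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $wrapper.Replace('__WEBROOT__', $webRoot) -Encoding UTF8

# 2. The gMSA needs to write the report into the web root, nothing more.
New-Item -ItemType Directory -Path $webRoot -Force | Out-Null
$acl  = Get-Acl -Path $webRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $gmsa, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 3. Register the task. -LogonType Password is the setting used for gMSAs,
#    which rotate their own password; no credential is stored in the task.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'ModernAD-DailyReport' -Action $action -Trigger $trigger -Principal $principal
```

If you want the Recycle Bin and PSO sections populated, grant the gMSA read rights on those containers as the note in the installation section describes, rather than running the task as a domain admin.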
Credits
We would like to thank all the people who have contributed directly or indirectly to the realization of this project.
The essential blogs:
And all members:
- Florian, Mehdi, Guylain, Mathieu, Hatira, …
My name is Bradley Wyatt; I am a 5x Microsoft Most Valuable Professional (MVP) in Microsoft Azure and Microsoft 365. I have given talks at many different conferences, user groups, and companies throughout the United States, ranging from PowerShell to DevOps Security best practices, and I am the 2022 North American Outstanding Contribution to the Microsoft Community winner.
27 thoughts on “Modern Active Directory – An update to PSHTML-AD-Report”
This tool is powerful and very friendly to use.
Great article
Awesome Tool and good job 👌👍
Very good update and good idea thanks a lot Brad for sharing
How could I use this? I got only one file there, ADModernReport, but here three files are mentioned for offline installation.
Hi, Md,
From GitHub, you can download the Zip from Releases that contains the three necessary folders, and place it in your PowerShell module path.
https://github.com/dakhama-mehdi/Modern_ActiveDirectory
Hi Mehdi Thanks.
When I run it I get the report, but no chart or graph is prepared in this report, and also no drop-down options under the Domain, Object and About tabs; when I move the mouse pointer over these three options they hide.
Where did I go wrong? Could you please help me.
Hi MD Mojahid,
Thank you a lot for your reply. Effectively, if you use it on a machine that does not have an internet connection the report is not shown correctly. I have fixed this in the last version 1.4.1; please download it from GitHub and add -offline as a parameter like this:
Get-ADModernReport -Offline
Also, the report doesn't support IE11; view the result under Edge or Chrome.
You can save the file somewhere like C:\temp and move it to the server machine with an internet connection.
I use this tool to get a quick overview of the AD, Account Security, GP, and OU health of an organization.
Hi Peter, thank you for your reply. You can run it under IIS and Task Scheduler one or more times per day, and get the report from any machine on the domain with a URL.
Hi Mehdi, thanks for your reply. Could you please share the GitHub URL of the last version 1.4.1?
Hi, the URL is here:
https://github.com/dakhama-mehdi/Modern_ActiveDirectory
Get the last version, and run it with this parameter:
Get-ADModernreport -offline
Awesome tool!
Is there any plan for a domain parameter? So in case of a multi-domain environment or an AAD-joined device you can pass the domain name value to be scanned?
Any way for the report to just output the user list?
Fantastic work! Question though, how do I include the sensitive groups in the results, i.e. Domain Admins, Enterprise Admins, etc.? Also, is it possible to consolidate everything into a single HTML rather than having the 10 x HTML files? Thanks
I want to retrieve this information too! I've tried all parameters of OULevelSearch and ShowAdmin. The Domain Admins group (for example) doesn't appear.
Yeah it would be helpful to see if a user was added/removed to a sensitive group
Hi C.
No, the tool does not actually allow you to see if a user has been deleted from a sensitive group directly; this should be seen in the logs or by forensics, which is the objective of a future tool. On the other hand, if you generate a report every day you should be able to return to a previous version to compare. It is also interesting to put the tool in IIS and generate reports several times a day using a scheduled task.
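Comparing yesterday's and today's reports by eye is error-prone, so here is an added example, not code from the post or from the commenter, that does the comparison for the one thing the thread is asking about: membership of the protected groups (adminCount=1, the same set the adsisearcher query further down returns). Each run writes a dated JSON snapshot and diffs it against the previous one, reporting members added to or removed from each group. It assumes the RSAT ActiveDirectory module and read access; the snapshot folder is a placeholder.

```powershell
# Added example (not from the post or the comments): snapshot protected-group
# membership daily and diff against the previous snapshot.
# Assumes the ActiveDirectory module; the snapshot directory is a placeholder.
Import-Module ActiveDirectory

function Get-ProtectedGroupMembership {
    # Returns a map: group name -> sorted list of member DNs (direct and nested).
    $result = @{}
    Get-ADGroup -LDAPFilter '(&(adminCount=1)(isCriticalSystemObject=*))' | ForEach-Object {
        $members = Get-ADGroupMember -Identity $_ -Recursive |
                   Select-Object -ExpandProperty distinguishedName
        $result[$_.Name] = @($members | Sort-Object)
    }
    return $result
}

function Compare-ProtectedGroupSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotDir)
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

    $current = Get-ProtectedGroupMembership
    $today   = Join-Path $SnapshotDir ('protected_{0:yyyyMMdd}.json' -f (Get-Date))
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $today -Encoding UTF8

    # Most recent earlier snapshot; file names sort chronologically by design.
    $previous = Get-ChildItem -Path $SnapshotDir -Filter 'protected_*.json' |
                Where-Object { $_.FullName -ne $today } | Sort-Object Name | Select-Object -Last 1
    if (-not $previous) { return @() }        # first run: nothing to compare against

    $old = Get-Content -Path $previous.FullName -Raw | ConvertFrom-Json
    $changes = foreach ($group in $current.Keys) {
        # Group absent from the older snapshot -> treat every current member as new.
        $before = if ($old.PSObject.Properties[$group]) { @($old.$group) } else { @() }
        $after  = $current[$group]
        foreach ($m in $after)  { if ($m -notin $before) { [PSCustomObject]@{ Group = $group; Change = 'Added';   Member = $m } } }
        foreach ($m in $before) { if ($m -notin $after)  { [PSCustomObject]@{ Group = $group; Change = 'Removed'; Member = $m } } }
    }
    return @($changes)
}

# Usage (e.g. from the same scheduled task that refreshes the report):
# Compare-ProtectedGroupSnapshot -SnapshotDir 'C:\Reports\ProtectedGroups' | Format-Table -AutoSize
```

A snapshot diff only tells you that something changed between two runs; who changed it and when still has to come from the security event log on the domain controllers, as the reply above says.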
Hello Renato,
Domain Admins will appear if you use -showadmin.
Can you try with this command:
([adsisearcher] "(&(objectCategory=group)(admincount=1)(iscriticalsystemobject=*))").FindAll()
If it does not list the admin group, maybe you don't have permissions to read it; you can post on GitHub.
Regards,
Hello Mike,
Thank you for your answer. To display the administrator groups, you just need to add the -Showadmin argument as written in the doc, the -illimitedsearch argument to search all objects, and to have a single page just add -HtmlOnePage. Finally the command will be like this:
Get-ADModernReport -illimitedsearch -SavePath C:\MyFolder -showadmin -HtmlOnePage
Great and friendly tool. Is there a parameter for the AD controller IP address or hostname?
Regards
Juan
Same one. For limiting to Child or Root/Parent Domain inside a Forest…
Hi
GREAT one,
And now, how do I specify the domain or domain controller for a multi-domain forest, and/or if I am not at the forest root domain? Or how to specify a child domain/DC?
George
Good question; how could one generate a report for the entire forest or just a specific child domain?
Great question; would love the ability to check other domains/forests
Beyond that, it is nice to see that there are a lot of domain and enterprise admins, but how can I identify them? In Groups, no built-in groups or the Organization-Admins group are displayed, thus you cannot see users with admin privileges.