I. What is Modern Active Directory
The Modern Active Directory project is a PowerShell module that gives a new experience: an overview of the Active Directory environment presented as an interactive HTML report.
Modern Active Directory gives AD a new look for safe searching.
What can I do with it:
View key indicators
Inventory of Active Directory
Safely browse essential Active Directory objects
Advanced searches in a simple way
Support all Active directory languages
Faster report building
No sensitive information is exposed
Take control over the information displayed
Works in companies of any size
Get a daily report, or a dynamic one from a URL
1. Default console limits
By default, two consoles (DSA and DSAC) are provided to administer AD. These consoles have not evolved for several years and they are limited in terms of functionality. Moreover, installing them requires administrator rights on the machine.
Below are some limitations of the default consoles:
- It is not possible to filter on time-related attributes (such as LogonDate, LastLogon, PasswordLastSet, etc.).
- It is not possible to use the 'Contains' condition in filters.
1. PowerShell Scripts
PowerShell makes it possible to run advanced queries against AD. However, a badly written script or query can cause problems and errors at the AD level, which constitutes a risk.
Example below:
Using "-Properties *" makes the search slower and can generate alerts if an EDR is set up, especially in a large environment.
Get-ADUser -Filter * -Properties * | Where-Object { $_.UserPrincipalName -like "*adm" }
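The same kind of lookup written so that the domain controller does the filtering, as an added example that is not part of the Modern AD project. It also shows the "Contains" and time-based conditions that the default consoles lack; the OU path and the 90-day threshold are assumptions.

```powershell
# Added example: requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=corp,DC=example'   # hypothetical OU, replace with your own
$cutoff     = (Get-Date).AddDays(-90)         # constructed threshold

# Slow form from the text: every attribute of every user is returned,
# and the filtering only happens afterwards on the client.
# Get-ADUser -Filter * -Properties * | Where-Object { $_.UserPrincipalName -like "*adm" }

# Scoped form: the filter is evaluated by the domain controller, only the
# named attributes are requested, and the search is limited to one OU.
$query = @{
    # "Contains" condition plus a time-related condition in one filter.
    # Accounts that never logged on have no LastLogonDate and are not matched.
    Filter        = '(UserPrincipalName -like "*adm*") -and (LastLogonDate -lt $cutoff)'
    Properties    = 'LastLogonDate', 'PasswordLastSet'
    SearchBase    = $searchBase
    SearchScope   = 'Subtree'
    ResultSetSize = 200                        # hard cap on returned objects
}

Get-ADUser @query |
    Select-Object SamAccountName, UserPrincipalName, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate
```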
2. ModernAD Advantage:
To address these limitations and issues, the PowerShell "Modern AD" module offers the ability to perform simple and advanced queries with a single click, and to see the instant result by querying the module's internal database.
In PowerShell, it can be difficult to combine certain filters if you are not used to handling PowerShell commands. Thanks to the Modern AD interface, and without any particular knowledge of PowerShell, these requests become very simple to make.
II. OVERVIEW OF THE REPORT
1. DASHBOARD
The dashboard generated by Modern AD gives a quick overview of the entire Active Directory environment, and it displays the most useful information for administration: servers with FSMO roles, enabled accounts, unsupported machines, number of administrators, etc. This information is crucial to keep an eye on the Active Directory configuration at any given time.
A diagram shows the creation/deletion of machines/users per day.
It also gives an overview of the contents of the Recycle Bin, the default OUs, etc., through a system of (static) widgets.
This dashboard contains specific sections for users, computers, groups, organizational units, etc., in order to give more precise information about certain objects.
2. USERS
The "Users" report is very detailed and provides an in-depth look at the health of your users and their accounts.
You can view the following information:
● Total number of users of an OU
● The date of the last connection
● Passwords that expire soon
● Enabled accounts, expired accounts, etc.
Info: You can add your own attributes to be displayed at any time by modifying the parameters section of the code.
Two specific values are added to the "Days Until Password Expired" column:
● -999: means that the user has never logged in.
● -998 : means that the user will have to change without CDM at the next connection.
3. Computers
The "Computers" report provides a similar overview to the Users report, with more specific information such as the date the password was created and last changed, the IP address, and the system Build number for Windows 10 and Windows 11.
The charts show the distribution of machines in the fleet by OS, as well as the number of Windows 10/11 that are at the end of support. This is valuable to follow the evolution of patches to update Windows builds.
Info: End Of Support of Windows 10/11 only takes into account the official dates of Microsoft for the Pro edition, but it is possible to modify these dates if you use the Enterprise edition (or another edition).
Note: In build versions, the letter H is replaced by a 0 to facilitate numerical sorting.
Example: 21h2 becomes 2102 and 22h2 becomes 2202.
4. Groups
The "Groups" tab displays all non-empty groups, while empty groups are listed in the "Empty Groups" category of the dashboard.
You can list all groups in which a user is a member, as well as list all members of a group or several groups starting or ending with a specific value.
Members of sensitive groups will not be displayed.
5. Organizational Unit
The "OU" report lists the basic organizational units as well as the GPOs that are directly linked.
It is possible to display all OUs by adding the "-OULevelSearch Subtree" parameter.
6. Summary
The Resume tab displays a summary of the number of all elements in the fleet.
III. REPORT FEATURES
It is possible to search on all tabs.
Members of privileged groups are not displayed. Similarly, in the user tab, administrators are not listed by default.
1. Category:
Below are the categories of the different reports generated:
Groups, Users, Computers, Print Servers, GPOs and OUs.
2. Security
It is possible to add authentication by hosting the report on an IIS Web server (JIT principle).
Important note: the report is read-only; there is no risk of modifying the directory.
The information presented complies with the JEA (Just Enough Administration) principle.
You can control which information is displayed for all objects.
Reminder: sensitive information such as privileged members and DCs are not displayed by default.
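One way to put authentication in front of the report on IIS, as an added example rather than the module's own code. It assumes IIS with the Windows Authentication feature installed and a "Default Web Site"; the virtual directory name and the reader group are hypothetical.

```powershell
# Added example: run elevated on the IIS server.
Import-Module WebAdministration

$reportDir = 'C:\report'                  # SavePath example used on this page
$site      = 'Default Web Site'
$vdir      = 'adreport'                   # hypothetical virtual directory name
$readers   = 'CORP\AD-Report-Readers'     # hypothetical group allowed to read the report
$auth      = '/system.webServer/security/authentication'

New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site $site -Name $vdir)) {
    New-WebVirtualDirectory -Site $site -Name $vdir -PhysicalPath $reportDir | Out-Null
}

# For this path only: anonymous access off, Windows authentication on.
$modes = @{ anonymousAuthentication = $false; windowsAuthentication = $true }
foreach ($mode in $modes.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$vdir" `
        -Filter "$auth/$($mode.Key)" -Name enabled -Value $mode.Value
}

# NTFS: remove inherited entries, then allow read access only to the reader
# group and the IIS worker processes. Administrators keep full control so an
# elevated job can write the report.
icacls $reportDir /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${readers}:(OI)(CI)RX" 'BUILTIN\IIS_IUSRS:(OI)(CI)RX'

# Confirm the effective settings before publishing anything.
foreach ($name in $modes.Keys) {
    $value = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$vdir" `
        -Filter "$auth/$name" -Name enabled).Value
    if ($value -ne $modes[$name]) { throw "$name is $value, expected $($modes[$name])" }
}

# Generate the report into the protected folder (parameters described on this page).
Get-ADModernReport -illimitedsearch -SavePath $reportDir -HtmlOnePage
```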
3. Search
The filters allow quick, interactive searches; the result is immediate.
It is possible to export the result in several formats (PDF, Excel, CSV ...).
It is very easy to create custom filters by clicking on the 'Search Builder' button.
Example:
You can list the members of a specific OU by indicating its name with the "Contains" condition, or by selecting only its name in the displayed list with the "Equals" condition.
Important: It is recommended to use the "Equals" condition only for boolean values, e.g. a parameter with the expected result "True" or "False".
To delete a condition, simply press the corresponding "X" button.
You can easily build complex queries with the logical "And" and "Or" operators, and the same parameter can be used several times under different conditions, thanks to the power of the PSWriteHTML module.
IV. Download and Installation
1. Prerequisites
To function, Modern AD needs the following PowerShell modules:
● The PSWriteHTML module: it will be downloaded automatically if you have access to the internet.
● The AD and GPO PowerShell modules: they must be installed from RSAT if you are not on an AD. An error message will be displayed if the AD module is not present, showing the command needed to install it.
Administrator rights are not required.
2. Installation and first execution
The module is available via the PowerShell Gallery and on GitHub: Link.
The following command downloads and installs the module for all users. Run it in a console in admin mode.
Install-Module ModernActiveDirectory
The following command installs only on the connected profile without requiring administrative rights.
Install-Module ModernActiveDirectory -Scope CurrentUser
Once installed, run the following command to generate your report.
Get-ADModernReport
In case of error you will be notified.
Note: displaying the contents of the AD Recycle Bin and the PSO password policies requires rights to these containers (e.g. running the script as a domain admin or assigning the necessary rights to the user).
When finished, an HTML file will be created, and the web page will be launched automatically in your default browser.
Note: By default the report is generated in the user's Temp folder, "Appdata\Local\Temp"; you can change the path at any time.
2. Offline installation
If your machine does not have internet access, download the Zip from GitHub and unzip it in your "Modules" folder, which is located under the "Program Files" or "Documents" path.
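An alternative way to prepare the offline copy, added here as an example and not taken from the project: stage the module from the PowerShell Gallery on a connected machine, record a hash manifest, and verify that manifest on the isolated machine before copying anything into the "Modules" folder. All paths are hypothetical.

```powershell
# --- On a machine with internet access ---
$stage = 'C:\Staging\ModernAD'            # hypothetical staging folder
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# PSWriteHTML is named explicitly because the page lists it as a prerequisite.
Save-Module -Name ModernActiveDirectory, PSWriteHTML -Path $stage

# Review what is about to be trusted: signature status of the code files.
Get-ChildItem $stage -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.dll |
    Get-AuthenticodeSignature | Select-Object Status, Path

# Record one SHA-256 per file, keyed by path relative to the staging folder.
Get-ChildItem $stage -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($stage.Length + 1)
        SHA256       = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv "$stage.manifest.csv" -NoTypeInformation

# --- On the machine without internet access ---
$copy     = 'D:\ModernAD'                 # hypothetical transferred copy
$manifest = Import-Csv 'D:\ModernAD.manifest.csv'

# Every file in the manifest must exist and hash to the recorded value.
$bad = foreach ($row in $manifest) {
    $file = Join-Path $copy $row.RelativePath
    if (-not (Test-Path $file) -or
        (Get-FileHash $file -Algorithm SHA256).Hash -ne $row.SHA256) { $row.RelativePath }
}
# Files that were not in the manifest are rejected as well.
$known = $manifest.RelativePath
$extra = Get-ChildItem $copy -Recurse -File |
    ForEach-Object { $_.FullName.Substring($copy.Length + 1) } |
    Where-Object { $_ -notin $known }

if ($bad -or $extra) { throw "Integrity check failed: $(@($bad) + @($extra) -join ', ')" }

# All-users location (needs admin); use the "Documents" module path for one profile.
Copy-Item "$copy\*" -Destination "$env:ProgramFiles\WindowsPowerShell\Modules" -Recurse
Import-Module ModernActiveDirectory
```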
V. Settings:
By default, the number of searches is limited to 200 objects per category for testing purposes.
To perform an unlimited search for objects, use the following command:
Get-ADModernReport -illimitedsearch
The command below allows you to generate a single report in HTML format in the folder of your choice.
Get-ADModernReport -illimitedsearch -SavePath "C:\Myfolder" -HtmlOnePage
3. Parameters
Below is a list of parameters you can use with the Get-ADModernReport function:
● CompanyLogo: Logo that will be in the upper left corner of the report
● RightLogo: Logo that will be in the upper right corner of the report
● ReportTitle: The title of the report
● HtmlOnePage: Generates a report in one page (recommended for small companies)
● SavePath: Where the report will be saved (Example: C:\report)
● Days: Sets the days for "Search for users who have not logged in for X days"
● UserCreatedDays: Sets the days for "Get users who were created in X days or less"
● DayUntilPWExpireINT: Sets the days for "Get users whose passwords expire in less than X days"
● Maxsearcher: Maximum number of Computer/User objects to search
● OUlevelSearch: OU search level (Base/Onelevel/Subtree)
● IllimitedSearch: Search in all objects without limit of number
● Showadmin: Display the administrators in the result
For more details, please consult the Help.
Get-Help Get-ADModernReport -Detailed
4. Credits
We would like to thank all the people who have contributed directly or indirectly to the realization of this project.
The Essential Blogs :
And all members :
Matthiew SOUIN, Mahmoud HATIRA, Zouhayer SARROUTI.