
Azure Active Directory Find Current User’s Direct Reports

It’s useful to be able to present reports whose content depends on the currently authenticated user. You might want users to see and edit details about the people they manage in Azure Active Directory. For this, you can query their direct reports.

Azure Active Directory Find Current User’s Direct Reports in PowerShell

When you run the following script on your server, it will fetch the direct reports of the specified user for a particular Azure Active Directory tenant. With a little bit of effort, you could do this for multiple tenants and export the results to a CSV or HTML file, or send them in an email. The following two techniques are quite different but equally valid. The Graph API requires an authentication token but does not require importing the Azure Active Directory PowerShell cmdlets.

Method #1 Using Azure-specific cmdlets:

# or can use the current GA version (AzureAD)
Import-Module AzureADPreview
# need to authenticate; can provide parameters so as not to be prompted
Connect-AzureAD
$yourid = "jack@yourdomain.com"
Get-AzureADUserDirectReport -ObjectId $yourid

Method #2 Using Graph API:

...
# Assumes you have an authentication token
$AuthHeader = $authenticationResult.CreateAuthorizationHeader()
$yourid = "jack@yourdomain.com"
# {0} is replaced with the tenant ID below; the user is addressed by UPN
$url = "https://graph.windows.net/{0}/users/$yourid/directReports?api-version=1.6"
$returnvals = Invoke-RestMethod -Method Get -Headers @{
    Authorization  = $AuthHeader
    'Content-Type' = "application/json"
} -Uri ($url -f $authenticationResult.TenantId)
$returnvals.value

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run a report like this on demand or delegate it safely for others in your organization to run via their web browser. Users can filter and sort the results on the fly, and with a single button press print the results or export them to your clipboard, PDF, Excel, or CSV. Safely and securely specify the OAuth connection used to perform these reporting tasks. Customize the report results and filters without scripting or coding. Most reports we offer can be scheduled to run at some frequency and be delivered to whom you want via email. This one is not one of those, because it requires the context of a currently logged-in user. It can be customized (without scripting) to take a user as an input parameter; at that point it could be scheduled.
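The multi-tenant, export-to-CSV variant that the text mentions, as an added example that is not part of the original page. It builds on Method #1 (the AzureAD module) and assumes the module is installed, that the signing-in account can read users in every tenant listed, and that the tenant IDs and UPNs shown are placeholders.

```powershell
# Added example (not from the original page): direct reports of a manager in several
# Azure AD tenants, one CSV per tenant. Tenant IDs and UPNs below are placeholders.
Import-Module AzureAD

$managers = @(
    @{ TenantId = '00000000-0000-0000-0000-000000000000'; Upn = 'jack@yourdomain.com' }   # placeholder
    @{ TenantId = '11111111-1111-1111-1111-111111111111'; Upn = 'jack@otherdomain.com' }  # placeholder
)
$outDir = Join-Path $env:TEMP 'DirectReports'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($m in $managers) {
    try {
        # Interactive sign-in scoped to one tenant; add -Credential for unattended runs.
        Connect-AzureAD -TenantId $m.TenantId | Out-Null

        # -ObjectId accepts a UPN or object ID; -All $true avoids the default page limit.
        $reports = Get-AzureADUserDirectReport -ObjectId $m.Upn -All $true |
            Select-Object @{ n = 'Manager'; e = { $m.Upn } },
                          DisplayName, UserPrincipalName, JobTitle, AccountEnabled, ObjectId

        $csv = Join-Path $outDir ("{0}.csv" -f $m.TenantId)
        $reports | Export-Csv -Path $csv -NoTypeInformation
        Write-Host ("{0}: {1} direct report(s) written to {2}" -f $m.Upn, @($reports).Count, $csv)
    }
    catch {
        # Record the failure and continue so one tenant does not stop the others.
        Write-Warning ("{0} ({1}): {2}" -f $m.Upn, $m.TenantId, $_.Exception.Message)
    }
    finally {
        Disconnect-AzureAD -ErrorAction SilentlyContinue
    }
}
```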

Find Users who Have Never Logged into Active Directory

Sometimes, in the course of IT business, users get created in your directory that are never used and are forgotten. Objects in your directory that aren’t receiving attention can be security risks, especially if these accounts have elevated privileges. One way to find user objects that have been created but never used is to query your directory for users who have never logged in.

Find Users Who Have Never Logged into Active Directory Using PowerShell

When you run the following script on your server, it will fetch users who have never logged in on a particular domain. With a little bit of effort, you could do this for multiple domains and/or export the results to a CSV or HTML file, or send them in an email. One important part of this method is to filter on the “isCriticalSystemObject” attribute in Active Directory. Active Directory has critical user objects that exist but are never meant to log in. It’s preferable to leave these results out of your query. As the name of the attribute suggests, these are critical and generally shouldn’t be edited.

Method #1:

Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(&(&(objectCategory=person)(objectClass=user)(!(isCriticalSystemObject=TRUE)))(|(lastLogon=0)(!(lastLogon=*))))"

Method #2:

Import-Module ActiveDirectory
Get-ADUser -Filter { -not (lastLogonTimestamp -like "*") -and -not (isCriticalSystemObject -eq $true) }

You might also want to use a service account (“-Credential” on your PowerShell commands) to keep things more secure. There are several other methods that don’t require RSAT (and the “ActiveDirectory” module), but these are the most convenient techniques to start with.

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run a report like this on demand or delegate it safely for others in your organization to run via their web browser. Users can filter and sort the results on the fly, and with a single button press print the results or export them to your clipboard, PDF, Excel, or CSV. Safely and securely specify the service account to use to perform the reporting tasks. Customize the report results and filters without scripting or coding. You can also schedule these reports to be delivered to you or others in your organization via emails that you can configure.
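An added example, not part of the original page, that carries Method #1 further: the lastLogon attribute is not replicated between domain controllers, so a user who has logged on against one DC still shows lastLogon = 0 on the others. The function below queries every DC, keeps the highest value seen, skips accounts created too recently to have been used yet, and exports the result. It assumes RSAT’s ActiveDirectory module and read access to the domain; the function name and parameters are mine.

```powershell
Import-Module ActiveDirectory

function Get-NeverLoggedInUser {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$OlderThanDays = 30,        # skip accounts newer than this
        [pscredential]$Credential         # optional service account
    )
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    # Same exclusion as Method #1: built-in objects that are never meant to log in.
    $ldap  = '(&(objectCategory=person)(objectClass=user)(!(isCriticalSystemObject=TRUE)))'
    $props = 'lastLogon', 'whenCreated'
    $users = @{}      # DN -> user object
    $best  = @{}      # DN -> highest lastLogon reported by any DC

    # lastLogon is not replicated, so every DC has to be asked.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain @auth) {
        foreach ($u in Get-ADUser -LDAPFilter $ldap -Properties $props -Server $dc.HostName @auth) {
            $dn = $u.DistinguishedName
            $ll = [int64]($u.lastLogon)    # $null (never set) becomes 0
            $users[$dn] = $u
            if (-not $best.ContainsKey($dn) -or $ll -gt $best[$dn]) { $best[$dn] = $ll }
        }
    }

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    foreach ($dn in $users.Keys) {
        $u = $users[$dn]
        # Never logged in on any DC, and old enough that a brand-new account is not flagged.
        if ($best[$dn] -eq 0 -and $u.whenCreated -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                WhenCreated       = $u.whenCreated
                DistinguishedName = $dn
            }
        }
    }
}

# Usage: interactive here; add -Credential for a dedicated read-only service account.
Get-NeverLoggedInUser -OlderThanDays 30 |
    Sort-Object WhenCreated |
    Export-Csv -Path (Join-Path $env:TEMP 'never-logged-in.csv') -NoTypeInformation
```

Enabled accounts in this output that also hold privileged group memberships are the ones to review first.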

Active Directory Clean Up Inactive Groups

Removing or archiving inactive groups in Active Directory is essential. Cleaning up inactive groups keeps your directory organized and can also keep you safe: orphaned groups can themselves be members of more critical groups. It’s important, though, that you don’t remove every group in Active Directory that has no members. Some groups without members are critical system groups, and you don’t want those in your reports or your clean-up script. Keeping an orderly directory is part of creating a secure environment. An Active Directory clean-up script for inactive groups is possible to write in PowerShell, but it has never been easier than with Web Active Directory’s PeopleAudit.

Active Directory Clean Up Inactive Groups in PowerShell

When you run the following script on the server, it will only fetch inactive groups. You can uncomment the “Remove-ADGroup” line to remove them. You could also move them to a special place you’ve reserved to archive them.

Import-Module ActiveDirectory
Get-ADGroup -Filter * -Properties members, isCriticalSystemObject |
    Where-Object {
        ($_.members.Count -eq 0 -and
         -not $_.isCriticalSystemObject -and
         $_.DistinguishedName -notmatch 'Exchange Security' -and
         $_.DistinguishedName -notmatch 'Dns')
    } |
    ForEach-Object {
        # Remove-ADGroup -Credential $BindUserCredentials -Confirm:$false -Identity $_.DistinguishedName
        Get-ADGroup -Identity $_.DistinguishedName
    }

You’ll want to use something like Microsoft’s Task Scheduler to run this script unattended. You would also want to use a service account and pass “-Credential” on your PowerShell commands to keep things more secure. It’s also a good idea to send notification emails when groups have been archived or removed, to create a log and history if running unattended.

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run and/or schedule these jobs without writing PowerShell. Safely and securely specify the service account to use to perform tasks. Configure notifications and logging to keep you aware of what’s going on. Easily specify and configure what constitutes an inactive group. Customize and delegate out-of-the-box web-based reports that can also be run and emailed automatically to users you choose.
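The archive-instead-of-delete approach the text suggests, as an added example that is not part of the original page. It keeps the page’s exclusions, adds a “not modified for N days” test so an empty group created yesterday is not swept up, records which groups each candidate was nested in (the nesting risk the text warns about), and supports -WhatIf so the run can be rehearsed. It assumes RSAT’s ActiveDirectory module; the archive OU, threshold and function name are placeholders of mine.

```powershell
Import-Module ActiveDirectory

function Move-InactiveADGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ArchiveOU = 'OU=Archived Groups,DC=yourdomain,DC=com',   # placeholder
        [int]$UnchangedForDays = 90,                                       # what "inactive" means here
        [string]$LogPath = (Join-Path $env:TEMP 'archived-groups.csv'),
        [pscredential]$Credential                                          # optional service account
    )
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }
    $cutoff = (Get-Date).AddDays(-$UnchangedForDays)

    $candidates = Get-ADGroup -Filter * -Properties members, memberOf, isCriticalSystemObject, whenChanged @auth |
        Where-Object {
            $_.members.Count -eq 0 -and
            -not $_.isCriticalSystemObject -and           # built-in groups stay put
            $_.whenChanged -lt $cutoff -and               # untouched for N days
            $_.DistinguishedName -notmatch 'Exchange Security' -and
            $_.DistinguishedName -notmatch 'Dns'
        }

    foreach ($g in $candidates) {
        $entry = [pscustomobject]@{
            When        = Get-Date
            Group       = $g.DistinguishedName
            WhenChanged = $g.whenChanged
            MemberOf    = ($g.memberOf -join ';')   # nesting to review before any later deletion
        }
        # ShouldProcess honours -WhatIf / -Confirm; nothing moves during a rehearsal.
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, "Move to $ArchiveOU")) {
            Move-ADObject -Identity $g.DistinguishedName -TargetPath $ArchiveOU @auth
            $entry | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
        $entry
    }
}

# Rehearse first; drop -WhatIf (and add -Credential for a service account) to actually move the groups.
Move-InactiveADGroup -UnchangedForDays 90 -WhatIf
```

The CSV log doubles as the history the text recommends keeping when the job runs unattended.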
