Modern Active Directory part 1/2

Table des matières

Modern Active Directory. 1

I.       About us. 2

1)      Default console limits. 2

2)      Powershell Scripts. 3

3)      ModernAD Advantage: 3

II.      OVERVIEW OF THE REPORT. 4

1)      DASHBOARD.. 4

2)      USERS. 5

3)      Computers : 6

4)      Groups. 7

5)      Organizational Unit 7

6)      Summary. 8

III.     REPORT FEATURES. 8

1)      Category: 9

2)      Security: 9

3)      Search. 10

IV.     Download and Installation. 12

1)      Prerequisites. 12

2)      Installation and first execution. 12

3)      Offline installation. 13

V.      Settings: 14

1)      Parameters. 14

2)      Use in a scheduled task or a script 15

3)      Credits. 15

This document presents the Modern Active Directory project, which aims to bring a more modern view on your Active Directory, whether to view key indicators or to perform advanced searches in a simple way. 

With this PowerShell module that accesses your Active Directory in read-only mode, you can view and query your directory from a Web page. This directory status is generated on demand by executing a command or automatically so that you receive a daily report by e-mail.

By default, two consoles (DSA and DSAC) are proposed to administer the DA. These consoles have not evolved for several years and they are limited in terms of functionality. Moreover, the installation of these consoles requires administrator rights on the machine.

Below are some limitations of the default console: 

- It is not possible to filter with time related attributes (Like: LogonDate, LastLogon, PasswordLastSet, etc...).

- It is not possible to use the 'Contains' condition in filters.

PowerShell offers the possibility to make advanced requests at the AD. However, a badly configured script or query can cause problems and errors at the AD level, which constitutes a risk.

Example below

Using "Properties *" makes the search slower and can generate alerts if an EDR is set up, especially in a large environment.

To address these limitations and issues, the PowerShell "Modern AD" module offers the ability to perform simple and advanced queries with a single click, and to see the instant result by querying the module's internal database.

In PowerShell, it can be difficult to combine certain filters if you are not used to handling PowerShell commands. Thanks to the Modern AD interface, and without any particular knowledge of PowerShell, these requests become very simple to make.

II. OVERVIEW OF THE REPORT

1) DASHBOARD

The dashboard generated by Modern AD gives a quick overview of the entire Active Directory environment, and it displays the most useful information for administration: servers with FSMO roles, enabled accounts, unsupported machines, number of administrators, etc. This information is crucial to keep an eye on the Active Directory configuration at any given time.

A diagram shows the creation/deletion of machines/users per day. 

An overview of the contents of the recycle garbage can, as well as the default OUs, etc.... 

Through a system of (static) widgets.

This dashboard contains specific sections for users, computers, groups, organizational units... In order to have more precise information about certain objects.

The "Users" report is very detailed and provides an in-depth look at the health of your users and their accounts. 

               You can view the following information:

Info: It is possible at any time to add your own attributes to be displayed, by modifying the parameters part in the code.

Two specific values are added to the "Days Until Password Expired" column:

The "Computers" report provides a similar overview to the Users report, with more specific information such as the date the password was created and last changed, the IP address, and the system Build number for Windows 10 and Windows 11.

The charts show the distribution of machines in the fleet by OS, as well as the number of Windows 10/11 that are at the end of support. This is valuable to follow the evolution of patches to update Windows builds.

Info: End Of Support of Windows 10/11 only takes into account the official dates of Microsoft for the Pro edition, but it is possible to modify these dates if you use the Enterprise edition (or another edition).

Note: Build versions containing H are replaced by a 0, this will facilitate numerical sorting.

Example: 21h2 becomes 2102 and 22h2 becomes 2202.

The "Groups" tab displays all non-empty groups, while empty groups are listed in the "Empty Groups" category of the dashboard.

You can list all groups in which a user is a member, as well as list all members of a group or several groups starting or ending with a specific value.

Members of sensitive groups will not be posted.

The "OU" report lists the basic organizational units as well as the GPOs that are directly linked. 

It is possible to display all ORs by adding the "-OULevelSearch Subtree" parameter.