Active Directory C&A
  • 12 Aug 2024


User Count

Using PowerShell, run the following command to count the active (enabled) users in your Active Directory tenant, then compare this number to the value shown in Clarity.
To navigate to this view in Clarity, head to Applications > Select the application > Users Tab > Filter to Active users only.

(Get-ADUser -Filter {enabled -eq "True"}).count

Active User Count - Users Tab

Entitlement Count

Using PowerShell, run the following command to count the Entitlements in your Active Directory tenant, then compare this number to the value shown in Clarity.
To navigate to this view in Clarity, head to Applications > Select the application > Entitlements Tab > Filter to Active users only.

Note

This count will be off by 1, as Clarity creates an Entitlement called the Base entitlement for every application (this entitlement only exists in Clarity). In the example below, you see 8551 returned by PowerShell, and 8552 visible in the Clarity UI.

(Get-ADObject -Filter {(objectclass -eq "organizationalUnit") -or (objectclass -eq "group") -or (objectclass -eq "container")}).count

Entitlement Count - Entitlements Tab

Users

Pick a user in your Active Directory tenant, and compare the Entitlements for that user across both Clarity and ADUC.
To navigate to this view in Clarity, head to Identities > Find the Identity you wish to review > Entitlements Tab > Filter to the application you wish to review.

User Entitlements.png

Entitlements

Pick a group in your Active Directory tenant, and view this item in both ADUC and the Clarity interface. Compare the users present for the group in the Clarity interface with the “Members” tab of the chosen group.

New Entitlements.png

Perform this checking and screenshot process for:

  • Domain Admins
  • Administrators
  • Schema Admins
  • Enterprise Admins
  • 6 other groups of your choosing

Group Traversal

Clarity shows nested relationships between groups on 2 dedicated tabs. One shows the access an entitlement provides by being a member of other groups; the other shows the entitlements that grant access to the currently viewed entitlement.

Grants Access To

The “Grants Access To” tab (when viewing a particular entitlement in Clarity) corresponds to the “Member Of” tab in ADUC. Effectively, if you are a member of this entitlement (Domain Admins below), you will also be a member of these entitlements (Administrators and Denied RODC Password Replication Group).

Grant Access To.png

Access Granted By

The “Access Granted By” tab (when viewing a particular entitlement in Clarity) corresponds to the “Members” tab in ADUC. In the example below, Clarity is showing that if you are a member of Admin Test Group, you will inherit the access of Domain Admins.

Note

This only corresponds to groups, because Users directly assigned here would not impact the access of another user.

Access Granted By.png
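
The ADUC side of the group checks above can also be pulled with PowerShell, as an added example that is not part of the original article or Clarity's own tooling. It assumes the RSAT ActiveDirectory module and read access to the domain; the report column names are chosen here to line up with the Clarity tabs.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and a session with read access.
Import-Module ActiveDirectory

# Groups named in the checklist above. Append the 6 other groups you chose.
# Schema Admins and Enterprise Admins exist only in the forest root domain.
$groupNames = 'Domain Admins', 'Administrators', 'Schema Admins', 'Enterprise Admins'

$report = foreach ($name in $groupNames) {
    $group = Get-ADGroup -Identity $name -Properties MemberOf

    # ADUC "Members" tab: direct members of every object class.
    $direct = @(Get-ADGroupMember -Identity $group)

    # Only group-class members pass their own members' access upward,
    # so these are the rows to compare with "Access Granted By".
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })

    # ADUC "Member Of" tab: compare with "Grants Access To".
    $parents = @($group.MemberOf | Get-ADGroup)

    # Leaf (non-group) members after expanding every nested group.
    $effective = @(Get-ADGroupMember -Identity $group -Recursive)

    [pscustomobject]@{
        Group           = $group.Name
        DirectMembers   = ($direct.SamAccountName | Sort-Object) -join '; '
        AccessGrantedBy = ($nestedGroups.Name | Sort-Object) -join '; '
        GrantsAccessTo  = ($parents.Name | Sort-Object) -join '; '
        DirectCount     = $direct.Count
        EffectiveCount  = $effective.Count
    }
}

$report | Format-List
# Keep a dated copy next to the screenshots as evidence of the check.
$report | Export-Csv -Path ".\ad-group-check-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A group whose EffectiveCount differs from the number of non-group entries in DirectMembers has members arriving through nesting, which is the case the two Group Traversal tabs are meant to surface.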

