- 12 Aug 2024
Active Directory C&A
- Updated on 12 Aug 2024
User Count
In PowerShell, run the following command to generate the count of active users in your Active Directory tenant, then compare this number to the value shown in Clarity.
To navigate to this view in Clarity, head to Applications > Select the application > Users Tab > Filter to Active users only.
(Get-ADUser -Filter {enabled -eq "True"}).count
Entitlement Count
In PowerShell, run the following command to generate the count of Entitlements in your Active Directory tenant, then compare this number to the value shown in Clarity.
To navigate to this view in Clarity, head to Applications > Select the application > Entitlements Tab > Filter to Active users only.
This count will be off by 1, because Clarity creates an Entitlement called the Base entitlement for every application (this entitlement exists only in Clarity). In the example below, you see 8551 returned by PowerShell, and 8552 visible in the Clarity UI.
(Get-ADObject -Filter {(objectclass -eq "organizationalUnit") -or (objectclass -eq "group") -or (objectclass -eq "container")}).count
Users
Pick a user in your Active Directory tenant, and compare the Entitlements for that user across both Clarity and ADUC.
To navigate to this view in Clarity, head to Identities > Find the Identity you wish to review > Entitlements Tab > Filter to the application you wish to review.
Entitlements
Pick a group in your Active Directory tenant, and view this item in both ADUC and the Clarity interface. Compare the users shown for the group in the Clarity interface with the “Members” tab of the chosen group in ADUC.
Perform this checking and screenshot process for:
- Domain Admins
- Administrators
- Schema Admins
- Enterprise Admins
- 6 other groups of your choosing
Group Traversal
Clarity shows nested relationships between groups on 2 dedicated tabs. One shows the access an entitlement provides by being a member of other groups; the other shows the other entitlements that grant access to the currently viewed entitlement.
Grants Access To
The “Grants Access To” tab (when viewing a particular entitlement in Clarity) corresponds to the “Member Of” tab in ADUC. Effectively, if you are a member of this entitlement (Domain Admins below), you will also be a member of these entitlements (Administrators and Denied RODC Password Replication Group).
Access Granted By
The “Access Granted By” tab (when viewing a particular entitlement in Clarity) corresponds to the “Members” tab in ADUC. In the example below, Clarity is showing that if you are a member of Admin Test Group, then you will inherit the access of Domain Admins.
This tab only corresponds to groups, because Users directly assigned here would not impact the access of another user.
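The Active Directory side of the Entitlements and Group Traversal comparisons can be collected in one pass for the four named privileged groups. The script below is an added example, not part of the original page or Clarity's own tooling; it assumes the ActiveDirectory PowerShell module is installed, and the report column names are illustrative.

```powershell
# Added example: report column names are illustrative, not Clarity field names.
Import-Module ActiveDirectory

# The four privileged groups named in the Entitlements checklist.
$groups = 'Domain Admins', 'Administrators', 'Schema Admins', 'Enterprise Admins'

$report = foreach ($name in $groups) {
    try {
        $group   = Get-ADGroup -Identity $name -Properties MemberOf -ErrorAction Stop
        # Direct members only (no -Recursive), matching the ADUC "Members" tab.
        $members = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
    }
    catch {
        # Schema Admins and Enterprise Admins exist only in the forest root domain,
        # so a lookup from a child domain fails here instead of stopping the run.
        Write-Warning "Skipping '$name': $($_.Exception.Message)"
        continue
    }

    $users  = $members | Where-Object objectClass -eq 'user'  | Sort-Object SamAccountName
    $nested = $members | Where-Object objectClass -eq 'group' | Sort-Object SamAccountName

    [pscustomobject]@{
        Group           = $group.Name
        # Users assigned directly: compare with the users Clarity lists for the entitlement.
        DirectUserCount = @($users).Count
        DirectUsers     = @($users.SamAccountName) -join '; '
        # Nested member groups (ADUC "Members"): compare with "Access Granted By".
        AccessGrantedBy = @($nested.SamAccountName) -join '; '
        # Parent groups (ADUC "Member Of"), as distinguished names: compare with "Grants Access To".
        GrantsAccessTo  = @($group.MemberOf | Sort-Object) -join '; '
    }
}

$report | Format-List
```

Any member that is neither a user nor a group (for example a computer account) is left out of both member columns, so check those in ADUC directly if the counts differ.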