This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Report on suspended users

jworkman
JumpCloud Employee
JumpCloud Employee

‎11-11-2022 10:38 AM

Hey all,

This question came up this week and I wanted to share with everyone in case someone else finds it useful. Outside of using the Directory Insights UI one can use the PowerShell module to get a report of users who've been suspended and export a CSV of the results. 

The user object itself does not record the date in which a user was suspended, this being the case the directory insights table must be accessed to get the recorded timestamp in which a user was suspended.

In the following script, I have a simple filter to get all users who are currently suspended in my org. Then a loop iterates through each user getting the directory insights logs for just that user and the events that match the term "user_suspended". 

This script will query the last 90 days of events, if no event was found in that time period, the user was suspended on a date older than 90 days from the day the script was run. In that case the found suspended user's timestamp will result in a "NA" on the report.

If I wanted to query all users (not just my suspended users I could change line 1 in the script to get all users without further specifying only suspended users) ex.

 

$users = Get-JCUser -returnProperties suspended, username

 

This script will produce a "SuspendedUserReport.csv" file in the current working directory where the script is run. 

Sample Script:

 

$users = Get-JCUser -returnProperties suspended, username | Where-Object { $_.suspended -eq $true }

$list = @()
foreach ($user in $users) {
    "searching for events on user: $($user._id)"
    try {
        $eventdata = Get-JcSdkEvent -service directory -StartTime (Get-Date).AddDays(-90) -SearchTermAnd @{"resource.id" = "$($user._id)"; event_type = "user_suspended" }
        foreach ($foundevent in $eventdata) {
            <# $event is the current item #>
            $list += [pscustomobject]@{
                DateSuspended = $foundevent.timestamp
                userID        = $user._id
                username      = $foundevent.resource.username
                client_ip     = $foundevent.client_ip
                geoip         = $foundevent.geoip
                auth_method   = $foundevent.auth_method
            }
        }
    } catch {
        $list += [pscustomobject]@{
            DateSuspended = "NA"
            userID        = $user._id
            username      = $user.username
            client_ip     = "NA"
            geoip         = "NA"
            auth_method   = "NA"
        }
    }
}
$list | ConvertTo-Csv | Out-File ./SuspendedUserReport.csv

 

Feel free to modify or change the script to fit your needs!

Labels:
0 REPLIES 0
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts:

Our new Radical Admin blog:

Keep up with Product News:

Read our community guidelines

Ready to join us? You can register here.