cancel
Showing results for 
Search instead for 
Did you mean: 
Disclaimer
JUMPCLOUD EXPRESSLY DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, CONDITIONS, AND LIABILITIES OF ANY KIND ARISING FROM OR RELATED TO THIRD-PARTY SOFTWARE, SCRIPTS, REPOSITORIES, AND APIS. JUMPCLOUD IS NOT REQUIRED TO SUPPORT ANY SUCH THIRD-PARTY MATERIALS AND ALL RISKS RELATED TO THIRD-PARTY MATERIALS ARE YOUR RESPONSIBILITY. PLEASE ALSO REVIEW THE JUMPCLOUD TOS.

Report on suspended users

jworkman
JumpCloud Employee
JumpCloud Employee

Hey all,

This question came up this week and I wanted to share with everyone in case someone else finds it useful. Outside of using the Directory Insights UI one can use the PowerShell module to get a report of users who've been suspended and export a CSV of the results. 

The user object itself does not record the date in which a user was suspended, this being the case the directory insights table must be accessed to get the recorded timestamp in which a user was suspended.

In the following script, I have a simple filter to get all users who are currently suspended in my org. Then a loop iterates through each user getting the directory insights logs for just that user and the events that match the term "user_suspended". 

This script will query the last 90 days of events, if no event was found in that time period, the user was suspended on a date older than 90 days from the day the script was run. In that case the found suspended user's timestamp will result in a "NA" on the report.

If I wanted to query all users (not just my suspended users I could change line 1 in the script to get all users without further specifying only suspended users) ex.

 

$users = Get-JCUser -returnProperties suspended, username

 

This script will produce a "SuspendedUserReport.csv" file in the current working directory where the script is run. 

Sample Script:

 

$users = Get-JCUser -returnProperties suspended, username | Where-Object { $_.suspended -eq $true }

$list = @()
foreach ($user in $users) {
    "searching for events on user: $($user._id)"
    try {
        $eventdata = Get-JcSdkEvent -service directory -StartTime (Get-Date).AddDays(-90) -SearchTermAnd @{"resource.id" = "$($user._id)"; event_type = "user_suspended" }
        foreach ($foundevent in $eventdata) {
            <# $event is the current item #>
            $list += [pscustomobject]@{
                DateSuspended = $foundevent.timestamp
                userID        = $user._id
                username      = $foundevent.resource.username
                client_ip     = $foundevent.client_ip
                geoip         = $foundevent.geoip
                auth_method   = $foundevent.auth_method
            }
        }
    } catch {
        $list += [pscustomobject]@{
            DateSuspended = "NA"
            userID        = $user._id
            username      = $user.username
            client_ip     = "NA"
            geoip         = "NA"
            auth_method   = "NA"
        }
    }
}
$list | ConvertTo-Csv | Out-File ./SuspendedUserReport.csv

 

Feel free to modify or change the script to fit your needs!

0 REPLIES 0
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts:

Our new Radical Admin blog:

Keep up with Product News:

Read our community guidelines

Ready to join us? You can register here.