Can I get a report created to show which users are not PIV enforced?

Mgmt has asked me to produce a report that shows which User accounts are not PIV enforced.  I do not see anything related in the library.  Can you please help me create one?

I am using version 3.2.1905

  • Hi Michael,

    You can modify a current report such as Domain Users or create a new one and have the data sent to a CSV. As you know, Personal Identity Verification (PIV) has an Active Directory attribute called SmartcardLogonRequired which the Active Directory discovery collects. You can make a quick CSV report by selecting My Reports in Report Manager, right click and select Create Report, which will open a new report definition. Enter a report name such as Smart Card or PIV report. Select Fields, and in Report Type select Active Directory then Users. This will populate the available fields for you. In Available Fields scroll down to Domain User and then in Domain User search for Smart Card Required. Click on the field and click on the Add button in the center. This will put the Smart Card Required field in the Selected Fields side. You can add and remove any fields you would like for this report. Next select Parameters and add any parameters you would like. I would suggest adding Domain Name and Smart Card Required. With the Smart Card Required you can select a yes or no. You could also leave the Smart Card Required out and get all values and sort in the CSV. If you save the report now it will create it as a CSV because you saved it without a layout. This is fine and save it as is. If you now click on your report the parameters will be displayed. Enter the Domain and select the Yes or No and then select Export to CSV. You have your report.

  • Clarence, I have a request to this report you helped me create.  Most of the info comes from Domain User, however I would like to exclude user accounts that belong to a certain Security Group which I know is in another table.  How can this be done?

  • Hi Michael, You can create a report with basically the same steps as before but instead of selecting Active Directory then Users select Active Directory then Accounts. If you scroll down in the Available Fields you will see Domain Account and it will be blue and underlined. This means that this field(s) can be extended. If you right click on the field you will see two objects you can add to the report type. One is Domain User and the other is Domain Group. You will need to select both to add the necessary fields which are Smart Card Required (under User) and Common Name (under Group). Then add them to the Selected Fields. Add any other fields you wish to use such as Account Name. Next go to Parameters and add the Smart Card Required as before and this time add the Group and in the Parameter Properties select Excludes in the condition operator field. Click OK. Make sure you have a name for the report and then select OK to save it. Now when you click on the report you will see you have at least two parameters. One is the Smart Card Required (Yes, No, Include All results) and the second is for group. (You may have others such as domain, etc., but we want to keep this simple.) In the Groups just click on the magnifying glass then either enter the groups to exclude or do a search on all the groups. Select the groups you want excluded and run the report, being sure to save it as a CSV.

  • I was able to do all of this and get results, but when I add to include or exclude the security group my results went to 0.  In order to get results I either have to delete the Common Name (Domain Group) or delete the value I selected from using the hour glass search.

  • Hi Michael. You are correct. I thought I could get you what was needed with a quick change, which is not correct. I will need to consult with development on this problem and suspect that a SQL query will need to be created. Sorry for not providing a solution for your issue.

  • Hi Michael. I got the issue sorted out and we don't need a complicated SQL query. Create a new report and add a name and any other info you want.  Select Fields, and in Report Type select Active Directory and select Group Members. Scroll down and find Nested Users and find Smart Card Required and then click Add to move it to the Selected Fields. Select Parameters and then click on Add. In Create Parameter and in the Field add the prompt Groups to Exclude and in the Select the field drop down select Account Name (Group) and in the Parameters Properties select Excludes and click on OK. Click on Add again and this time in the prompt enter PIV Required or Smart Card Required and then select Smart Card Required (Nested User) in the select field to associate with this parameter. Leave the Parameter Properties as default then click OK. Since this will be exported to a CSV you can just select the OK button to save the report. You can now run the report and select the groups to exclude.
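
A way to cross-check the exported CSV against Active Directory itself, added here as an example that is not part of the thread or the product: it lists user accounts whose SmartcardLogonRequired flag is not set and drops members (including nested members) of excluded groups. The group name and output path are placeholders, and it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the thread or the reporting product).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Placeholder values: replace with the real groups to exclude and output path.
$ExcludedGroups = @('PIV-Exempt-Placeholder')
$OutFile        = '.\users-not-piv-enforced.csv'

# Build a case-insensitive set of DNs for every user in the excluded groups.
# -Recursive follows nested groups, so indirect members are excluded as well.
$excludedDns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

foreach ($group in $ExcludedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$excludedDns.Add($_.DistinguishedName) }
}

# SmartcardLogonRequired is the attribute named in the first reply; it is
# $true when the account is forced to log on with a smart card (PIV).
# Evaluating per user (not per group-membership row) means each account
# appears at most once, no matter how many groups it belongs to.
$notEnforced = Get-ADUser -Filter * -Properties SmartcardLogonRequired |
    Where-Object {
        -not $_.SmartcardLogonRequired -and
        -not $excludedDns.Contains($_.DistinguishedName)
    }

$notEnforced |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, Name, Enabled,
                  SmartcardLogonRequired, DistinguishedName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Summary count to compare with the row count of the report's CSV export.
'{0} account(s) not PIV enforced; written to {1}' -f @($notEnforced).Count, $OutFile
```

The Enabled column is included so disabled accounts can be filtered out in the CSV if they should not count against PIV enforcement.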