Direct reports to new user on deletion of old user

Question

If a user is disabled, I would like the following process to be automated:

1. Direct reports of this disabled user (user A) are reassigned to new active user (user B) who would have the same job title as User A
2. with conditions, that 'same job title' is unique to User B & that User B is active
3. If 'same job title' is not unique then the direct reports of User A will be assigned to User A's manager
4. Mail is sent to User A manager indicating direct reports have been transferred to User B or to User A's manager
5. Mail is sent to User B indicating User As direct reports have been transferred to User B

Comments

Hello,

For us to help you with a solution, pelase, specify the following:

• How exactly should User B be determined?
• What exactly do you mean by same job title is unique? Should the two users just have the same job title?

Any additional details will be much appreciated.

---

Hi,

• User B will be identified by having the same job title as the now deactivated user A
• yes, an example would be the 'manager of operations' leaves & a new person starts with the same job title. I'd like all direct reports to be moved to the new 'manager of operations'

---

Hello,

Thank you for clarifying. What should be done in case if there is no account found with the same Job Title or more than one found?

---

Hi,

• If 'same job title' is not unique or more than one job title is found then the direct reports of User A will be assigned to User A's manager

Regards

---

Hello,

What should happen in case if the user being disabled does not have a manager specified?

---

Hi, if there's no manager, then an email is sent to IT-helpdesk. Cheers Ben

---

Hello Ben,

Thank you for specifying. Let us summarize the workflow. When a user is disabled and they have direct reports, the following will be automatically done by Adaxes:

• There will be a search performed for another enabled account with the same Job Title.
• If none or more than one account is found, all direct reports of the user will be transferred to their manager. Both the user and the manager will receive corresponding emails. If there is no manager specified for the user an email will be sent to the predefined address and nothing will be done for direct reports.
• If a single enabled account with the same job title is found, all the direct reports of the user will be transferred to the account. After that an email will be sent to the user being disabled and the one gaining direct reports.
• In case when any of the recipients (e. g. new manager) does not have an email address, the corresponding notification will be sent to IT-helpdesk.

Is that correct?

---

thanks I updated the last paragraph of your summary:

When a user is disabled and they have direct reports, the following will be automatically done by Adaxes:

• There will be a search performed for another enabled account with the same Job Title.
• If none or more than one account is found, all direct reports of the user will be transferred to their manager.
• If there is no manager specified for the user an email will be sent to the predefined address and nothing will be done for direct reports.
• If a single enabled account with the same job title is found, all the direct reports of the user will be transferred to the account.
• After that an email will be sent to the users manager being disabled and the one gaining direct reports.

---

Hello Ben,

Thank you for the update. This can be done using a script in a business rule triggering After disabling a user. For us to write the script, please, provide samples for all the three email notifications (sent to the manager being disabled, manager gaining subordinates and IT-helpdesk). If values of specific properties need to be present in the emails, please, point that out explicitly. You can post the samples here or send them to support@adaxes.com.

Answer 1

Hello Ben,

Thank you for the provided details. Below is the script to perform the direct reports transfer. It should be executed in a business rule triggering After disabling a user on the condition that the user has direct reports. In the script:

• $helpDeskEmail – Specifies the helpdesk email address.
• $noEmailSubjectTemplate – Specifies a template for the subject of the email notification that will be sent to helpdesk in case any of the required recipients has no email address specified. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
• $noEmailNotificationTemplate – Specifies a template for the email notification that will be sent to helpdesk in case any of the required recipients has no email address specified. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
• $userManagerSubject – Specifies the subject of the email notification that will be sent to the leavers manager if they gain direct reports.
• $userManagerEmailNotification – Specifies the email notification that will be sent to the leavers manager if they gain direct reports.
• $noManagerSubject – Specifies the subject of the email notification that will be sent to helpdesk in case the leavers manager should gain direct reports, but there is no manager specified.
• $norManagerEmailNotification – Specifies the email notification that will be sent to helpdesk in case the leavers manager should gain direct reports, but there is no manager specified.
• $successSubjectTemplate – Specifies a template for the subject of the email notification that will be sent to the leaver and the manager with unique Job Title when the latter gains direct reports. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
• $successEmailTemplate – Specifies a template for the email notification that will be sent to the leaver and the manager with unique Job Title when the latter gains direct reports. In the template, the {0} and {1} placeholders will be replaced with the username of the account gaining direct reports from the leaver.

$helpDeskEmail = "recipient@domain.com" # TODO: modify me

# Recipient has not email address settings
$noEmailSubjectTemplate = "No email address specified for %username% or {0}" # TODO: modify me
$noEmailNotificationTemplate = @"
Dear helpdesk

%username% or {0} does not have a valid email associated to one or both of these accounts. Could you please investigate.
"@ # TODO: modify me

# Target user manager mail settings
$userManagerSubject = "%username% Direct reports have been transferred to you"  # TODO: modify me
$userManagerEmailNotification = @"
Dear %adm-ManagerUserName%,

The direct reports of %username% have been transferred to you and should be manually re-assigned in IAM to %username%’s replacement. 

Regards
IT
"@ # TODO: modify me

# Target user has no manager
$noManagerSubject = "No manager specified for %username%" # TODO: modify me
$norManagerEmailNotification = @"
Dear Helpdesk,

The user: %username% has recently been deactivated, however there is no recorded manager in AD for this user therefore the direct reports of %username% cannot be automatically transferred to the replacement of %username%. Please can you identify the manager of %username% and update the information.

Regards
"@ # TODO: modify me

# New manager with same title settings
$successSubjectTemplate = "Direct reports have successfully been transferred to {0} account" # TODO: modify me
$successEmailTemplate = @"
Dear %adm-ManagerUserName% and {0}

The direct reports of %username% have successfully been automatically transferred to {1} Please confirm that the list of direct reports is correct and that no further action needs to be performed.
"@  # TODO: modify me

function UpdateManager($newManagerDN)
{
    $redirectReportDNs = $Context.TargetObject.GetEx("directReports")

    foreach ($redirectReportDN in $redirectReportDNs)
    {
        $directReport = $Context.BindToObjectByDN($redirectReportDN)
        $directReport.Put("manager", $newManagerDN)
        $directReport.SetInfo()
    }
}

# Search parameters
$searcher = $Context.BindToObject("Adaxes://rootDSE")
$filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", "%distinguishedName%")
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(title=%title%)(!$filterPart))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SizeLimit = 2
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()    
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

if ($searchResults.Length -eq 1)
{
    $newManager = $Context.BindToObjectBySearchResult($searchResults[0])
    $newManagerDN = $newManager.Get("distinguishedName")
    UpdateManager $newManagerDN

    # Get new manager email
    try
    {
        $managerEmail = $newManager.Get("mail")
    }
    catch
    {
        $managerEmail = $NULL
    }

    # Send mail
    $managerUsername = $newManager.Get("sAMAccountName")
    if ((-not([System.String]::IsNullOrEmpty($managerEmail))) -and (-not([System.String]::IsNullOrEmpty("%mail%"))))
    {        
        $subject = [System.String]::Format($successSubjectTemplate, @($managerUsername))
        $message = [System.String]::Format($successEmailTemplate, @($managerUsername, $managerUsername))
        $Context.SendMail("$managerEmail, %mail%", $subject, $message, $NULL)
    }
    else
    {
        $subject = [System.String]::Format($noEmailSubjectTemplate, @($managerUsername))
        $message = [System.String]::Format($noEmailNotificationTemplate, @($managerUsername))
        $Context.SendMail($helpDeskEmail, $subject, $message, $NULL)
    }
}
elseif (-not([System.String]::IsNullOrEmpty("%manager%")))
{
    UpdateManager "%manager%"

    # Send mail
    if ((-not([System.String]::IsNullOrEmpty("%adm-ManagerEmail%"))) -and (-not([System.String]::IsNullOrEmpty("%mail%"))))
    {        
        $Context.SendMail("%adm-ManagerEmail%, %mail%", $userManagerSubject, $userManagerEmailNotification, $NULL)
    }
    else
    {
        $subject = [System.String]::Format($noEmailSubjectTemplate, @("%adm-ManagerUserName%"))
        $message = [System.String]::Format($noEmailNotificationTemplate, @("%adm-ManagerUserName%"))
        $Context.SendMail($helpDeskEmail, $subject, $message, $NULL)
    }

}
elseif ([System.String]::IsNullOrEmpty("%manager%"))
{
    # Send mail
    $Context.SendMail($helpDeskEmail, $noManagerSubject, $norManagerEmailNotification, $NULL)

}

Comments

Dear Adaxes, once again many thanks for this! I'm just going through the script and to make this as automatic as possible, I'm trying to understand the sections where you have mentioend "# TODO: modify me" I believe this relates to the sections of the mail that should be variables e.g. %username%.

Would there be any way to automate the creation of the mail template with the correct usernames for the leavers manager and the leaver?

Regards Ben

---

Hello Ben,

Unfortunately, there is no such possibility. The templates need to be manually entered into the corresponding variables. As for the usernames in the templated, some are added using value references (e.g. %username%, %adm-ManagerUserName%) and some are identified using placeholders (e.g. {0}) and then replaced with corresponding values (e. g. username of the account with the required Job Title).