Adaxes

Accounts not part of distribution groups

0 votes

Hello,

I am needing to email a list of user accounts that are not part of any distribution groups that start with "POD-" how can do that?

by (1.3k points)
0

Hello,

It can be done by scheduling a report generated by a script. For us to help you with the script, please, specify whether you have only distribution groups whose name starts with POD- or there are also security groups matching the pattern? If latter is the case, do we understand correctly that membership in the security groups should not influence the report?

by (289k points)
0

We have both and memberships in the security groups should not influence the report

by (1.3k points)

1 Answer

0 votes
by (289k points)
reshown by

Hello,

Thank you for specifying. Below is the script for generating the report you need. For information on how to create and schedule reports, have a look at the following tutorials:

In the script:

  • $groupIdentityProperty – Specifies the LDAP name of the property that will be used to find groups whose members will be excluded from the report.
  • $groupIdentityTemplate – Specifies a template for the property value that will be used to find the groups.
$groupIdentityProperty = "name" # TODO: modify me
$groupIdentityTemplate = "POD-*"  # TODO: modify me

# Group search parameters
$groupSearcher = New-Object Softerra.Adaxes.Adsi.Search.DirectorySearcher $NULL, $False
$groupSearcher.SearchParameters.VirtualRoot = $True
$groupSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
$groupSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$groupSearcher.SearchParameters.Filter = "(&(objectCategory=group)($groupIdentityProperty=$groupIdentityTemplate)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$groupSearcher.SearchParameters.PageSize = 500
$groupSearcher.SearchParameters.PropertiesToLoad.Add("distinguishedName")

# Build search filter for users
$userFilter = New-Object System.Text.StringBuilder
$userFilter.Append("(&(sAMAccountType=805306368)")
try
{
    $searchIterator = $groupSearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]
        $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("memberOf", $groupDN)
        $userFilter.Append("(!$filterPart)")
    }
    $userFilter.Append(")")
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

# Generate report
$Context.DirectorySearcher.SearchFilter = $userFilter.ToString()
$Context.Items.Add($Context.DirectorySearcher)
0

This pulls a list of accounts that ARE part of a distribution groups that start with POD-. How to I update iot to show accounts that are not part of distribution groups that start with POD-? Also can it only pull Active accounts?

by (1.3k points)
0

Hello,

How to I update iot to show accounts that are not part of distribution groups that start with POD-?

The script we provided does exactly what you need. It returns accounts that are not members of the groups matching the specified template. Make sure that you specify a correct property and template in the corresponding variables.

Also can it only pull Active accounts?

What exactly do you mean by active account? Do you mean enabled ones?

by (289k points)
0

Sorry, Yes enabled accounts.

by (1.3k points)
0

Hello,

Thank you for the confirmation. Here is the updated script.

$groupIdentityProperty = "name" # TODO: modify me
$groupIdentityTemplate = "POD-*"  # TODO: modify me

# Group search parameters
$groupSearcher = New-Object Softerra.Adaxes.Adsi.Search.DirectorySearcher $NULL, $False
$groupSearcher.SearchParameters.VirtualRoot = $True
$groupSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
$groupSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$groupSearcher.SearchParameters.Filter = "(&(objectCategory=group)($groupIdentityProperty=$groupIdentityTemplate)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$groupSearcher.SearchParameters.PageSize = 500
$groupSearcher.SearchParameters.PropertiesToLoad.Add("distinguishedName")

# Build search filter for users
$userFilter = New-Object System.Text.StringBuilder
$userFilter.Append("(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
try
{
    $searchIterator = $groupSearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]
        $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("memberOf", $groupDN)
        $userFilter.Append("(!$filterPart)")
    }
    $userFilter.Append(")")
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

# Generate report
$Context.DirectorySearcher.SearchFilter = $userFilter.ToString()
$Context.Items.Add($Context.DirectorySearcher)
by (289k points)
0

Thank you, The disable account are now gone but i'm still getting distrobution groups that start with POD- image.png

by (1.3k points)
0

Hello,

Sorry for the confusion, but we are not sure what exactly you mean. The report only includes users, not groups. And they are only users that are not members of groups that meet the template. Your screenshot contains the Member Of section when viewing properties of a user in the Administration console, not a report. Please, make sure that you specify the $groupIdentityProperty and $groupIdentityTemplate variable values properly in your script. It might be so that a different property should be used.

by (289k points)

Related questions

0 votes
1 answer
As part of offboarding users I need to keep a note of all AD/Entra groups, Azure / M365 roles and licenses

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
0 votes
0 answers
Distribution groups not showing exchange properties anymore

Hi all, We have Adaxes running in our environment. We don't have an on-prem Exchange environment, everything is in Exchange online. Our existing distrubution groups all ... how to get the exchange properties back for newly created groups? Kind regards, Eddy

asked Dec 8, 2022 by eddy1985 (20 points)
0 votes
1 answer
Distribution Groups not listed outlook adress book

Hi, I created a distribution group via adaxes web interface. And Established e-mail address for the group. And "Automaticaly update e-mail addresses based on e-mail address policy" ... work fine. I make a mistake but I can not find it. Any suggestion. Thanks

asked Nov 12, 2013 by Erkan.Ozturk (40 points)
0 votes
1 answer
Deleting an AD group is not being detected as a change of membership in its parent groups.

I created a group Business Rule that triggers "After adding or removing a member from a group". On its Activity Scope I added a test group, and set it for "The group ... does not trigger. What should I do to make the BR detect this (admittedly rare) case?

asked Mar 16, 2023 by alex.vanderwoude (60 points)
0 votes
0 answers
Report not showing members of selected groups

When I run the above script after selecting groups the custom field "Group" is not showing one of the selected groups and not all of the groups are being reported ... 2 specific security groups are appearing and neither in one that was included in the search

asked Nov 18, 2021 by A_Pastor (70 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users