0 votes

I'm trying to modify this report to only output results where employeeType equals the values below. It reports fine. I would also like to include where employeeType is blank or has no value. I can't seem to figure out how to set the search filter to a blank or null value.

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdInt64 = $threshold.ToFileTime()

$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))"
$filterPasswordLastSet = "(&(!(pwdLastSet=0))(pwdLastSet<=$thresholdInt64))"
$enabledUser = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=514)))"
$customAttribute = "(|(employeeType=service)(|(employeeType=admin)))"
$filter = "(&" + $filterUsers + $filterPasswordLastSet + $customAttribute + $enabledUser + ")"
by (330 points)
0

Hello,

For us to suggest a solution, please, provide us with the below details. You can post them here or send to us at support@adaxes.com.

  • A screenshot of the Multi-server environment dialog. The dialog displays how many Adaxes services you have and what their versions are. For information on how to view it, see https://www.adaxes.com/help/MultiServerEnvironment.
  • The entire script you are using.
  • If the script is from a built-in report, specify the report name.
0

The script is built in - Passwords not changed in 300 days.

Here is the full script with my small modification to filter employeeType.

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("userAccountControl")
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("accountExpires")
}

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdInt64 = $threshold.ToFileTime()

$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))"
$filterPasswordLastSet = "(&(!(pwdLastSet=0))(pwdLastSet<=$thresholdInt64))"
$enabledUser = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=514)))"
$customAttribute = "(|(employeeType=admin)(|(employeeType=service)))"
$filter = "(&" + $filterUsers + $filterPasswordLastSet + $customAttribute + $enabledUser + ")"

# Append the search filter
$Context.DirectorySearcher.AppendFilter($filter)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if ($styleHighlighted -eq $NULL)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

image.png

0

Hello,

Sorry for the confusion, but there is no such built-in report. Please, provide the entire script you are using.

0

I have attached it to the first comment.

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello,

Yes, you are right, sorry for missing it. As we can see, you are using Adaxes 2023.2 and the script from built-in report Passwords changed long ago. Starting with version 2023, criteria was added to Adaxes and that is something you should use instead of LDAP filters. For details on how to build criteria, see https://adaxes.com/sdk/HowDoI.BuildCriteria. We updated your script accordingly and added the options you requested. Here is the final script:

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.AddRange(@(
        "userAccountControl", "accountExpires"))
}

# Set search criteria
$threshold = (Get-Date).AddDays(- $days)
$criteria = New-AdmCriteria "user" {(mailboxType -ne "shared") -and (pwdLastSet -lt $threshold) -and (accountDisabled -eq $false)}
$criteria["user"].Add({(employeeType -eq "admin") -or (employeeType -eq "service") -or (employeeType -empty $True)})
$Context.DirectorySearcher.AddCriteria($criteria)

# Build the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if (-not $styleHighlighted)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

Related questions

0 votes
1 answer

Hi, we currenlty have a business rule to send an email everytime the Title, Manager, Department, accountExpires, EmployeeType or FirstName attributes are ... Unit: %BusinessUnit% End Date: %accountExpires% Effective Date of Change: %adm-CustomAttributeDate2%

asked Feb 14 by KevC (60 points)
0 votes
1 answer

We are implementing the new version of LAPS built into Windows 10 with KB5025221. I've added the attribute to the Management Views for Computers, but the password is not being ... we have not loaded it into AD and plan to use the latest implementation of LAPS.

asked Jul 12, 2023 by jshields (20 points)
0 votes
0 answers

Hi, We have noticed an issue on a number of workstations that have Adaxes installed (or had installed, we've tried uninstalling it) where that if a user changes their ... FDE is still using the old password. Have you come across anything like this before?

asked Sep 24, 2019 by SYNSOL-DAN (40 points)
0 votes
1 answer

We have a preoperty pattern for accepted Country names which has a list of codes. For our case country code VM which "Vietnam" and I believe based on some google research "Viet Nam" is also correct.

asked Jul 12 by Vish539 (460 points)
0 votes
1 answer

Is it possible to remove the default blank option that shows up in a multi-value field? When I add two possible options for a multi-value field in the Property Pattern constraint, ... along with the other two options. Is it possible to get rid of the blank?

asked Mar 8, 2017 by sdavidson (730 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users