0 votes

We are looking for a way to (after creating account) check the number of groups associated with a user account and send an email if that number is 1 or less. We would like to use this as a check and balance to creating user accounts that may not be setup properly.

by (3.2k points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello,

Have a look at the following script from our repository: http://www.adaxes.com/script-repository ... r-s407.htm. If you have issues updating the script to meet your needs, we will help you.

0

I did see that previously, we only want to be notified when group membership equals 1 or less.

0

Hello,

You need to create a Custom Command that will send the notification and add an action to execute the command as the last action of your Business Rule triggering After Creating a User.
To create the Custom Command:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Custom Command.

  3. On step 2 of the Create Custom Command wizard, select User Object type and click Next.

  4. Click Add Action.

  5. Select Send e-mail notification.

  6. Specify Action Parameters and click OK.

  7. Double-click Always.

  8. Select If PowerShell script returns true and paste the script below into the Script field.

     $Context.ConditionIsMet = ($Context.TargetObject.GetEx("adm-DirectMemberOfGuid")).Length -le 2

  9. Enter a short description and click OK.

  10. Click Next and finish creating the Custom Command.

0

We want to use it as a scheduled task, can you provide the script to accomplish this?

0

Hello,

You just need to create a Scheduled Task instead of a Custom Command. The script will be exactly the same.

0

We did run it just as is and we simply get an email without the user(s).

0

Hello,

Could you specify the following:

  • Do you get an empty notification?
  • What exactly do you need to be present in the notification text?
0

The email notification simply returned the wording "The user is a member of only one group or less." We are looking for the script to return all the users in the Activity Scope with their Full Name or employeeID at best (both if possible).

0

Hello,

Thank you for clarifying.
You need to create a Scheduled Task that will execute the script below. No conditions are required for the task. The Scheduled Task should be configured for Domain-DNS object type.

$to = "recipient@domain.com" # TODO: modify me
$subject = "Group membership" # TODO: modify me
$reportHeader = "<b>Group membership</b><br/><br/>" # TODO: modify me
$reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

function SearchObjects($filter, $properties)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($properties)
    $searcher.VirtualRoot = $True

    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Search users
$searchResults = SearchObjects "(sAMAccountType=805306368)" @("memberOf", "cn", "employeeID")

# Build report
$records = New-Object "System.Text.StringBuilder"
foreach ($searchResult in $searchResults)
{
    # Check user groups
    $values = $searchResult.Properties["memberOf"].Values

    if ($values.Count -gt 1)
    {
        continue
    }

    # Add user to report
    [void]$records.Append("<tr>")
    [void]$records.Append("<td>")
    [void]$records.Append($searchResult.Properties["cn"].Value)
    [void]$records.Append("</td>")
    [void]$records.Append("<td>")
    [void]$records.Append($searchResult.Properties["employeeID"].Value)
    [void]$records.Append("</td>")
    [void]$records.Append("</tr>")
}

# Build html
$html = New-Object "System.Text.StringBuilder"
[void]$html.Append($reportHeader)
if ($records.Length -eq 0)
{
    [void]$html.Append("<b>Users not found</b>")
}
else
{
    [void]$html.Append("<table border=""1"">")
    [void]$html.Append("<tr><th>Full Name</th><th>Employee ID</th></tr>")
    [void]$html.Append($records.ToString())
    [void]$html.Append("</table>")
}
[void]$html.Append($reportFooter)

# Send mail
$Context.SendMail($to, $subject, $NULL, $html.ToString())
0

When we run this scheduled task, we get nothing back. After checking the affected objects button in the Scheduled Task we get no objects. Please advise.

0

Hello,

Could you provide us with a screenshot of the Scheduled Task configuration? We need something like the following:

0

Support, see below.

0

Hello,

What about the Activity Scope of the task, did you assign it over a domain? If you did not, change the Activity Scope to include only domains and try to run the Scheduled Task again.

0

Currently it is only assigned over the Staging OU we use for testing, which in this case will also be the staging OU for the accounts until the go-live date.

I also just changed to the following setup to try running against the whole domain if the DomainDNS is located in the container we want.

0

Hello,

The task must have a domain in the Activity Scope, not an OU. Otherwise, the script will not work.

0

Ok the domain for our company is now in the activity scope as seen in the previous screenshot. When we run it, nothing happens.

0

Hello,

Did you update the recipient email address in the script? If you did, could you check the Activity History of the Scheduled Task? If there are any error messages in it, could you provide us with screenshots?

0

The Activity Scope shows nothing. I included the text as it appears in our script.

$to = "eca@aspendental.com" # TODO: modify me
$subject = "Adaxes Alert - group membership" # TODO: modify me
$reportHeader = "<b>Group membership</b><br/><br/>" # TODO: modify me
$reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

function SearchObjects($filter, $properties)
{
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($properties)
    $searcher.VirtualRoot = $True

    try
    {
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Search users
$searchResults = SearchObjects "(sAMAccountType=805306368)" @("memberOf", "cn", "employeeID")

# Build report
$records = New-Object "System.Text.StringBuilder"
foreach ($searchResult in $searchResults)
{
    # Check user groups
    $values = $searchResult.Properties["memberOf"].Values

    if ($values.Count -gt 2)
    {
        continue
    }

    # Add user to report
    [void]$records.Append("<tr>")
    [void]$records.Append("<td>")
    [void]$records.Append($searchResult.Properties["cn"].Value)
    [void]$records.Append("</td>")
    [void]$records.Append("<td>")
    [void]$records.Append($searchResult.Properties["employeeID"].Value)
    [void]$records.Append("</td>")
    [void]$records.Append("</tr>")
}

# Build html
$html = New-Object "System.Text.StringBuilder"
[void]$html.Append($reportHeader)
if ($records.Length -eq 0)
{
    [void]$html.Append("<b>Users not found</b>")
}
else
{
    [void]$html.Append("<table border=""1"">")
    [void]$html.Append("<tr><th>Full Name</th><th>Employee ID</th></tr>")
    [void]$html.Append($records.ToString())
    [void]$html.Append("</table>")
}
[void]$html.Append($reportFooter)

# Send mail
$Context.SendMail($to, $subject, $NULL, $html.ToString())
0

Hello,

As we can see, you have added the If located under condition to the Scheduled Task. Domains are not located under any OUs, thus the task does not get executed. Remove the condition and try running the script again.

If you need to include only users from a specific OU into the report, we will update the script for you.

0

Yes we would want only the OU listed in the screenshot to be searched.

0

Hello,

Thank you for clarifying. You need to create a Scheduled Task configured for Organizational Unit Object type. No conditions need to be added to the task. To create the Scheduled Task:

  1. Launch Adaxes Administration Console.

  2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.

  3. On step 3 of the Create Scheduled Task wizard, select Organizational-Unit Object type and click Next.

  4. Click Add Action and select Run a program or PowerShell script.

  5. Enter a short description and paste the script below into the Script field. Do not change any lines in the script that do not have the TODO: Modify me comment.

     $to = "recipient@domain.com" # TODO: modify me
     $subject = "Group membership" # TODO: modify me
     $reportHeader = "<b>Group membership</b><br/><br/>" # TODO: modify me
     $reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me
    
     function SearchObjects($filter, $properties)
     {
         $searcher = $Context.TargetObject
         $searcher.SearchFilter = $filter
         $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
         $searcher.PageSize = 500
         $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
         $searcher.SetPropertiesToLoad($properties)
    
         try
         {
             $searchResultIterator = $searcher.ExecuteSearch()
             $searchResults = $searchResultIterator.FetchAll()
    
             return ,$searchResults
         }
         finally
         {
             # Release resources
             if ($searchResultIterator){ $searchResultIterator.Dispose() }
         }
     }
    
     # Search users
     $searchResults = SearchObjects "(sAMAccountType=805306368)" @("memberOf", "cn", "employeeID")
    
     # Build report
     $records = New-Object "System.Text.StringBuilder"
     foreach ($searchResult in $searchResults)
     {
         # Check user groups
         $values = $searchResult.Properties["memberOf"].Values
    
         if ($values.Count -gt 1)
         {
             continue
         }
    
         # Add user to report
         [void]$records.Append("<tr>")
         [void]$records.Append("<td>")
         [void]$records.Append($searchResult.Properties["cn"].Value)
         [void]$records.Append("</td>")
         [void]$records.Append("<td>")
         [void]$records.Append($searchResult.Properties["employeeID"].Value)
         [void]$records.Append("</td>")
         [void]$records.Append("</tr>")
     }
    
     # Build html
     $html = New-Object "System.Text.StringBuilder"
     [void]$html.Append($reportHeader)
     if ($records.Length -eq 0)
     {
         [void]$html.Append("<b>Users not found</b>")
     }
     else
     {
         [void]$html.Append("<table border=""1"">")
         [void]$html.Append("<tr><th>Full Name</th><th>Employee ID</th></tr>")
         [void]$html.Append($records.ToString())
         [void]$html.Append("</table>")
     }
     [void]$html.Append($reportFooter)
    
     # Send mail
     $Context.SendMail($to, $subject, $NULL, $html.ToString())

  6. Click OK and then click Next.

  7. Click Add on the Activity Scope page and double-click the User Staging OU.

  8. Important: Select only the This Organizational-Unit checkbox.

  9. Click OK twice and finish creating the Scheduled Task.
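The report-building part of the scheduled-task script above, reworked as an added example (this is not code from the thread or from Adaxes): the threshold becomes a variable, a user whose memberOf attribute is absent counts as having zero groups, and every attribute value is HTML-encoded before it is placed in the mail body, since cn and employeeID are typed in by whoever created the account. It assumes the Adaxes search-result shape used in the thread (Properties[name].Value / .Values) and that [System.Net.WebUtility] is available, which it is on .NET Framework 4.0 and later; the sample input at the end is constructed so the logic can be checked in a plain PowerShell session.

```powershell
# Added example, not code from the original thread or from Adaxes: report logic with the
# threshold as a variable, missing memberOf treated as zero, attribute values HTML-encoded.
$maxGroups = 1   # report users with this many direct group memberships or fewer
function Get-DirectGroupCount($searchResult)
{
    # memberOf lists direct memberships only and never includes the primary group
    # (normally Domain Users), so a new account with no explicit groups counts as 0.
    $prop = $searchResult.Properties["memberOf"]
    if ($prop -and $prop.Values) { return @($prop.Values).Count }
    return 0
}
function Get-Value($searchResult, $name)
{
    # an attribute that is not set has no entry in Properties; return "" instead of failing
    $prop = $searchResult.Properties[$name]
    if ($prop) { return [string]$prop.Value } else { return "" }
}
function New-ReportRow($fullName, $employeeId, $groupCount)
{
    # encoding keeps a value that happens to contain markup from being rendered as HTML
    $cells = foreach ($v in @($fullName, $employeeId, $groupCount)) {
        "<td>" + [System.Net.WebUtility]::HtmlEncode([string]$v) + "</td>"
    }
    return "<tr>" + ($cells -join "") + "</tr>"
}
function New-ReportHtml($searchResults, $maxGroups)
{
    $rows = foreach ($r in $searchResults) {
        $count = Get-DirectGroupCount $r
        if ($count -le $maxGroups) { New-ReportRow (Get-Value $r "cn") (Get-Value $r "employeeID") $count }
    }
    if (-not $rows) { return "<b>Users not found</b>" }
    return "<table border=""1""><tr><th>Full Name</th><th>Employee ID</th><th>Groups</th></tr>" +
           ($rows -join "") + "</table>"
}
# Constructed sample input shaped like the Adaxes search results (Properties[name].Value / .Values)
function New-Result($cn, $employeeId, $groups)
{
    $props = @{ cn = [pscustomobject]@{ Value = $cn } }
    if ($employeeId) { $props["employeeID"] = [pscustomobject]@{ Value = $employeeId } }
    if ($groups)     { $props["memberOf"]   = [pscustomobject]@{ Values = $groups } }
    return [pscustomobject]@{ Properties = $props }
}
$sample = @(
    (New-Result "Jane Doe" "1001" @("CN=HR,OU=Groups,DC=example,DC=com")),
    (New-Result "<b>Bob</b>" $null $null),
    (New-Result "Alice" "1003" @("CN=A,OU=Groups,DC=example,DC=com", "CN=B,OU=Groups,DC=example,DC=com"))
)
New-ReportHtml $sample $maxGroups   # lists Jane (1 group) and Bob (0 groups, cn shown encoded); Alice is skipped
```

Inside the task, replace the sample with the results of the SearchObjects call from the script above and pass the returned HTML to $Context.SendMail as the script already does.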

0

Thank you Support2, this worked perfectly.
