0 votes

Hello,

Often objects are moved from one OU to another. In some cases the OU does not have the same property patterns applied to them, and the user become inconsistent with the new pattern.

Right now, this get remediated the next time someone want to edit the user.

In our opinion, the proper solution to this problem would be a report listing objects breaching the property patterns. But we do not know how to get started to build this one

Thanks !

by (750 points)
0

Hello Pierre,

Could you, please, specify what version of Adaxes you are currently using? To check that:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service.
  3. In the context menu, click Properties.
  4. Adaxes version will be displayed on the General tab.
0

Dear support,

We are currently running 3.9.15631.0.

But we'll move to the latest version very very soon.

Best regards,

Pierre

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello Pierre,

Thank you for specifying.

You can use a report that will be generated by the below script. For information on how to create reports, have a look at the following tutorial: https://www.adaxes.com/tutorials_Active ... Report.htm. On step 3, create a scope that will include objects in an Active Directory location (e.g. Organizational Unit).

function IsUserPropertiesValid($propertyPatternDN, $userPropertyList)
{
    # Bind to the Property Pattern
    $propertyPattern = $Context.BindToObjectByDN($propertyPatternDN)
    foreach($item in $propertyPattern.Items)
    {
        # Get property entry
        try
        {
            $propertyEntry = $userPropertyList.Item($item.PropertyName)
        }
        catch
        {
            continue
        }
        $propertyEntry.ControlCode = "ADS_PROPERTY_UPDATE"

        # Get constraints
        $constraints = $item.GetConstraints()
        foreach($constraint in $constraints)
        {
            $errorMsg = $NULL
            if ($constraint.Check($propertyEntry, $user, [ref]$errorMsg))
            {
                continue
            }
            return $False
        }
    }

    return $True
}

try
{
    $Context.DirectorySearcher.AppendFilter("(sAMAccountType=805306368)")
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $user = $Context.BindToObjectBySearchResult($searchIterator.Current)

        # Get Property Patterns effective for the user
        try
        {
            $propertyPatternDNs = $user.GetEx("adm-EffectivePropertyPatterns")
        }
        catch
        {
            continue
        }

        $user.GetInfo()
        $userPropertyList = $user.PropertyList
        foreach($propertyPatternDN in $propertyPatternDNs)
        {
            if (IsUserPropertiesValid $propertyPatternDN $userPropertyList)
            {
                continue
            }

            $Context.Items.Add($user)
            break
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
0

Dear support,

Thank you very very much. It works great.

Cheers !

0

Dear support,

I am trying to add a column in the report, containing the name of the attributes that are not matching.

I already figured out that I might need to mess around with the $Context object. Is there any documentation that precisely describe how to manipulate it? I only found this one: https://www.adaxes.com/tutorials_Active ... Report.htm but it does not goes into enough details.

Thank you in advance for your support

0

Hello Pierre,

As we understand, you want to create report specific columns that will be generated by PowerShell scripts. For details on creating the columns, see section How to create a report-specific column of step 5 in the tutorial you referenced: https://www.adaxes.com/tutorials_Active ... #collapse3.

0

I could do it this way, yes but I would need to do the same computation as in the one in the report just for the column.

The report is already pretty slow, and I would fear that this will slow it down by a huge margin.

I was wondering if it would be somehow possible to create the additional column from the main script.

0

Hello Pierre,

As another approach, the report can check all users for which a specific Property Pattern is effective instead of checking Property Patterns for users in a specific OU. In this case, it will work faster. The report will contain items grouped by user. Each item in a group will include the property name, current value and an error message specifying the constraint that should be met. The report will have no scope, only a parameter that will be used for Property Pattern selection.

If this solution meets your needs, we will provide you with detailed instructions.

Related questions

0 votes
1 answer

We've built a custom command that sends our EULA to people via email if their department is a certain value, otherwise it sends it to the initiator. This is part of ... the condition: How can I set the condition to test whether otheMailbox is present or not?

asked Aug 19, 2020 by johnsonua (390 points)
0 votes
1 answer

Hello, I am having issues with Reports not matching the results in the Console and Web UI. Below, you can see that the Adaxes Console only has 8 Workstations listed, but on the ... UI. Any help is appreciated, let me know if there is any questions. Thank You!

asked Jul 23, 2023 by Edogstraus00 (490 points)
+1 vote
1 answer

I see many questions regarding this in the Forum, and last solution is from 2014 - based on custom PS script, has something in the product come up that solves this ... outputs users that does not comply to property pattern in order to upkeep AD sanity. Thanks

asked Jan 21, 2021 by spinnetho (50 points)
0 votes
1 answer

We have a form to used by our HR Reps to create non-employee records. There are two fields on the form that are auto-generated via a property pattern: Full Name ( ... changed to cause this new behavior? Nothing has changed with our property pattern set-up...

asked Aug 30, 2016 by sandramnc (870 points)
0 votes
1 answer

I've searched the forum and not found an answer. I think other people could use this tool also. We need a way for group owners to audit the membership of the groups they ... If you have any part of this, like existing powershell code, I'd appreciate seeing it.

asked May 1, 2015 by theckel (520 points)
3,588 questions
3,277 answers
8,303 comments
548,090 users