Report - objets not matching property pattern

Question

Hello,

Often objects are moved from one OU to another. In some cases the OU does not have the same property patterns applied to them, and the user become inconsistent with the new pattern.

Right now, this get remediated the next time someone want to edit the user.

In our opinion, the proper solution to this problem would be a report listing objects breaching the property patterns. But we do not know how to get started to build this one

Thanks !

Comments

Hello Pierre,

Could you, please, specify what version of Adaxes you are currently using? To check that:

1. Launch Adaxes Administration Console.
2. In the Console Tree, right-click your service.
3. In the context menu, click Properties.
   
4. Adaxes version will be displayed on the General tab.
   

---

Dear support,

We are currently running 3.9.15631.0.

But we'll move to the latest version very very soon.

Best regards,

Pierre

Answer 1

Hello Pierre,

Thank you for specifying.

You can use a report that will be generated by the below script. For information on how to create reports, have a look at the following tutorial: https://www.adaxes.com/tutorials_Active ... Report.htm. On step 3, create a scope that will include objects in an Active Directory location (e.g. Organizational Unit).

function IsUserPropertiesValid($propertyPatternDN, $userPropertyList)
{
    # Bind to the Property Pattern
    $propertyPattern = $Context.BindToObjectByDN($propertyPatternDN)
    foreach($item in $propertyPattern.Items)
    {
        # Get property entry
        try
        {
            $propertyEntry = $userPropertyList.Item($item.PropertyName)
        }
        catch
        {
            continue
        }
        $propertyEntry.ControlCode = "ADS_PROPERTY_UPDATE"

        # Get constraints
        $constraints = $item.GetConstraints()
        foreach($constraint in $constraints)
        {
            $errorMsg = $NULL
            if ($constraint.Check($propertyEntry, $user, [ref]$errorMsg))
            {
                continue
            }
            return $False
        }
    }

    return $True
}

try
{
    $Context.DirectorySearcher.AppendFilter("(sAMAccountType=805306368)")
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $user = $Context.BindToObjectBySearchResult($searchIterator.Current)

        # Get Property Patterns effective for the user
        try
        {
            $propertyPatternDNs = $user.GetEx("adm-EffectivePropertyPatterns")
        }
        catch
        {
            continue
        }

        $user.GetInfo()
        $userPropertyList = $user.PropertyList
        foreach($propertyPatternDN in $propertyPatternDNs)
        {
            if (IsUserPropertiesValid $propertyPatternDN $userPropertyList)
            {
                continue
            }

            $Context.Items.Add($user)
            break
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

Comments

Dear support,

Thank you very very much. It works great.

Cheers !

---

Dear support,

I am trying to add a column in the report, containing the name of the attributes that are not matching.

I already figured out that I might need to mess around with the $Context object. Is there any documentation that precisely describe how to manipulate it? I only found this one: https://www.adaxes.com/tutorials_Active ... Report.htm but it does not goes into enough details.

Thank you in advance for your support

---

Hello Pierre,

As we understand, you want to create report specific columns that will be generated by PowerShell scripts. For details on creating the columns, see section How to create a report-specific column of step 5 in the tutorial you referenced: https://www.adaxes.com/tutorials_Active ... #collapse3.

---

I could do it this way, yes but I would need to do the same computation as in the one in the report just for the column.

The report is already pretty slow, and I would fear that this will slow it down by a huge margin.

I was wondering if it would be somehow possible to create the additional column from the main script.

---

Hello Pierre,

As another approach, the report can check all users for which a specific Property Pattern is effective instead of checking Property Patterns for users in a specific OU. In this case, it will work faster. The report will contain items grouped by user. Each item in a group will include the property name, current value and an error message specifying the constraint that should be met. The report will have no scope, only a parameter that will be used for Property Pattern selection.

If this solution meets your needs, we will provide you with detailed instructions.