Find managed object on Deprovision

Question

Looking for a way to get notified that a deprovisioned user is set as a manager to one or more objects. I would like to have the action check and see if the user is a manager on any objects and notify via email that this user that has been deprovisioned by initiator is a manger on these objects

Thanks for any help

Comments

Hello,

This will require a script to accomplish. It is possible to create a script that send such an email and execute it as a part of the Custom Command that you use for user deprovisioning. We've assigned our script guys the task to write such a script for you and will get back to you as soon as they come up with something.

---

Hello,

Our script guys want to clarify a couple of things:

1. What do you mean by 'manager to one or more objects' ? Do you mean the users for whom the deprovisioned user is specified as the manager in the Manager property or the objects (such as a groups and OUs, for example) for which the deprovisioned user is specified in the Managed By property? Or maybe both?
2. What about levels of subordination? Should the email contain only those objects for which the deprovisioned user is directly assigned as the manager or also objects for which the deprovisioned user is assigned as the manager via membership in certain groups, for example?

---

1. Both. It would be both the users that they manage and the groups that are set with them as the managedby. As the manager of the group, they receive or can receive approval requests when users are added to the group or they can manage it themselves. For certain user accounts, an approval is sent to the manager to approve the extension of the account expiration.
2. Only directly assigned as the manager

Thank you

Answer 1

Hello,

Here's a script that does what you need:

# Email message setings
$to = "recipient@domain.com" # TODO: modify me
$subject = "My Subject" # TODO: modify me
$htmlReportHeader = "<h1><b>Objects Managed by %name%</b></h1><br/>" # TODO: modify me
$htmlReportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

# Get all direct reports
try
{
    $directReports = $Context.TargetObject.GetEx("directReports")
}
catch
{
    $directReports = $NULL
    $subordinates = "The user doesn't have any direct reports.<br />"
}

# Get names of all the direct reports and add them to the report
if ($directReports -ne $NULL)
{
    $subordinates = "<b>Direct Reports:</b><br /><ol>"
    foreach ($directReport in $directReports)
    {
        # Bind to user
        $user = $Context.BindToObjectByDN($directReport)

        # Get username and guid
        $username = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($user, 'IncludeParentPath')
        $userGuid = [Guid] $user.Get("ObjectGuid")

        # Add to report
        $subordinates += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$userGuid'>$username</a></li>"
    }
    $subordinates += "</ol>"
}

# Get all managed objects
try
{
    $managedObjectDNs = $Context.TargetObject.Get("managedObjects")
}
catch
{
    $managedObjectDNs = $NULL
    $managedObjects = "The user doesn't have any managed objects."
}

# Get names of all managed object and add them to the report
if ($managedObjectDNs -ne $NULL)
{
    $managedObjects = "<b>Managed objects:</b><br /><ol>"
    foreach ($managedObjectDN in $managedObjectDNs)
    {
        # Bind to object
        $object = $Context.BindToObjectByDN($managedObjectDN)

        # Get object name and guid
        $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object, 'IncludeParentPath')
        $objectGuid = [Guid] $object.Get("ObjectGuid")

        # Add to report
        $managedObjects += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$objectGuid'>$objectName</a></li>"
    }
    $managedObjects += "</ol>"
}

# Build the report
$htmlBody = $htmlReportHeader + $subordinates + $managedObjects + $htmlReportFooter

# Send mail
$Context.SendMail($to, $subject, $NULL, $htmlBody)

In the script, modify the following to meet your requirements:

• $to - specifies the notification recipient,
• $subject- specifies the e-mail message subject,
• $htmlReportHeader - specifies the report header (text before the list of managed objects),
• $htmlReportFooter - specifies the report header (text after the list of managed objects).

To create lists of managed objects automatically when deprovisioning users, you need to modify the Custom Command that you use for deprovisioning as follows:

1. Launch Adaxes Administration Console.
2. In the Console Tree, expand the service node that represents your Adaxes service.
3. Navigate to and select the the Custom Command that you use for deprovisioning. The actions and conditions of the Custom Command will be displayed in thew Result Pane (located to the right).
   
4. Right-click an action that is always executed and select Add New Action.
   
   If all of the actions are executed only when certain conditions are met, right-click below all the actions and conditions, and then click Add Action to New Set.
   
5. Select the Run a program or PowerShell script action.
6. Paste the above script in the Script field.
   
7. Enter a short description for the script and click OK.
8. Save the Custom Command.