0 votes

Is there a way to generate a list of disabled accounts that have direct reports?

by (470 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Update 2018

Starting with version 2018.1 you can create custom reports. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateReport.htm. Also, there is a number of built-in reports including the Subordinates of a user one that can be used to view direct reports of a user. By default, the report is located in container Reports\All Reports\users\Managers and Subordinates.

Original

Hello,

In the next version of Adaxes, Adaxes 2015.1, we'll implement the possibility to build custom reports. Starting from that version, you'll be able to build such a report using Adaxes built-in functionality. Currently, this can be done using PowerShell scripting only. For example, you can use a PowerShell script that builds such a report in the HTML format and sends it by e-mail. Also, you can create a Scheduled Task that runs the script to receive the report on a certain schedule (say, once a month) or create a Custom Command to generate it on demand.

To create a Scheduled Task that generates a report on disabled managers in all domains managed by Adaxes:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

  3. Select the Domain-DNS object type. Running the Task on a domain allows to run the script only once per a Task run.

  4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $to = "recipient@example.com" # TODO: modify me
    
     function GetObjectDisplayName($objectDN)
     {
         $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath"`
             -ArgumentList @($null, $objectDN)   
         return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName(
             $objectPath, "IncludeParentPath")
     }
    
     # Get the default Web Interface address
     $webInterfaceAddress = "%adm-WebInterfaceUrl%"
     $appendWebInterFaceLink = $True
     if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
     {
         $appendWebInterFaceLink = $False
         $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
     }
    
     $htmlBuilder = New-Object "System.Text.StringBuilder"
     $htmlBuilder.append("<html><head>")
     $htmlBuilder.append("<meta http-equiv=""Content-Type""`
         content=""text/html charset=UTF-8""></head>")
     $htmlBuilder.append("<body>")
     $htmlBuilder.append("<p>Disabled Managers</p>")
     $htmlBuilder.append("<table width=""100%%"" border=""1"">")
     $htmlBuilder.append("<tr>")
     $htmlBuilder.append("<th>Full Name</th><th>Username</th>
     <th>Parent</th><th>Direct Reports</th>")
     if ($appendWebInterFaceLink)
     {
         $htmlBuilder.append("<th>Link</th>")
     }
    
     $htmlBuilder.append("</tr>")
    
     # Find disabled managers
     $searcher = $Context.BindToObject("Adaxes://rootDSE")
     $searcher.PageSize = 500
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.SearchFilter = "(&(objectCategory=user)(samAccountName=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
     $searcher.VirtualRoot = $True
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $disabledManagers = $searchResult.FetchAll()
    
         # Add information on each disabled manager to the report
         if ($disabledManagers.Count -gt 0)
         {
             foreach ($manager in $disabledManagers)
             {
                 $manager = $Context.BindToObject($manager.AdsPath)
                 $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $manager.Get("distinguishedName")
                 $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
                 $htmlBuilder.append("<tr>")
                 $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("name"))
                 $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("sAMAccountName"))
                 $htmlBuilder.appendFormat("<td>{0}</td>", $parentDisplayName)
    
                 # Append direct reports
                 $htmlBuilder.append("<td>")
                 foreach ($directReportDN in $manager.GetEx("directReports"))
                 {
                     $directReport = $Context.BindToObjectByDN($directReportDN)
                     $htmlBuilder.appendFormat("{0} ({1})<br />", $directReport.Get("name"), $directReport.Get("sAMAccountName"))
                 }
                 $htmlBuilder.append("</td>")
    
                 if ($appendWebInterFaceLink)
                 {
                     $htmlBuilder.appendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$manager.Get("objectGUID"))
                 }
                 $htmlBuilder.append("</tr>")
             }
         }
    
         $htmlBuilder.append("</table>")
         $htmlBuilder.appendFormat("Total: {0} managers", $disabledManagers.Count.ToString())
         $htmlBuilder.append("</body></html>")
    
         $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
     }
     finally
     {
         $searchResult.Dispose()
     }
    
  5. In the script $to specifies the e-mail address of the recipient to whom the report will be sent. Modify it as necessary.

  6. Add a short description for the script and click OK.

  7. On the 5th step, assign the Scheduled Task over any of your AD domains.

  8. Click Finish.

0

Hello,

I've implemented this script on our system and have added the additional code so it doesn't show direct reports which are disabled.

Is there a way to ensure that disabled manager accounts are not reported on if all direct reports are disabled?

Thanks
Danny

0

Hello Danny,

Here you are.

$to = "recipient@domain.com" # TODO: modify me

function GetObjectDisplayName($objectDN)
{
    $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath" -ArgumentList @($null, $objectDN)
    return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($objectPath, "IncludeParentPath")
}

function SearchObjects($baseObjectPath, $filter, $propertiesToLoad)
{
    $searcher = $Context.BindToObject($baseObjectPath)
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchFilter = $filter
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($propertiesToLoad)

    $result = @{}
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        foreach ($objectID in $objects)
        {
            $properties = @{}
            foreach ($propertyName in $propertiesToLoad)
            {
                if ($propertyName -eq "directReports")
                {
                    $values = @()
                    foreach ($value in $objectID.Properties[$propertyName].Values)
                    {
                        $values += $value
                    }
                    $properties.Add($propertyName, $values) | Out-Null
                }
                else
                {
                    $properties.Add($propertyName, $objectID.Properties[$propertyName].Value) | Out-Null
                }

            }
            $result.Add($objectID.AdsPath, $properties)
        }
        return $result
    }
    finally
    {
        $searchResult.Dispose()
    }
}

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
$appendWebInterFaceLink = $True
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $appendWebInterFaceLink = $False
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

$htmlBuilder = New-Object "System.Text.StringBuilder"
$htmlBuilder.Append("<html><head>")
$htmlBuilder.Append("<meta http-equiv=""Content-Type""`
   content=""text/html charset=UTF-8""></head>")
$htmlBuilder.Append("<body>")
$htmlBuilder.Append("<p>Disabled Managers</p>")
$htmlBuilder.Append("<table width=""100%%"" border=""1"">")
$htmlBuilder.Append("<tr>")
$htmlBuilder.Append("<th>Full Name</th><th>Username</th>
   <th>Parent</th><th>Enabled Direct Reports</th>")
if ($appendWebInterfaceLink)
{
    $htmlBuilder.Append("<th>Link</th>")
}

$htmlBuilder.Append("</tr>")

# Find disabled managers with direct reports
$managerFilter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
$propertiesToLoad = @("directReports", "distinguishedName", "name", "sAMAccountName", "objectGUID")
$disabledManagers = SearchObjects $Context.TargetObject.AdsPath $managerFilter $propertiesToLoad
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$totalManagerCount = 0
foreach ($managerPath in $disabledManagers.Keys)
{
    # Get direct reports

    # Build filter
    $managerProperties = $disabledManagers[$managerPath]
    $filter = New-Object "System.Text.StringBuilder"
    $filter.Append("(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|")
    foreach ($directReportDN in $managerProperties["directReports"])
    {
        $filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $directReportDN)) | Out-Null
    }
    $filter.Append("))")

    # Search enabled direct reports
    $directReports = SearchObjects "Adaxes://$domainName/rootDSE" $filter.ToString() @("name", "sAMAccountName")
    if ($directReports.Count -eq 0)
    {
        continue # Skip manager if all direct reports are disabled
    }

    # Add manager info to the report
    $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $managerProperties["distinguishedName"]
    $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
    $htmlBuilder.Append("<tr>")
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["name"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["sAMAccountName"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $parentDisplayName)

    # Add direct reports to the report
    $htmlBuilder.Append("<td>")
    foreach ($directReportPath in $directReports.Keys)
    {
        $directReportProperties = $directReports[$directReportPath]
        $htmlBuilder.AppendFormat("{0} ({1})<br />", $directReportProperties["name"], $directReportProperties["sAMAccountName"])
    }
    $htmlBuilder.Append("</td>")

    if ($appendWebInterfaceLink)
    {
        $htmlBuilder.AppendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$managerProperties["objectGUID"])
    }
    $htmlBuilder.Append("</tr>")
    $totalManagerCount++
}

$htmlBuilder.Append("</table>")
$htmlBuilder.AppendFormat("Total: {0} managers", $totalManagerCount)
$htmlBuilder.Append("</body></html>")

if ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}
0

Perfect thank you for the excellent support.

I made a single change to the last line which stops the email if the manager count is 0.

If ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}
0

Danny,

That's a good catch! Thank you for the update and for your good words. We really appreciate that.

0

Thanks for your assistance. It took me a little while to figure out why it still wasn't working but I hadn't changed the scheduled task from DomainDNS to OrganisationUnit :lol:

Thanks again!

Related questions

0 votes
1 answer

Is it possible, using a business rule, to reassign a user's direct reports to their manager when they get disabled? For example, User B reports up to User A. User B gets disabled and all of their direct reports automatically get assigned to User A. Thanks

asked Jul 6, 2020 by bavery (250 points)
0 votes
1 answer

Hi, Is there a way I can create a rule based group or scheduled task in which the Direct reports of the direct reports are added to a group? So for example: CEO VP's ... in the list that no longer reports to a manager who reports to the CEO. Thanks in advance

asked Dec 22, 2022 by gareth.aylward (180 points)
0 votes
1 answer

We have the following script we need fixed to run within Adaxes to add true/false value to a customattribute for use in building dynamic distribution lists. $users = ... } else { Set-Mailbox -Identity $user.Name -CustomAttribute8 "Individual contributor" } }

asked Jul 13, 2022 by willy-wally (3.2k points)
0 votes
0 answers

Or would the DLs have to be manually created and rules set up? I'm starting to look into features of the product before demoing, and was hoping there was an easy answer on this one. Thanks

asked Oct 7, 2020 by SIRI-Steele (40 points)
0 votes
1 answer

Hi smart people! I'm using this script: http://www.adaxes.com/script-repository ... t-s423.htm Which works great for sending an email to someone, listing their direct ... body of the email at once would be greatly appreciated! Thanks for any and all replies!

asked Mar 24, 2017 by 3Jake (150 points)
3,589 questions
3,278 answers
8,303 comments
548,107 users