Report for Disabled maangers w/ Direct Reports

Question

Is there a way to generate a list of disabled accounts that have direct reports?

Answer 1

Update 2018

Starting with version 2018.1 you can create custom reports. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateReport.htm. Also, there is a number of built-in reports including the Subordinates of a user one that can be used to view direct reports of a user. By default, the report is located in container Reports\All Reports\users\Managers and Subordinates.

Original

Hello,

In the next version of Adaxes, Adaxes 2015.1, we'll implement the possibility to build custom reports. Starting from that version, you'll be able to build such a report using Adaxes built-in functionality. Currently, this can be done using PowerShell scripting only. For example, you can use a PowerShell script that builds such a report in the HTML format and sends it by e-mail. Also, you can create a Scheduled Task that runs the script to receive the report on a certain schedule (say, once a month) or create a Custom Command to generate it on demand.

To create a Scheduled Task that generates a report on disabled managers in all domains managed by Adaxes:

1. Create a new Scheduled Task.

2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

3. Select the Domain-DNS object type. Running the Task on a domain allows to run the script only once per a Task run.
   

4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the Script field.
   

    $to = "recipient@example.com" # TODO: modify me
   
    function GetObjectDisplayName($objectDN)
    {
        $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath"`
            -ArgumentList @($null, $objectDN)   
        return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName(
            $objectPath, "IncludeParentPath")
    }
   
    # Get the default Web Interface address
    $webInterfaceAddress = "%adm-WebInterfaceUrl%"
    $appendWebInterFaceLink = $True
    if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
    {
        $appendWebInterFaceLink = $False
        $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
    }
   
    $htmlBuilder = New-Object "System.Text.StringBuilder"
    $htmlBuilder.append("<html><head>")
    $htmlBuilder.append("<meta http-equiv=""Content-Type""`
        content=""text/html charset=UTF-8""></head>")
    $htmlBuilder.append("<body>")
    $htmlBuilder.append("<p>Disabled Managers</p>")
    $htmlBuilder.append("<table width=""100%%"" border=""1"">")
    $htmlBuilder.append("<tr>")
    $htmlBuilder.append("<th>Full Name</th><th>Username</th>
    <th>Parent</th><th>Direct Reports</th>")
    if ($appendWebInterFaceLink)
    {
        $htmlBuilder.append("<th>Link</th>")
    }
   
    $htmlBuilder.append("</tr>")
   
    # Find disabled managers
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchFilter = "(&(objectCategory=user)(samAccountName=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True
   
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $disabledManagers = $searchResult.FetchAll()
   
        # Add information on each disabled manager to the report
        if ($disabledManagers.Count -gt 0)
        {
            foreach ($manager in $disabledManagers)
            {
                $manager = $Context.BindToObject($manager.AdsPath)
                $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $manager.Get("distinguishedName")
                $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
                $htmlBuilder.append("<tr>")
                $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("name"))
                $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("sAMAccountName"))
                $htmlBuilder.appendFormat("<td>{0}</td>", $parentDisplayName)
   
                # Append direct reports
                $htmlBuilder.append("<td>")
                foreach ($directReportDN in $manager.GetEx("directReports"))
                {
                    $directReport = $Context.BindToObjectByDN($directReportDN)
                    $htmlBuilder.appendFormat("{0} ({1})<br />", $directReport.Get("name"), $directReport.Get("sAMAccountName"))
                }
                $htmlBuilder.append("</td>")
   
                if ($appendWebInterFaceLink)
                {
                    $htmlBuilder.appendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$manager.Get("objectGUID"))
                }
                $htmlBuilder.append("</tr>")
            }
        }
   
        $htmlBuilder.append("</table>")
        $htmlBuilder.appendFormat("Total: {0} managers", $disabledManagers.Count.ToString())
        $htmlBuilder.append("</body></html>")
   
        $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
    }
    finally
    {
        $searchResult.Dispose()
    }
   

5. In the script $to specifies the e-mail address of the recipient to whom the report will be sent. Modify it as necessary.

6. Add a short description for the script and click OK.

7. On the 5th step, assign the Scheduled Task over any of your AD domains.

8. Click Finish.

Comments

Hello,

I've implemented this script on our system and have added the additional code so it doesn't show direct reports which are disabled.

Is there a way to ensure that disabled manager accounts are not reported on if all direct reports are disabled?

Thanks
Danny

---

Hello Danny,

Here you are.

$to = "recipient@domain.com" # TODO: modify me

function GetObjectDisplayName($objectDN)
{
    $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath" -ArgumentList @($null, $objectDN)
    return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($objectPath, "IncludeParentPath")
}

function SearchObjects($baseObjectPath, $filter, $propertiesToLoad)
{
    $searcher = $Context.BindToObject($baseObjectPath)
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchFilter = $filter
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($propertiesToLoad)

    $result = @{}
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        foreach ($objectID in $objects)
        {
            $properties = @{}
            foreach ($propertyName in $propertiesToLoad)
            {
                if ($propertyName -eq "directReports")
                {
                    $values = @()
                    foreach ($value in $objectID.Properties[$propertyName].Values)
                    {
                        $values += $value
                    }
                    $properties.Add($propertyName, $values) | Out-Null
                }
                else
                {
                    $properties.Add($propertyName, $objectID.Properties[$propertyName].Value) | Out-Null
                }

            }
            $result.Add($objectID.AdsPath, $properties)
        }
        return $result
    }
    finally
    {
        $searchResult.Dispose()
    }
}

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
$appendWebInterFaceLink = $True
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $appendWebInterFaceLink = $False
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

$htmlBuilder = New-Object "System.Text.StringBuilder"
$htmlBuilder.Append("<html><head>")
$htmlBuilder.Append("<meta http-equiv=""Content-Type""`
   content=""text/html charset=UTF-8""></head>")
$htmlBuilder.Append("<body>")
$htmlBuilder.Append("<p>Disabled Managers</p>")
$htmlBuilder.Append("<table width=""100%%"" border=""1"">")
$htmlBuilder.Append("<tr>")
$htmlBuilder.Append("<th>Full Name</th><th>Username</th>
   <th>Parent</th><th>Enabled Direct Reports</th>")
if ($appendWebInterfaceLink)
{
    $htmlBuilder.Append("<th>Link</th>")
}

$htmlBuilder.Append("</tr>")

# Find disabled managers with direct reports
$managerFilter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
$propertiesToLoad = @("directReports", "distinguishedName", "name", "sAMAccountName", "objectGUID")
$disabledManagers = SearchObjects $Context.TargetObject.AdsPath $managerFilter $propertiesToLoad
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$totalManagerCount = 0
foreach ($managerPath in $disabledManagers.Keys)
{
    # Get direct reports

    # Build filter
    $managerProperties = $disabledManagers[$managerPath]
    $filter = New-Object "System.Text.StringBuilder"
    $filter.Append("(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|")
    foreach ($directReportDN in $managerProperties["directReports"])
    {
        $filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $directReportDN)) | Out-Null
    }
    $filter.Append("))")

    # Search enabled direct reports
    $directReports = SearchObjects "Adaxes://$domainName/rootDSE" $filter.ToString() @("name", "sAMAccountName")
    if ($directReports.Count -eq 0)
    {
        continue # Skip manager if all direct reports are disabled
    }

    # Add manager info to the report
    $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $managerProperties["distinguishedName"]
    $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
    $htmlBuilder.Append("<tr>")
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["name"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["sAMAccountName"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $parentDisplayName)

    # Add direct reports to the report
    $htmlBuilder.Append("<td>")
    foreach ($directReportPath in $directReports.Keys)
    {
        $directReportProperties = $directReports[$directReportPath]
        $htmlBuilder.AppendFormat("{0} ({1})<br />", $directReportProperties["name"], $directReportProperties["sAMAccountName"])
    }
    $htmlBuilder.Append("</td>")

    if ($appendWebInterfaceLink)
    {
        $htmlBuilder.AppendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$managerProperties["objectGUID"])
    }
    $htmlBuilder.Append("</tr>")
    $totalManagerCount++
}

$htmlBuilder.Append("</table>")
$htmlBuilder.AppendFormat("Total: {0} managers", $totalManagerCount)
$htmlBuilder.Append("</body></html>")

if ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}

---

Perfect thank you for the excellent support.

I made a single change to the last line which stops the email if the manager count is 0.

If ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}

---

Danny,

That's a good catch! Thank you for the update and for your good words. We really appreciate that.

---

Thanks for your assistance. It took me a little while to figure out why it still wasn't working but I hadn't changed the scheduled task from DomainDNS to OrganisationUnit :lol:

Thanks again!