0 votes

I'd like to create a a custom report to show any approval requests (Approved, Pending, and Rejected) for membership in certain AD groups within our domain. These groups grant users elevated rights so we need some way to regularly report out and audit these types of requests. There doesnt seem to be a built-in report that allows for this.

For example, I'd like to generate a report that shows all approval requests submitted any any user for membership in any group with "JIT" (Just In Time) in the name of the group.

Is something like this possible?

by (480 points)
edited by
0

Hello,

Do we understand correctly that the report should contain approval requests that were created when attempting to add members to a specific group no matter of the current request status? What columns should the report contain?

Could you, please, specify what version of Adaxes you are currently using? For information on how to check it, have a look at the following help article: https://www.adaxes.com/help/HowDoI.ManageService.CheckAdaxesServiceVersion.html.

0

Yes ideally we would like to report on any requests regardless of the status of the approval (Approved,Pending,Denied, etc) however if we can only pick one we would want the Approved requests in the report.

As far as columns, we would just want the standard columns already being used in the built-in 'Approved Requests' report. (Name, Initiator, Processed By, Request Date)

Really we just need some way of filtering on the 'Name' column to include only requests to groups that match a certain wildcard string pattern. (JIT)

Let me know if that provides enough information. We are on version 3.12.17423.0

Thanks!

0

Hello,

Thank you for the provided details. Yes, it is possible to have such a report. As for the approval requests status (Approved, Denied, etc.). Do you need a possibility to select it before generating the report or it shold always be the approved requests?

0

To make things simple lts just say that it should always be for approved requests.

1 Answer

0 votes
by (288k points)

Hello,

Thank you for all the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand your service node.
  3. Navigate to Reports\All Reports\Miscellaneous\Approvals.
  4. Right-click the Approved Requests report.
  5. In the context menu, click Copy. image.png
  6. Right-click the container where the new report will be located and then click Paste in the context menu. image.png
  7. Specify a name for the new report and click OK. image.png
  8. Right-click the new report and then click Edit in the context menu. image.png
  9. Activate the Parameters tab.
  10. Remove the Show requests initiated during the last parameter.
  11. Click New.
  12. Select AD object picker and click Next. image.png
  13. Specify a parameter name and display name (e.g. Group). image.png
  14. Click Next.
  15. In the Object Selection section, click Configure. image.png
  16. In the Display only objects that match the following LDAP filter, enter the following: (objectCategory=group) image.png
  17. Click OK and then click Finish.
  18. Activate the Script tab.
  19. Replace the script in the corresponding field with the below one. In the script, the $groupDN variable should contain the value reference with the name of the parameter specified on step 13 and the param- prefix (e.g. "%param-Group%").
$groupDN = "%param-Group%" # TODO: modify me

# Get group guid
$group = $Context.BindToObjectByDN($groupDN)
$groupGuid = $group.Get("objectGUID")

# Build filter
$filter = New-Object "System.Text.StringBuilder"
$filter.Append("(&(objectClass=adm-ApprovalRequest)(adm-ApprovalState=1)(adm-TypeNamesOfOperationToApprove=add group members)")
$filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-TargetObjectGuid", [Guid]$groupGuid))
$filter.Append(")")

# Create a request searcher
$approvalsPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$Context.DirectorySearcher.BaseObjectPath = $approvalsPath
$Context.DirectorySearcher.AppendFilter($filter.ToString())

# Generate report
$Context.Items.Add($Context.DirectorySearcher)
  1. Click OK.
0

Thank you for the instructions. I went though the provided response step by step by am having some issues getting the report to work as intended.

Here's what I've done:

  1. Copied/pasted the existing Approved Requests report and then modified it to pull my desired parameter.

image.png

  1. Copied/pasted the script you provided and modified the variable name to reflect the parameter I created.

image.png

However when I go to run the report I get an error complaining about 'BindToObjectByDN'

I suspect this is because my parameter allows for multiselection and it doesnt like the comma "," value separator I've used.

Additionally, the report appears to be showing 'add group member' requests for groups other than the ones I've specified in my parameter LDAP filter. Why would it be showing approved requests for groups that don't match the "JIT Local Administrator" that ive specified?

Is it possible to have it automatically add all groups that match that LDAP filter parameter to the report by default without having to select them all individually when i want to run it? I've created a Business Object that has all those groups as members which may or may not make this easier.

Lastly, is it possible to add the option to add Date filtering to this report as well? (Last 24 Hours, 7 days, 30 days, etc)

Let me know if this would be easier to work through on a screen share call. I can make myself available most days of the week.

0

Hello,

Yes, that is correct, the script we provided does not work for multiple groups selection. Please, disable the Allow multiple selection option in the parameter settings and try to generate the report. Does it work fine then?

0

Thanks for following up. Yes it seems to work when only a single group is selected. Is there a way to modify it to work with multiple groups? I have about 60 groups in my domain that I would like to show approval information for within a single report.

0

Hello,

Yes, it is possible. Could you, please, specify what other modifications you need to be done if any?

0

No other modifications. Just the ability to be able to run the report against multiple groups at once. Thanks!

0

Hello,

Thank you for the confirmation. Here is the updated script that should be used to generate the report. In the script, we added the $valueSeparator variable that specifies the separator that will be used to distinguish multiple parameter values.

$groupDNs = "%param-Group%" # TODO: modify me
$valueSeparator = ";" # TODO: modify me

# Build filter
$filter = New-Object "System.Text.StringBuilder"
$filter.Append("(&(objectClass=adm-ApprovalRequest)(adm-ApprovalState=1)(adm-TypeNamesOfOperationToApprove=add group members)(|")
foreach ($dn in $groupDNs.Split(";"))
{
    # Get group guid
    $group = $Context.BindToObjectByDN($dn)
    $guid = $group.Get("objectGUID")

    # Add to filter
    $filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("adm-TargetObjectGuid", [Guid]$guid))
}

$filter.Append("))")

# Create a request searcher
$approvalsPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$Context.DirectorySearcher.BaseObjectPath = $approvalsPath
$Context.DirectorySearcher.AppendFilter($filter.ToString())

# Generate report
$Context.Items.Add($Context.DirectorySearcher)

The separator should be the same as in the parameter settings. image.png IMPORTANT: Comma cannot be used as a separator as it is present in distinguished names.

0

Thank you this worked perfectly! I appreciate your assistance with this.

Related questions

0 votes
1 answer

We have four OUs in Active Directory (Pending Deletion, Disabled with Mail Delegates, Disabled with HR Extensions and Disabled_Temp_Leave) that users are moved to prior to their eventual ... past 7 days have been moved to one of 4 of these OUs. Thanks!

asked Jun 3, 2021 by RayBilyk (240 points)
0 votes
1 answer

How to deal with approval requests in a AD and AAD environment? I have recently created a workflow where I log on as a AD user and request to be a member of a AAD group, ... of member works despite the initial request was based on a AD user and not a AAD user.

asked May 2, 2023 by Daniel (160 points)
0 votes
1 answer

If I have 2 Active Directory Security groups in my domain - Group A Group B Is it possible to create a report that shows only users who have membership in both groups? For ... Jane Doe is in Group A AND Group B she would be included in the resulting report.

asked May 11, 2020 by sirslimjim (480 points)
0 votes
1 answer

Is it possible to grant selected user option to add custom license plan (or just subset of its licenses) to given user(s) using web interface?

asked Feb 28, 2023 by KIT (960 points)
0 votes
1 answer

Hello, we create reports for every group in every OU. But what i need is, that the Description is also shown from the group, a user is in. For example: This is how my ... . but what i need is the description of the group. Is this possible? Thank you in advance

asked Oct 5, 2020 by m_st (200 points)
3,542 questions
3,233 answers
8,227 comments
547,808 users