Report for every Group in specific OU and their Members

Question

Hello dear ADAXES community,

what i wanted to do is, to have a custom report which does the following:

• get every group in a specific OU (the OU comes from an adaxes custom attribute)
• then get all members from every group

my simple trying was to iterate over every group in a given OU with a script like this:

$Groups = Get-ADGroup -Filter * -SearchBase "OU=,OU=,OU=,DC=,DC=,DC="

foreach( $Group in $Groups ){ #looks for members in each group and stores them in Results
    Get-ADGroupMember -Identity $Group | Select distinguishedName | foreach {
        [pscustomobject]@{
            GroupName = $Group.Name
            Name = $_
        }
        $Context.Items.Add($Group.name)
    }
}

is this possible in such a way? thank you for your help

Answer 1

Hello,

There is no need to use scripts. Adaxes has a built-in Members of groups report which does what you are looking for. To include only members of groups from a specific OU, whose Distinguished Name (DN) is stored in a custom attribute of a user generating the report, you need to add a new scope to the report.

For details about report scopes, please take a look at step 3 of this tutorial https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateReport.htm.

On step 1 of the New Scope Item wizard, select Objects in a specific AD location. On step 3, select Specific location and enter a value reference to the custom attribute where the DN of the Organizational Unit is stored, for example: If this is not what you are looking for, please describe the desired workflow in all possible details. Screenshots and live examples would be much appreciated.

Comments

Hello Support4, thank you very much. This is exactly what i searched for!

Just one problem left with the scope in the specific location:

we already use value references with LDAP filters for the webform. this is dynamically created for every user.

so if a user has rights to one ore more OUs, our script will creaty the "adm-customattributetext10" automatically.

for example:

this works fine in the webform, but not in the report!

DN '(|(distinguishedName=OU=XXX,OU=XXX,OU=XXX,DC=xxx,DC=xxx,DC=xxxt))' is invalid.

is there a way we can use the same ldap search filter for the report?

---

Unfortunately, there is no way to make use of the LDAP filter stored in adm-CustomAttributeText10 to define the report scope. The custom attribute has to contain just the distinguished name of a single OU. As a workaround, you can modify your script which generates the LDAP filter and stores it in adm-CustomAttributeText10 to also store the distinguished name of the OU in another custom attribute. Please note, that this approach will work only if the LDAP filter generated by the script contains the DN of one and only one OU.

If there can be more than one OU a user has rights to, your script should be modified to store the DNs of these OUs in a multi-valued attribute, for example, adm-CustomAttributeTextMultiValue11. In this case, the Members of groups report script also has to be severely modified to accommodate for the fact that it has to look for groups in several OUs.

For us to help you implement the desired workflow, please, post here or send us (support[at]adaxes.com) the script that generates the LDAP filter and stores it in adm-CustomAttributeText10.