0 votes

Looking for a way to get notified that a deprovisioned user is set as a manager to one or more objects. I would like to have the action check and see if the user is a manager on any objects and notify via email that this user that has been deprovisioned by initiator is a manager on these objects.

Thanks for any help

by (1.2k points)
0

Hello,

This will require a script to accomplish. It is possible to create a script that sends such an email and execute it as a part of the Custom Command that you use for user deprovisioning. We've assigned our script guys the task to write such a script for you and will get back to you as soon as they come up with something.

0

Hello,

Our script guys want to clarify a couple of things:

  1. What do you mean by 'manager to one or more objects'? Do you mean the users for whom the deprovisioned user is specified as the manager in the Manager property or the objects (such as groups and OUs, for example) for which the deprovisioned user is specified in the Managed By property? Or maybe both?
  2. What about levels of subordination? Should the email contain only those objects for which the deprovisioned user is directly assigned as the manager or also objects for which the deprovisioned user is assigned as the manager via membership in certain groups, for example?
0

1. Both. It would be both the users that they manage and the groups that are set with them as the managedby. As the manager of the group, they receive or can receive approval requests when users are added to the group or they can manage it themselves. For certain user accounts, an approval is sent to the manager to approve the extension of the account expiration.
2. Only directly assigned as the manager

Thank you

1 Answer

0 votes
by (216k points)

Hello,

Here's a script that does what you need:

# Email message settings
$to = "recipient@domain.com" # TODO: modify me
$subject = "My Subject" # TODO: modify me
$htmlReportHeader = "<h1><b>Objects Managed by %name%</b></h1><br/>" # TODO: modify me
$htmlReportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

# Get all direct reports
try
{
    $directReports = $Context.TargetObject.GetEx("directReports")
}
catch
{
    $directReports = $NULL
    $subordinates = "The user doesn't have any direct reports.<br />"
}

# Get names of all the direct reports and add them to the report
if ($directReports -ne $NULL)
{
    $subordinates = "<b>Direct Reports:</b><br /><ol>"
    foreach ($directReport in $directReports)
    {
        # Bind to user
        $user = $Context.BindToObjectByDN($directReport)

        # Get username and guid
        $username = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($user, 'IncludeParentPath')
        $userGuid = [Guid] $user.Get("ObjectGuid")

        # Add to report
        $subordinates += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$userGuid'>$username</a></li>"
    }
    $subordinates += "</ol>"
}

# Get all managed objects
try
{
    $managedObjectDNs = $Context.TargetObject.Get("managedObjects")
}
catch
{
    $managedObjectDNs = $NULL
    $managedObjects = "The user doesn't have any managed objects."
}

# Get names of all managed objects and add them to the report
if ($managedObjectDNs -ne $NULL)
{
    $managedObjects = "<b>Managed objects:</b><br /><ol>"
    foreach ($managedObjectDN in $managedObjectDNs)
    {
        # Bind to object
        $object = $Context.BindToObjectByDN($managedObjectDN)

        # Get object name and guid
        $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object, 'IncludeParentPath')
        $objectGuid = [Guid] $object.Get("ObjectGuid")

        # Add to report
        $managedObjects += "<li><a href='$webInterfaceAddress`ViewObject.aspx?guid=$objectGuid'>$objectName</a></li>"
    }
    $managedObjects += "</ol>"
}

# Build the report
$htmlBody = $htmlReportHeader + $subordinates + $managedObjects + $htmlReportFooter

# Send mail
$Context.SendMail($to, $subject, $NULL, $htmlBody)

In the script, modify the following to meet your requirements:

  • $to - specifies the notification recipient,
  • $subject - specifies the e-mail message subject,
  • $htmlReportHeader - specifies the report header (text before the list of managed objects),
  • $htmlReportFooter - specifies the report header (text after the list of managed objects).

To create lists of managed objects automatically when deprovisioning users, you need to modify the Custom Command that you use for deprovisioning as follows:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand the service node that represents your Adaxes service.
  3. Navigate to and select the Custom Command that you use for deprovisioning. The actions and conditions of the Custom Command will be displayed in the Result Pane (located to the right).
  4. Right-click an action that is always executed and select Add New Action.

    If all of the actions are executed only when certain conditions are met, right-click below all the actions and conditions, and then click Add Action to New Set.
  5. Select the Run a program or PowerShell script action.
  6. Paste the above script in the Script field.
  7. Enter a short description for the script and click OK.
  8. Save the Custom Command.
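
The script above writes object names read from the directory straight into the HTML body of the e-mail. As an added example (not part of the original answer and not Adaxes' own code), the following builds the same two list sections from plain data, HTML-encoding each name and leaving out the link when no Web Interface address is set. The function name, its parameters, the sample data and the URL are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: builds one report section from plain data, HTML-encoding every
# directory-supplied value. Function and parameter names are hypothetical.
function ConvertTo-ManagedObjectList
{
    param(
        [string]$Title,
        [object[]]$Items,              # objects with Name and Guid properties
        [string]$EmptyText,
        [string]$WebInterfaceAddress
    )

    if (-not $Items -or $Items.Count -eq 0)
    {
        return [System.Net.WebUtility]::HtmlEncode($EmptyText) + "<br />"
    }

    $html = New-Object System.Text.StringBuilder
    [void]$html.Append("<b>" + [System.Net.WebUtility]::HtmlEncode($Title) + "</b><br /><ol>")
    foreach ($item in $Items)
    {
        # Object names come from the directory and may contain <, >, & or quotes
        $name = [System.Net.WebUtility]::HtmlEncode($item.Name)
        if ([string]::IsNullOrEmpty($WebInterfaceAddress))
        {
            # No Web Interface address registered: list the name without a broken link
            [void]$html.Append("<li>$name</li>")
        }
        else
        {
            $guid = ([Guid]$item.Guid).ToString()
            $href = [System.Net.WebUtility]::HtmlEncode($WebInterfaceAddress + "ViewObject.aspx?guid=" + $guid)
            [void]$html.Append("<li><a href='$href'>$name</a></li>")
        }
    }
    [void]$html.Append("</ol>")
    return $html.ToString()
}

# Constructed sample data (not from a real directory)
$reports = @(
    [pscustomobject]@{ Name = "Smith & Sons <contractor> (example.com\Users)"; Guid = "11111111-2222-3333-4444-555555555555" }
)
$address = "https://adaxes.example.com/Adaxes/"   # placeholder URL

$body  = ConvertTo-ManagedObjectList -Title "Direct Reports:" -Items $reports -EmptyText "The user doesn't have any direct reports." -WebInterfaceAddress $address
$body += ConvertTo-ManagedObjectList -Title "Managed objects:" -Items @() -EmptyText "The user doesn't have any managed objects." -WebInterfaceAddress $address
$body
```

In the Adaxes script, the same encoding call can be applied to `$username` and `$objectName` before they are appended to the report.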
