0 votes

If a user is disabled, I would like the following process to be automated:

  1. Direct reports of this disabled user (user A) are reassigned to new active user (user B) who would have the same job title as User A
  2. with conditions, that 'same job title' is unique to User B & that User B is active
  3. If 'same job title' is not unique then the direct reports of User A will be assigned to User A's manager
  4. Mail is sent to User A's manager indicating direct reports have been transferred to User B or to User A's manager
  5. Mail is sent to User B indicating User A's direct reports have been transferred to User B
by (60 points)
0

Hello,

For us to help you with a solution, please specify the following:

  • How exactly should User B be determined?
  • What exactly do you mean by same job title is unique? Should the two users just have the same job title?

Any additional details will be much appreciated.

0

Hi,

  • User B will be identified by having the same job title as the now deactivated user A
  • Yes, an example would be the 'manager of operations' leaves & a new person starts with the same job title. I'd like all direct reports to be moved to the new 'manager of operations'
0

Hello,

Thank you for clarifying. What should be done in case there is no account found with the same Job Title or more than one found?

0

Hi,

  • If 'same job title' is not unique or more than one job title is found then the direct reports of User A will be assigned to User A's manager

Regards

0

Hello,

What should happen in case the user being disabled does not have a manager specified?

0

Hi, if there's no manager, then an email is sent to IT-helpdesk. Cheers Ben

0

Hello Ben,

Thank you for specifying. Let us summarize the workflow. When a user is disabled and they have direct reports, the following will be automatically done by Adaxes:

  • There will be a search performed for another enabled account with the same Job Title.
  • If none or more than one account is found, all direct reports of the user will be transferred to their manager. Both the user and the manager will receive corresponding emails. If there is no manager specified for the user an email will be sent to the predefined address and nothing will be done for direct reports.
  • If a single enabled account with the same job title is found, all the direct reports of the user will be transferred to the account. After that an email will be sent to the user being disabled and the one gaining direct reports.
  • In case when any of the recipients (e. g. new manager) does not have an email address, the corresponding notification will be sent to IT-helpdesk.

Is that correct?

0

Thanks, I updated the last paragraph of your summary:

When a user is disabled and they have direct reports, the following will be automatically done by Adaxes:

  • There will be a search performed for another enabled account with the same Job Title.
  • If none or more than one account is found, all direct reports of the user will be transferred to their manager.
  • If there is no manager specified for the user an email will be sent to the predefined address and nothing will be done for direct reports.
  • If a single enabled account with the same job title is found, all the direct reports of the user will be transferred to the account.
  • After that an email will be sent to the user's manager being disabled and the one gaining direct reports.
0

Hello Ben,

Thank you for the update. This can be done using a script in a business rule triggering After disabling a user. For us to write the script, please, provide samples for all the three email notifications (sent to the manager being disabled, manager gaining subordinates and IT-helpdesk). If values of specific properties need to be present in the emails, please, point that out explicitly. You can post the samples here or send them to support@adaxes.com.

1 Answer

+1 vote
by (270k points)
Best answer

Hello Ben,

Thank you for the provided details. Below is the script to perform the direct reports transfer. It should be executed in a business rule triggering After disabling a user on the condition that the user has direct reports.

In the script:

  • $helpDeskEmail – Specifies the helpdesk email address.
  • $noEmailSubjectTemplate – Specifies a template for the subject of the email notification that will be sent to helpdesk in case any of the required recipients has no email address specified. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
  • $noEmailNotificationTemplate – Specifies a template for the email notification that will be sent to helpdesk in case any of the required recipients has no email address specified. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
  • $userManagerSubject – Specifies the subject of the email notification that will be sent to the leaver's manager if they gain direct reports.
  • $userManagerEmailNotification – Specifies the email notification that will be sent to the leaver's manager if they gain direct reports.
  • $noManagerSubject – Specifies the subject of the email notification that will be sent to helpdesk in case the leaver's manager should gain direct reports, but there is no manager specified.
  • $norManagerEmailNotification – Specifies the email notification that will be sent to helpdesk in case the leaver's manager should gain direct reports, but there is no manager specified.
  • $successSubjectTemplate – Specifies a template for the subject of the email notification that will be sent to the leaver and the manager with unique Job Title when the latter gains direct reports. In the template, the {0} placeholder will be replaced with the username of the account gaining direct reports from the leaver.
  • $successEmailTemplate – Specifies a template for the email notification that will be sent to the leaver and the manager with unique Job Title when the latter gains direct reports. In the template, the {0} and {1} placeholders will be replaced with the username of the account gaining direct reports from the leaver.

$helpDeskEmail = "recipient@domain.com" # TODO: modify me

# Settings for the case when a recipient has no email address
$noEmailSubjectTemplate = "No email address specified for %username% or {0}" # TODO: modify me
$noEmailNotificationTemplate = @"
Dear helpdesk

%username% or {0} does not have a valid email associated to one or both of these accounts. Could you please investigate.
"@ # TODO: modify me

# Target user manager mail settings
$userManagerSubject = "%username% Direct reports have been transferred to you"  # TODO: modify me
$userManagerEmailNotification = @"
Dear %adm-ManagerUserName%,

The direct reports of %username% have been transferred to you and should be manually re-assigned in IAM to %username%’s replacement. 

Regards
IT
"@ # TODO: modify me

# Target user has no manager
$noManagerSubject = "No manager specified for %username%" # TODO: modify me
$norManagerEmailNotification = @"
Dear Helpdesk,

The user: %username% has recently been deactivated, however there is no recorded manager in AD for this user therefore the direct reports of %username% cannot be automatically transferred to the replacement of %username%. Please can you identify the manager of %username% and update the information.

Regards
"@ # TODO: modify me

# New manager with same title settings
$successSubjectTemplate = "Direct reports have successfully been transferred to {0} account" # TODO: modify me
$successEmailTemplate = @"
Dear %adm-ManagerUserName% and {0}

The direct reports of %username% have successfully been automatically transferred to {1} Please confirm that the list of direct reports is correct and that no further action needs to be performed.
"@  # TODO: modify me

function UpdateManager($newManagerDN)
{
    $redirectReportDNs = $Context.TargetObject.GetEx("directReports")

    foreach ($redirectReportDN in $redirectReportDNs)
    {
        $directReport = $Context.BindToObjectByDN($redirectReportDN)
        $directReport.Put("manager", $newManagerDN)
        $directReport.SetInfo()
    }
}

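# Search parameters
$searcher = $Context.BindToObject("Adaxes://rootDSE")
# Build the Job Title part with FilterBuilder, the same way as the distinguishedName part,
# instead of pasting the raw title text (parentheses, asterisks, backslashes) into the filter
$titleFilter = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("title", "%title%")
$filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", "%distinguishedName%")
# User accounts with the same Job Title that are enabled (ACCOUNTDISABLE bit 2 of
# userAccountControl not set), excluding the account being disabled
$searcher.SearchFilter = "(&(sAMAccountType=805306368)$titleFilter(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!$filterPart))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
# Two results are enough to tell "unique" from "not unique"
$searcher.SizeLimit = 2
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True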

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()    
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

if ($searchResults.Length -eq 1)
{
    $newManager = $Context.BindToObjectBySearchResult($searchResults[0])
    $newManagerDN = $newManager.Get("distinguishedName")
    UpdateManager $newManagerDN

    # Get new manager email
    try
    {
        $managerEmail = $newManager.Get("mail")
    }
    catch
    {
        $managerEmail = $NULL
    }

    # Send mail
    $managerUsername = $newManager.Get("sAMAccountName")
    if ((-not([System.String]::IsNullOrEmpty($managerEmail))) -and (-not([System.String]::IsNullOrEmpty("%mail%"))))
    {        
        $subject = [System.String]::Format($successSubjectTemplate, @($managerUsername))
        $message = [System.String]::Format($successEmailTemplate, @($managerUsername, $managerUsername))
        $Context.SendMail("$managerEmail, %mail%", $subject, $message, $NULL)
    }
    else
    {
        $subject = [System.String]::Format($noEmailSubjectTemplate, @($managerUsername))
        $message = [System.String]::Format($noEmailNotificationTemplate, @($managerUsername))
        $Context.SendMail($helpDeskEmail, $subject, $message, $NULL)
    }
}
elseif (-not([System.String]::IsNullOrEmpty("%manager%")))
{
    UpdateManager "%manager%"

    # Send mail
    if ((-not([System.String]::IsNullOrEmpty("%adm-ManagerEmail%"))) -and (-not([System.String]::IsNullOrEmpty("%mail%"))))
    {        
        $Context.SendMail("%adm-ManagerEmail%, %mail%", $userManagerSubject, $userManagerEmailNotification, $NULL)
    }
    else
    {
        $subject = [System.String]::Format($noEmailSubjectTemplate, @("%adm-ManagerUserName%"))
        $message = [System.String]::Format($noEmailNotificationTemplate, @("%adm-ManagerUserName%"))
        $Context.SendMail($helpDeskEmail, $subject, $message, $NULL)
    }

}
elseif ([System.String]::IsNullOrEmpty("%manager%"))
{
    # Send mail
    $Context.SendMail($helpDeskEmail, $noManagerSubject, $norManagerEmailNotification, $NULL)

}
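
The script above builds its LDAP search filter from the leaver's Job Title, and the agreed workflow calls for a single enabled account with that title. As an added example (not part of the original answer and not Adaxes code), this standalone PowerShell shows what RFC 4515 escaping does to titles containing filter metacharacters and how the enabled-only clause fits into the filter; the function names and all sample values are constructed.

```powershell
# Added example: standalone, no Adaxes objects needed. Function names and all
# sample titles and DNs below are constructed for illustration.

function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515: \ * ( ) and NUL are written as a backslash plus two hex digits,
    # so they are matched literally instead of being read as filter syntax.
    return [regex]::Replace($Value, '[\\\*\(\)\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function New-ReplacementSearchFilter([string]$Title, [string]$LeaverDN)
{
    # An empty title cannot identify a replacement: return nothing so the
    # caller takes the "none found" path (transfer to the leaver's manager).
    if ([string]::IsNullOrWhiteSpace($Title)) { return $null }

    $t = ConvertTo-LdapFilterValue $Title
    $d = ConvertTo-LdapFilterValue $LeaverDN

    # sAMAccountType=805306368                 : user accounts only
    # !(userAccountControl:...803:=2)          : ACCOUNTDISABLE bit not set (enabled)
    # !(distinguishedName=...)                 : never pick the leaver
    return "(&(sAMAccountType=805306368)(title=$t)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(!(distinguishedName=$d)))"
}

# Constructed sample data: a DN with an escaped comma and parentheses, and
# titles that would alter or break an unescaped filter.
$leaverDN = 'CN=Doe\, Jane (Ops),OU=Staff,DC=example,DC=com'
$titles = 'Manager of Operations', 'Manager (Operations)', 'Head of R*D', ''

foreach ($title in $titles)
{
    $filter = New-ReplacementSearchFilter $title $leaverDN
    if ($filter) { "{0,-24} -> {1}" -f "'$title'", $filter }
    else         { "{0,-24} -> no search; use the manager fallback" -f "'$title'" }
}
```

Without escaping, the asterisk in the third title acts as a wildcard and can match other job titles, and the parentheses in the second title unbalance the filter.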
0

Dear Adaxes, once again many thanks for this! I'm just going through the script and to make this as automatic as possible, I'm trying to understand the sections where you have mentioned "# TODO: modify me". I believe this relates to the sections of the mail that should be variables e.g. %username%.

Would there be any way to automate the creation of the mail template with the correct usernames for the leaver's manager and the leaver?

Regards Ben

0

Hello Ben,

Unfortunately, there is no such possibility. The templates need to be manually entered into the corresponding variables. As for the usernames in the templates, some are added using value references (e.g. %username%, %adm-ManagerUserName%) and some are identified using placeholders (e.g. {0}) and then replaced with corresponding values (e.g. username of the account with the required Job Title).
