0 votes

Is there a way to generate a list of disabled accounts that have direct reports?

by (470 points)

1 Answer

0 votes
by (215k points)
Best answer

Update 2018

Starting with version 2018.1, you can create custom reports. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_CreateReport.htm. Also, there are a number of built-in reports, including the Subordinates of a user report, which can be used to view the direct reports of a user. By default, the report is located in the Reports\All Reports\users\Managers and Subordinates container.

Original

Hello,

In the next version of Adaxes, Adaxes 2015.1, we'll implement the possibility to build custom reports. Starting from that version, you'll be able to build such a report using Adaxes built-in functionality. Currently, this can be done using PowerShell scripting only. For example, you can use a PowerShell script that builds such a report in the HTML format and sends it by e-mail. Also, you can create a Scheduled Task that runs the script to receive the report on a certain schedule (say, once a month) or create a Custom Command to generate it on demand.

To create a Scheduled Task that generates a report on disabled managers in all domains managed by Adaxes:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

  3. Select the Domain-DNS object type. Running the Task on a domain allows the script to run only once per Task run.

  4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the Script field.

     $to = "recipient@example.com" # TODO: modify me
    
     function GetObjectDisplayName($objectDN)
     {
         $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath"`
             -ArgumentList @($null, $objectDN)   
         return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName(
             $objectPath, "IncludeParentPath")
     }
    
     # Get the default Web Interface address
     $webInterfaceAddress = "%adm-WebInterfaceUrl%"
     $appendWebInterFaceLink = $True
     if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
     {
         $appendWebInterFaceLink = $False
         $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
     }
    
     $htmlBuilder = New-Object "System.Text.StringBuilder"
     $htmlBuilder.append("<html><head>")
     $htmlBuilder.append("<meta http-equiv=""Content-Type""`
         content=""text/html; charset=UTF-8""></head>")
     $htmlBuilder.append("<body>")
     $htmlBuilder.append("<p>Disabled Managers</p>")
     $htmlBuilder.append("<table width=""100%%"" border=""1"">")
     $htmlBuilder.append("<tr>")
     $htmlBuilder.append("<th>Full Name</th><th>Username</th>
     <th>Parent</th><th>Direct Reports</th>")
     if ($appendWebInterFaceLink)
     {
         $htmlBuilder.append("<th>Link</th>")
     }
    
     $htmlBuilder.append("</tr>")
    
     # Find disabled managers
     $searcher = $Context.BindToObject("Adaxes://rootDSE")
     $searcher.PageSize = 500
     $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
     $searcher.SearchFilter = "(&(objectCategory=user)(samAccountName=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
     $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
     $searcher.VirtualRoot = $True
    
     try
     {
         $searchResult = $searcher.ExecuteSearch()
         $disabledManagers = $searchResult.FetchAll()
    
         # Add information on each disabled manager to the report
         if ($disabledManagers.Count -gt 0)
         {
             foreach ($manager in $disabledManagers)
             {
                 $manager = $Context.BindToObject($manager.AdsPath)
                 $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $manager.Get("distinguishedName")
                 $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
                 $htmlBuilder.append("<tr>")
                 $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("name"))
                 $htmlBuilder.appendFormat("<td>{0}</td>", $manager.Get("sAMAccountName"))
                 $htmlBuilder.appendFormat("<td>{0}</td>", $parentDisplayName)
    
                 # Append direct reports
                 $htmlBuilder.append("<td>")
                 foreach ($directReportDN in $manager.GetEx("directReports"))
                 {
                     $directReport = $Context.BindToObjectByDN($directReportDN)
                     $htmlBuilder.appendFormat("{0} ({1})<br />", $directReport.Get("name"), $directReport.Get("sAMAccountName"))
                 }
                 $htmlBuilder.append("</td>")
    
                 if ($appendWebInterFaceLink)
                 {
                     $htmlBuilder.appendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$manager.Get("objectGUID"))
                 }
                 $htmlBuilder.append("</tr>")
             }
         }
    
         $htmlBuilder.append("</table>")
         $htmlBuilder.appendFormat("Total: {0} managers", $disabledManagers.Count.ToString())
         $htmlBuilder.append("</body></html>")
    
         $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
     }
     finally
     {
         # $searchResult is unset if ExecuteSearch() failed
         if ($null -ne $searchResult) { $searchResult.Dispose() }
     }
    
  5. In the script, $to specifies the e-mail address of the recipient to whom the report will be sent. Modify it as necessary.

  6. Add a short description for the script and click OK.

  7. On the 5th step, assign the Scheduled Task over any of your AD domains.

  8. Click Finish.

0

Is there a way to have it not display Employees who are also disabled?

0

Hello,

Yes, there is. Find the following line in the script:

$directReport = $Context.BindToObjectByDN($directReportDN)

Paste the following block after this line:

$userDisabled = $directReport.AccountDisabled
if ($userDisabled)
{
    continue
}
0

Stumbled upon this after looking to achieve something similar.

Is there a way to do this via the GUI now in Admin Console 2015?
Thanks in advance,

0

Hello,

The GUI for this task will appear in Adaxes 2015.1 that will be available later in 2015, most probably, by Q3.

Could you explain in more detail where you have stumbled? We'll help you through.

0

I will look forward to that release, until I bring my PowerShell up to scratch! :)
When I say 'stumbled' I meant came across this thread via a Google search. However..

I've tried the above PowerShell script, included an email address which exists but the email doesn't arrive. (I know the SMTP settings work as I've run the test settings and other Adaxes email notifications work). The activity history on the scheduled tasks shows no records found which suggests it has never run, even though it is enabled and I've run it manually.

0

Hello,

Can you post here or send to our support e-mail (support[at]adaxes.com) a screenshot of your Scheduled Task, including its actions / conditions and Activity Scope?

0

Hello,

The Scheduled Task is configured to be triggered on a Domain-DNS object, which means that it will be triggered on a domain. However, you've specified an Organizational Unit as the Activity Scope of the Scheduled Task. Organizational Units don't contain any domains, thus, the Scheduled Task is never triggered.

As far as we understand from your screenshot, you want the task to generate reports for managers located in a certain OU only. We've modified the script for you. The script will generate the report for the OU on which it is executed. In your Scheduled Task, replace the script that you currently have with the following script:

$to = "recipient@example.com" # TODO: modify me

function GetObjectDisplayName($objectDN)
{
   $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath"`
       -ArgumentList @($null, $objectDN)   
   return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName(
       $objectPath, "IncludeParentPath")
}

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
$appendWebInterfaceLink = $True
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    # No address registered: leave the Link column out of the report
    $appendWebInterfaceLink = $False
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

$htmlBuilder = New-Object "System.Text.StringBuilder"
$htmlBuilder.Append("<html><head>")
$htmlBuilder.Append("<meta http-equiv=""Content-Type""`
   content=""text/html; charset=UTF-8""></head>")
$htmlBuilder.Append("<body>")
$htmlBuilder.Append("<p>Disabled Managers</p>")
$htmlBuilder.Append("<table width=""100%%"" border=""1"">")
$htmlBuilder.Append("<tr>")
$htmlBuilder.Append("<th>Full Name</th><th>Username</th>
   <th>Parent</th><th>Direct Reports</th>")
if ($appendWebInterfaceLink)
{
    $htmlBuilder.Append("<th>Link</th>")
}

$htmlBuilder.Append("</tr>")

# Find disabled managers with direct reports
$searcher = $Context.TargetObject
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SearchFilter = "(&(objectCategory=user)(samAccountName=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    $searchResult = $searcher.ExecuteSearch()
    $disabledManagers = $searchResult.FetchAll()

    # Add information on each manager to the report
    if ($disabledManagers.Count -gt 0)
    {
        foreach ($manager in $disabledManagers)
        {
            $manager = $Context.BindToObject($manager.AdsPath)
            $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $manager.Get("distinguishedName")
            $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
            $htmlBuilder.Append("<tr>")
            $htmlBuilder.AppendFormat("<td>{0}</td>", $manager.Get("name"))
            $htmlBuilder.AppendFormat("<td>{0}</td>", $manager.Get("sAMAccountName"))
            $htmlBuilder.AppendFormat("<td>{0}</td>", $parentDisplayName)

            # Append direct reports
            $htmlBuilder.Append("<td>")
            foreach ($directReportDN in $manager.GetEx("directReports"))
            {
                $directReport = $Context.BindToObjectByDN($directReportDN)
                $htmlBuilder.AppendFormat("{0} ({1})<br />", $directReport.Get("name"), $directReport.Get("sAMAccountName"))
            }
            $htmlBuilder.Append("</td>")

            if ($appendWebInterfaceLink)
            {
                $htmlBuilder.AppendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$manager.Get("objectGUID"))
            }
            $htmlBuilder.Append("</tr>")
        }
    }

    $htmlBuilder.Append("</table>")
    $htmlBuilder.AppendFormat("Total: {0} managers", $disabledManagers.Count.ToString())
    $htmlBuilder.Append("</body></html>")

    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}
finally
{
    # $searchResult is unset if ExecuteSearch() failed
    if ($null -ne $searchResult) { $searchResult.Dispose() }
}
0

Hello,

I've implemented this script on our system and have added the additional code so it doesn't show direct reports which are disabled.

Is there a way to ensure that disabled manager accounts are not reported on if all direct reports are disabled?

Thanks
Danny

0

Hello Danny,

Here you are.

$to = "recipient@domain.com" # TODO: modify me

function GetObjectDisplayName($objectDN)
{
    $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath" -ArgumentList @($null, $objectDN)
    return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($objectPath, "IncludeParentPath")
}

function SearchObjects($baseObjectPath, $filter, $propertiesToLoad)
{
    $searcher = $Context.BindToObject($baseObjectPath)
    $searcher.PageSize = 500
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchFilter = $filter
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad($propertiesToLoad)

    $result = @{}
    try
    {
        $searchResult = $searcher.ExecuteSearch()
        $objects = $searchResult.FetchAll()

        foreach ($objectID in $objects)
        {
            $properties = @{}
            foreach ($propertyName in $propertiesToLoad)
            {
                if ($propertyName -eq "directReports")
                {
                    $values = @()
                    foreach ($value in $objectID.Properties[$propertyName].Values)
                    {
                        $values += $value
                    }
                    $properties.Add($propertyName, $values) | Out-Null
                }
                else
                {
                    $properties.Add($propertyName, $objectID.Properties[$propertyName].Value) | Out-Null
                }

            }
            $result.Add($objectID.AdsPath, $properties)
        }
        return $result
    }
    finally
    {
        # $searchResult is unset if ExecuteSearch() failed
        if ($null -ne $searchResult) { $searchResult.Dispose() }
    }
}

# Get the default Web Interface address
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
$appendWebInterFaceLink = $True
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $appendWebInterFaceLink = $False
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

$htmlBuilder = New-Object "System.Text.StringBuilder"
$htmlBuilder.Append("<html><head>")
$htmlBuilder.Append("<meta http-equiv=""Content-Type""`
   content=""text/html; charset=UTF-8""></head>")
$htmlBuilder.Append("<body>")
$htmlBuilder.Append("<p>Disabled Managers</p>")
$htmlBuilder.Append("<table width=""100%%"" border=""1"">")
$htmlBuilder.Append("<tr>")
$htmlBuilder.Append("<th>Full Name</th><th>Username</th>
   <th>Parent</th><th>Enabled Direct Reports</th>")
if ($appendWebInterfaceLink)
{
    $htmlBuilder.Append("<th>Link</th>")
}

$htmlBuilder.Append("</tr>")

# Find disabled managers with direct reports
$managerFilter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(directReports=*))"
$propertiesToLoad = @("directReports", "distinguishedName", "name", "sAMAccountName", "objectGUID")
$disabledManagers = SearchObjects $Context.TargetObject.AdsPath $managerFilter $propertiesToLoad
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$totalManagerCount = 0
foreach ($managerPath in $disabledManagers.Keys)
{
    # Get direct reports

    # Build filter
    $managerProperties = $disabledManagers[$managerPath]
    $filter = New-Object "System.Text.StringBuilder"
    $filter.Append("(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|")
    foreach ($directReportDN in $managerProperties["directReports"])
    {
        $filter.Append([Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $directReportDN)) | Out-Null
    }
    $filter.Append("))")

    # Search enabled direct reports
    $directReports = SearchObjects "Adaxes://$domainName/rootDSE" $filter.ToString() @("name", "sAMAccountName")
    if ($directReports.Count -eq 0)
    {
        continue # Skip manager if all direct reports are disabled
    }

    # Add manager info to the report
    $managerDN = New-Object "Softerra.Adaxes.Ldap.DN" $managerProperties["distinguishedName"]
    $parentDisplayName = GetObjectDisplayName($managerDN.Parent.ToString())
    $htmlBuilder.Append("<tr>")
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["name"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $managerProperties["sAMAccountName"])
    $htmlBuilder.AppendFormat("<td>{0}</td>", $parentDisplayName)

    # Add direct reports to the report
    $htmlBuilder.Append("<td>")
    foreach ($directReportPath in $directReports.Keys)
    {
        $directReportProperties = $directReports[$directReportPath]
        $htmlBuilder.AppendFormat("{0} ({1})<br />", $directReportProperties["name"], $directReportProperties["sAMAccountName"])
    }
    $htmlBuilder.Append("</td>")

    if ($appendWebInterfaceLink)
    {
        $htmlBuilder.AppendFormat("<td><a href='$webInterfaceAddress`ViewObject.aspx?guid={0}'>View</a></td>", [Guid]$managerProperties["objectGUID"])
    }
    $htmlBuilder.Append("</tr>")
    $totalManagerCount++
}

$htmlBuilder.Append("</table>")
$htmlBuilder.AppendFormat("Total: {0} managers", $totalManagerCount)
$htmlBuilder.Append("</body></html>")

if ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}
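
Added example, not part of the original thread and not Adaxes' own code: the selection logic of the script above (disabled manager with at least one enabled direct report) run over constructed in-memory records, with every directory value HTML-encoded before it is written into the report row. The record layout and the function names Test-Disabled, HtmlEnc and Get-DisabledManagerRows are assumptions made for illustration.

```powershell
# Constructed sample records standing in for directory search results (not real data).
$ACCOUNTDISABLE = 0x2  # userAccountControl bit matched by (userAccountControl:1.2.840.113556.1.4.803:=2)

$users = @(
    [pscustomobject]@{ dn = 'CN=Lead,DC=example,DC=com'; name = 'R&D <b>Lead</b>'; sam = 'lead'; uac = 514
                       reports = @('CN=Bob,DC=example,DC=com', 'CN=Cy,DC=example,DC=com') }
    [pscustomobject]@{ dn = 'CN=Bob,DC=example,DC=com'; name = 'Bob'; sam = 'bob'; uac = 512; reports = @() }
    [pscustomobject]@{ dn = 'CN=Cy,DC=example,DC=com'; name = 'Cy'; sam = 'cy'; uac = 514; reports = @() }
    # Disabled manager whose only direct report is also disabled: must be skipped
    [pscustomobject]@{ dn = 'CN=Old,DC=example,DC=com'; name = 'Old Manager'; sam = 'old'; uac = 66050
                       reports = @('CN=Cy,DC=example,DC=com') }
    # Enabled manager: must not match at all
    [pscustomobject]@{ dn = 'CN=Eve,DC=example,DC=com'; name = 'Eve'; sam = 'eve'; uac = 512
                       reports = @('CN=Dan,DC=example,DC=com') }
    [pscustomobject]@{ dn = 'CN=Dan,DC=example,DC=com'; name = 'Dan'; sam = 'dan'; uac = 512; reports = @() }
)

function Test-Disabled($user)
{
    # Same bitwise AND test the LDAP matching rule performs on the server
    return ($user.uac -band $ACCOUNTDISABLE) -ne 0
}

function HtmlEnc($value)
{
    # Attribute values are data, not markup: encode before placing them in HTML
    return [System.Net.WebUtility]::HtmlEncode([string]$value)
}

function Get-DisabledManagerRows($users)
{
    $byDn = @{}
    foreach ($u in $users) { $byDn[$u.dn] = $u }

    $rows = New-Object 'System.Collections.Generic.List[string]'
    foreach ($m in $users)
    {
        if (-not (Test-Disabled $m) -or $m.reports.Count -eq 0) { continue }

        # Keep only direct reports that resolve and are still enabled
        $enabled = @($m.reports | ForEach-Object { $byDn[$_] } |
            Where-Object { $_ -and -not (Test-Disabled $_) })
        if ($enabled.Count -eq 0) { continue }  # all direct reports disabled

        $cell = ($enabled | ForEach-Object {
            '{0} ({1})' -f (HtmlEnc $_.name), (HtmlEnc $_.sam) }) -join '<br />'
        $rows.Add(('<tr><td>{0}</td><td>{1}</td><td>{2}</td></tr>' -f
            (HtmlEnc $m.name), (HtmlEnc $m.sam), $cell))
    }
    return $rows
}

Get-DisabledManagerRows $users
```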
0

Perfect thank you for the excellent support.

I made a single change to the last line which stops the email if the manager count is 0.

If ($totalManagerCount -ne 0)
{
    $Context.SendMail($to, "[AD Report] Disabled Managers", $NULL, $htmlBuilder.ToString())
}
0

Danny,

That's a good catch! Thank you for the update and for your good words. We really appreciate that.

0

Thanks for your assistance. It took me a little while to figure out why it still wasn't working but I hadn't changed the scheduled task from DomainDNS to OrganisationUnit :lol:

Thanks again!
