0 votes

I'd like to be able to either send an email report or export a CSV of all of the business rules carried out when a user is disabled. This would be useful for audit/compliance. We would be able to provide evidence that a user was disabled, removed from security groups etc.

I can view the activity in the Logging > Management Activity section but this includes things that weren't part of the disable operation.

Thanks

by (1.3k points)
0

Hello,

This can be done using a Scheduled Task and a PowerShell script. The task will email a report containing the full execution log (names of Business Rules that were triggered and all the actions performed) of the disable operation performed for the user. To avoid duplicate notifications, the task will set a custom Boolean attribute (e.g. CustomAttributeBoolean1) to true for processed users. The execution log can be embedded into the email message body or attached as a text file. Unfortunately, there is no possibility to use a CSV file. Please specify which option meets your needs and we will provide you with detailed instructions. Any additional details regarding the desired report will be much appreciated.

0

Thanks for the reply!

An execution log attached as a text file would be useful, as we could then store that elsewhere.

How would I accomplish this?

0

Hello,

Thank you for the confirmation. For us to provide you with the script and detailed instructions, please, specify the following:

  • What should be done if a log record for disabling a user is not found (e.g. when the user was disabled without using Adaxes)?
  • What should be done if multiple log records for disabling a user are found (i.e. when a user was disabled using Adaxes multiple times)?
  • What should be done if there were no Business Rules triggered when disabling a user?
0

  • What should be done if a log record for disabling a user is not found (e.g. when the user was disabled without using Adaxes)?

Send an email saying "User was disabled but no log was found."

  • What should be done if multiple log records for disabling a user are found (i.e. when a user was disabled using Adaxes multiple times)?

Is it possible to send a separate email for each log record?

  • What should be done if there were no Business Rules triggered when disabling a user?

Send an email saying "User was disabled by Adaxes at timestamp", but don't include the attachment.

0

Hello,

Is it possible to send a separate email for each log record?

Yes, it is possible. Do we understand correctly that a separate email should be sent for each log record each time the task runs for a user? In such cases, you will receive similar notifications multiple times. For example, if a user was disabled twice, you will receive two notifications when the task runs for the user. If the user gets enabled and then disabled again, the next time the task runs for them you will receive 3 notifications, and two of them will be exactly the same as those sent during the previous task execution. Does this meet your needs? Or maybe there should be some limit for such cases (e.g. only send the notification for the latest disable operation)?

0

Or maybe there should be some limit for such cases (e.g. only send the notification for the latest disable operation)?

This sounds like a good idea.

An email for only the latest disable operation would meet our needs, as that is the most relevant.

Thanks!

1 Answer

0 votes
by (194k points)

Hello,

Thank you for the confirmation. To create the Scheduled Task:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Scheduled Task.
  4. On step 3 of the Create Scheduled Task wizard, select the User object type and click Next.
  5. Click Add an action.
  6. Select Run a program or PowerShell script.
  7. Paste the below script into the script field. In the script:
    • $filePath - Specifies the path to the text file that will be created.
    • $removeFile - Specifies whether the text file should be removed after being emailed.
    • $to - Specifies the email address of the notification recipient.
    • $subject - Specifies the email notification subject.
    • $defaultMessage - Specifies the text of the email notification that will be sent when a log record for disabling the user with a non-empty execution log is found.
    • $messageNoLogFound - Specifies the text of the email notification that will be sent when no log records are found for disabling a user.
    • $messageNoExecutionLog - Specifies the text of the email notification that will be sent when the log record for disabling a user has an empty execution log. In the text, the {0} placeholder will be replaced with the date when the user was disabled.
    • $from - Specifies the email address from which notifications will be sent.
    • $smtpServer - Specifies the SMTP server that will be used to send email notifications.

# File settings
$filePath = "C:\Scripts\MyFile.txt" # TODO: modify me
$removeFile = $True # TODO: modify me

# E-mail settings
$to = "recipient@domain.com" # TODO: modify me
$subject = "Disabled user %fullname%" # TODO: modify me
$defaultMessage = "Disabled user %fullname%" # TODO: modify me
$messageNoLogFound = "User %fullname% was disabled but no log was found." # TODO: modify me
$messageNoExecutionLog = "User %fullname% was disabled by Adaxes at {0}" # TODO: modify me
$from = "noreply@domain.com" # TODO: modify me
$smtpServer = "mail.domain.com" # TODO: modify me

function GetExecutionLog ($logEntryCollection, $executionLog, $tabbing)
{
    $tabbing++
    foreach ($logEntry in $logEntryCollection)
    {
        # Get operation info
        $type = $logEntry.Type
        $message = $logEntry.Message
        $source = $logEntry.Source

        # Build report record
        $messageBuilder = "".PadLeft(4 * ($tabbing - 1))
        if (-not([System.String]::IsNullOrEmpty($source)))
        {
            # Add source to the message
            $messageBuilder += "$source`: "
        }
        $messageBuilder += "$type - $message"
        $messageBuilder = $messageBuilder -replace "`t|`n|`r",""

        # Add message to report
        [void]$executionLog.AppendLine($messageBuilder)

        # Add subentries, if any
        $subEntries = $logEntry.SubEntries
        if ($subEntries.Count -ne 0)
        {
            GetExecutionLog $subEntries $executionLog $tabbing
        }
    }
}

# Get modification log records
$modificationLog = $Context.TargetObject.GetModificationLog()
$log = $modificationLog.Log

# Get the current page of log records
$logRecords = $log.GetPage(0)

# Get information contained in each record
$executionLog = New-Object System.Text.StringBuilder
foreach ($record in $logRecords)
{
    $operationTypes = $record.GetOperationTypes()
    if ($operationTypes -notcontains "disable account")
    {
        continue
    }

    # Get execution log
    GetExecutionLog $record.GetExecutionLog() $executionLog 0
    $completionTime = $record.CompletionTime
    break
}

$parameters = @{
    "To" = $to
    "From" = $from
    "SmtpServer" = $smtpServer
    "Subject" = $subject
}

if ($NULL -eq $completionTime)
{
    $parameters.Add("Body", $messageNoLogFound)
}
elseif ($executionLog.Length -eq 0)
{
    $parameters.Add("Body", [System.String]::Format($messageNoExecutionLog, @($completionTime)))
}
else
{
    $executionLog.ToString() | Out-File $filePath
    $parameters.Add("Body", $defaultMessage)
    $parameters.Add("Attachments", $filePath)
}

# Send report
Send-MailMessage @parameters

if ($removeFile)
{
    # Remove temporary file
    Remove-Item $filePath -Force -ErrorAction SilentlyContinue
}

  8. Enter a short description and click OK.
  9. Right-click the action you created and click Add New Action.
  10. Select Update the user and click Add.
  11. In the Property to modify drop-down, select CustomAttributeBoolean1.
  12. In the New value drop-down, select True.
  13. Click OK twice.
  14. Right-click the action you created and click Add Condition.
  15. Select If <property> <relation> <value>.
  16. Select If CustomAttributeBoolean1 does not equal True and click OK.
  17. Right-click the action you created and click Add Condition again.
  18. Select If account is enabled / disabled / locked.
  19. Select disabled and click OK.
  20. Click Next and finish creating the Scheduled Task.
0

This is great, thanks!
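The answer's script can only be exercised inside a running Adaxes task, which makes the three branches (no disable record, a record with an empty execution log, a full log) hard to check before the task goes live. The block below is an added example, not code from the Adaxes answer or from the Adaxes SDK: it rebuilds the same selection and report logic over constructed, in-memory log records that mimic only the members the answer's script touches (GetOperationTypes, CompletionTime, GetExecutionLog, Type, Message, Source, SubEntries), and it adds one thing a compliance reviewer usually wants: the SHA-256 of the attached text file goes into the message body, so the copy stored elsewhere can later be matched to the email that delivered it. All record objects, user names and group DNs are constructed sample data.

```powershell
# Added example; stand-ins below are NOT the Adaxes API, they only mimic the members the
# answer's script reads so the report logic can be checked without an Adaxes service.

function New-LogEntry ([string]$Type, [string]$Message, [string]$Source, $SubEntries = @()) {
    [pscustomobject]@{ Type = $Type; Message = $Message; Source = $Source; SubEntries = @($SubEntries) }
}

function New-LogRecord ([string[]]$OperationTypes, [datetime]$CompletionTime, $Entries = @()) {
    $record = [pscustomobject]@{
        OperationTypes = $OperationTypes; CompletionTime = $CompletionTime; Entries = @($Entries)
    }
    $record | Add-Member -MemberType ScriptMethod -Name GetOperationTypes -Value { $this.OperationTypes } -PassThru |
              Add-Member -MemberType ScriptMethod -Name GetExecutionLog  -Value { $this.Entries } -PassThru
}

# Flatten nested execution-log entries into indented report lines (4 spaces per level).
function ConvertTo-ReportLines ($Entries, [int]$Depth = 0) {
    foreach ($entry in $Entries) {
        $prefix = ' ' * (4 * $Depth)
        $source = if ([string]::IsNullOrEmpty($entry.Source)) { '' } else { "$($entry.Source): " }
        # Collapse tabs and line breaks so every entry stays on a single line
        "$prefix$source$($entry.Type) - $($entry.Message)" -replace "`t|`n|`r", ''
        if ($entry.SubEntries.Count -ne 0) {
            ConvertTo-ReportLines $entry.SubEntries ($Depth + 1)
        }
    }
}

# Records are assumed newest-first (as in the answer's script), so the first match is the latest disable.
function Get-LatestDisableRecord ($Records) {
    foreach ($record in $Records) {
        if ($record.GetOperationTypes() -contains 'disable account') { return $record }
    }
    return $null
}

# Builds the email body and (optionally) the attachment, mirroring the answer's three branches.
function New-DisableReport ($Records, [string]$UserName, [string]$FilePath) {
    $record = Get-LatestDisableRecord $Records
    if ($null -eq $record) {
        return [pscustomobject]@{ Outcome = 'NoLogFound'; Body = "User $UserName was disabled but no log was found."; Attachment = $null; Sha256 = $null }
    }
    $lines = @(ConvertTo-ReportLines $record.GetExecutionLog())
    if ($lines.Count -eq 0) {
        return [pscustomobject]@{ Outcome = 'NoExecutionLog'; Body = ('User {0} was disabled by Adaxes at {1}' -f $UserName, $record.CompletionTime); Attachment = $null; Sha256 = $null }
    }
    # UTF-8 keeps the evidence file readable by any tool (Windows PowerShell's Out-File default is UTF-16)
    $lines | Out-File -FilePath $FilePath -Encoding utf8
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    return [pscustomobject]@{
        Outcome    = 'Report'
        Body       = "Disabled user $UserName. Attachment SHA-256: $hash"
        Attachment = $FilePath
        Sha256     = $hash
    }
}

# --- constructed sample data, not real Adaxes output ---
$fullLog = @(
    New-LogEntry 'Information' 'Business rule "After disabling a user" triggered' '' @(
        New-LogEntry 'Information' 'Removed from group CN=VPN Users,OU=Groups,DC=example,DC=com' 'Business Rule'
        New-LogEntry 'Error'       'Mailbox could not be hidden from address lists' 'Business Rule'
    )
)
$scenarios = @{
    NoLogFound     = @( New-LogRecord @('modify')          ([datetime]'2021-03-01T09:00:00') )
    NoExecutionLog = @( New-LogRecord @('disable account') ([datetime]'2021-03-02T10:15:00') )
    Report         = @(
        New-LogRecord @('disable account') ([datetime]'2021-03-04T08:30:00') $fullLog   # latest, reported
        New-LogRecord @('enable account')  ([datetime]'2021-03-03T12:00:00')
        New-LogRecord @('disable account') ([datetime]'2021-03-02T10:15:00')            # older, ignored
    )
}

$filePath = Join-Path $env:TEMP 'disable-report.txt'
foreach ($name in $scenarios.Keys) {
    $report = New-DisableReport $scenarios[$name] 'jdoe' $filePath
    '{0,-16} -> {1}: {2}' -f $name, $report.Outcome, $report.Body
    if ($report.Attachment) { Get-Content $report.Attachment | ForEach-Object { "    $_" } }
}
# To send for real, build the same hashtable the answer's script uses:
#   $params = @{ To = $to; From = $from; SmtpServer = $smtpServer; Subject = $subject; Body = $report.Body }
#   if ($report.Attachment) { $params.Attachments = $report.Attachment }
#   Send-MailMessage @params
Remove-Item $filePath -Force -ErrorAction SilentlyContinue
```

Two caveats follow from the thread itself rather than from this code. First, the modification log is only Adaxes's own record: an account disabled directly in AD produces no "disable account" record, so the "no log was found" email is a prompt to reconcile against domain controller audit logs, not evidence that nothing happened. Second, the task marks processed users by setting CustomAttributeBoolean1 to True and only runs for users where it is not True, so an account that is re-enabled and disabled again is not reported a second time unless something (for example a Business Rule on enabling the account) clears that attribute.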
