
Recently deleted users with initiator

March 16, 2023

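The script generates a report of recently deleted users together with the initiator, that is, the user who deleted each account. The initiator is read from the Adaxes modification log, so if a user was deleted outside of Adaxes, the initiator column will be empty. For information on creating reports, see the Create Report tutorial.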

Parameters:

  • $whenDeletedColumnID - Specifies the identifier of the custom column that will contain the date when a user was deleted. The column should be of the Date/Time type.
  • $initiatorColumnID - Specifies the identifier of the custom column that will contain the user who deleted the corresponding account. The column should be of the Directory object type.
  • $daysParameterName - Specifies the name of the parameter used to determine the period (in days) to retrieve deleted users for. The name should be specified with the param- prefix.
PowerShell
# Custom column identifiers
$whenDeletedColumnID = "{a7c2abeb-311c-43d4-98b9-3a7db544f3af}" # TODO: modify me
$initiatorColumnID = "{c0fc451b-a2e6-4a38-9237-5baa7acf8f6d}" # TODO: modify me
$daysParameterName = "param-Days" # TODO: modify me

# Get parameter values
$days = $Context.GetParameterValue($daysParameterName)

$endDate = Get-Date

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdGeneralizedTime =
    [Softerra.Adaxes.Utils.Transform]::ToGeneralizedTime($threshold.ToUniversalTime())

$filterIsDeleted = "(isDeleted=TRUE)"
$filterDeletedAfter = "(whenChanged>=$thresholdGeneralizedTime)"
$filter = "(&" + "(&(objectClass=user)(!(objectClass=computer))(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))" + $filterDeletedAfter + $filterIsDeleted + ")"

# Append the search filter
$Context.DirectorySearcher.AppendFilter($filter)

# Search in deleted objects
$Context.DirectorySearcher.Tombstone = $True

# Add properties necessary to restore objects
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("msDS-LastKnownRDN")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("lastKnownParent")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("whenChanged")

# Generate the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        
        # Get Modification Log for the object
        $obj = $Context.BindToObjectBySearchResult($searchResult)
        $modificationLog = $obj.GetModificationLog()
        $modificationLog.StartDateTime = $threshold
        $modificationLog.EndDateTime = $endDate
        $log = $modificationLog.Log
        $records = $log.GetPage(0)
        
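        # Add log records to the report
        $noRecords = $True
        foreach ($record in $records)
        {
            if ($Context.Items.Aborted)
            {
                return
            }
            
            # Only delete operations are of interest
            $operationTypes = $record.GetOperationTypes()
            if ($operationTypes -notcontains "delete")
            {
                continue
            }
            
            $noRecords = $False
            $clonedSearchResult = $searchResult.Clone($False)
            $Context.Items.Add($clonedSearchResult, @{ $initiatorColumnID = $record.Initiator.AdsPath; $whenDeletedColumnID = $record.CompletionTime }, $NULL )
        }
        
        # No delete record in the Adaxes log: the user was deleted outside of Adaxes.
        # Add the user with an empty initiator; whenChanged (the attribute the search
        # filter uses) serves as the deletion date.
        if ($noRecords)
        {
            $Context.Items.Add($searchResult, @{ $whenDeletedColumnID = $searchResult.Properties["whenChanged"].Value }, $NULL)
        }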
    }
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}
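
The report leaves the initiator empty for users deleted outside of Adaxes. The following added example (not part of the original script) goes beyond it and shows one way to recover that initiator from Windows Security event 4726 ("A user account was deleted"), joining on the SID that a deleted user object retains. It assumes account management auditing is enabled on the domain controllers; `Get-DeletionInitiator` is a hypothetical helper and all sample values are constructed.

```powershell
# Added example, not part of the Adaxes script. All sample values are constructed.
function Get-DeletionInitiator {
    # Maps the XML of Security event 4726 to a table keyed by the deleted
    # account's SID: who deleted it, when, and which DC logged the event.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $bySid = @{}
    foreach ($text in $EventXml) {
        $evt = ([xml]$text).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['TargetSid']) { continue }   # not a well-formed 4726 event
        $bySid[$data['TargetSid']] = [pscustomobject]@{
            Initiator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Time      = $evt.System.TimeCreated.SystemTime
            DC        = $evt.System.Computer
        }
    }
    $bySid
}

# Constructed sample event. Live input would be collected from every domain
# controller, because the event is logged only on the DC that processed the deletion:
#   Get-WinEvent -ComputerName <dc> -FilterHashtable @{LogName='Security'; Id=4726; StartTime=$threshold} |
#       ForEach-Object { $_.ToXml() }
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4726</EventID><TimeCreated SystemTime="2023-03-10T08:15:00Z"/><Computer>dc01.example.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

# Constructed report rows whose initiator column is empty (SID taken from objectSid).
$deletedUsers = @(
    [pscustomobject]@{ Name = 'jdoe';   Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'asmith'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1106' }
)

# Join on SID; a user with no matching event keeps an empty initiator.
$initiators = Get-DeletionInitiator -EventXml $sampleEvent
$deletedUsers | Select-Object Name,
    @{ n = 'Initiator'; e = { $initiators[$_.Sid].Initiator } },
    @{ n = 'LoggedOn';  e = { $initiators[$_.Sid].DC } }
```

A row that still has no initiator after this join means the event has aged out of the Security log or auditing was not enabled on the domain controller that handled the deletion.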