We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Recently deleted users with initiator

March 16, 2023 Views: 395

The script generates a report of recently deleted users with initiator. If a user was deleted outside of Adaxes, the initiator column will be empty. For information on creating reports, see the Create Report tutorial.

Parameters:

  • $whenDeletedColumnID - Specifies the identifier of the custom column that will contain the date when a user was deleted. The column should be of the Date/Time type.
  • $initiatorColumnID - Specifies the identifier of the custom column that will contain the user who deleted the corresponding account. The column should be of the Directory object type.
  • $daysParameterName - Specifies the name of the parameter used to determine the period (in days) to retrieve deleted users for. The name should be specified with the param- prefix.
Edit Remove
PowerShell
# Custom column identifiers
$whenDeletedColumnID = "{a7c2abeb-311c-43d4-98b9-3a7db544f3af}" # TODO: modify me
$initiatorColumnID = "{c0fc451b-a2e6-4a38-9237-5baa7acf8f6d}" # TODO: modify me
$daysParameterName = "param-Days" # TODO: modify me

# Get parameter values
$days = $Context.GetParameterValue($daysParameterName)

$endDate = Get-Date

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdGeneralizedTime =
    [Softerra.Adaxes.Utils.Transform]::ToGeneralizedTime($threshold.ToUniversalTime())

$filterIsDeleted = "(isDeleted=TRUE)"
$filterDeletedAfter = "(whenChanged>=$thresholdGeneralizedTime)"
$filter = "(&" + "(&(objectClass=user)(!(objectClass=computer))(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))" + $filterDeletedAfter + $filterIsDeleted + ")"

# Append the search filter
$Context.DirectorySearcher.AppendFilter($filter)

# Search in deleted objects
$Context.DirectorySearcher.Tombstone = $True

# Add properties necessary to restore objects
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("msDS-LastKnownRDN")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("lastKnownParent")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("whenChanged")

# Generate the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        
        # Get Modification Log for the object
        $obj = $Context.BindToObjectBySearchResult($searchResult)
        $modificationLog = $obj.GetModificationLog()
        $modificationLog.StartDateTime = $threshold
        $modificationLog.EndDateTime = $endDate
        $log = $modificationLog.Log
        $records = $log.GetPage(0)
        
        # Add log records to the report
        $noRecords = $True
        foreach ($record in $records)
        {
            if ($Context.Items.Aborted)
            {
                return
            }
            
            $operationTypes = $record.GetOperationTypes()
            if ($operationTypes -notcontains "delete")
            {
                continue
            }
            
            $clonedSearchResult = $searchResult.Clone($False)
            $Context.Items.Add($clonedSearchResult, @{ $initiatorColumnID = $record.Initiator.AdsPath; $whenDeletedColumnID = $record.CompletionTime }, $NULL )
        }
    }
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}
Comments 0
Leave a comment
Loading...

Got questions?

Support Questions & Answers