Script Repository


Users enrolled under currently not effective policy

January 29, 2018

The script generates and emails a report that lists users who are enrolled under a Password Self-Service Policy that is not currently effective, as well as users who are not enrolled.

Note: To schedule the report, create a Scheduled Task configured for the Domain-DNS object type that runs the script and assign it over any of your AD domains. To add the script to a Scheduled Task, use the Run a program or PowerShell script action.

PARAMETERS:

  • $to - specifies a comma separated list of recipients of the report;
  • $subject - specifies the email message subject;
  • $reportHeader - specifies the email message header. In the header, the {0} placeholder will be replaced with the date when the report was generated;
  • $reportFooter - specifies the email message footer.
PowerShell
# Report settings.
# $reportHeader and $reportFooter are HTML fragments that are appended to the
# message body as-is, so they should only ever contain markup you control.
$to = 'recipient@domain.com' # TODO: modify me
$subject = 'Users Enrolled Under Currently Not Effective Policy and Not Enrolled Users' # TODO: modify me
# The {0} placeholder is replaced with the date when the report was generated.
$reportHeader = '<b>Users Enrolled Under Currently Not Effective Policy and Not Enrolled Users. Report generated on: {0} </b><br/><br/>' # TODO: modify me
$reportFooter = '<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>' # TODO: modify me

# Bind to the container that holds Password Self-Service statistics
$statisticsPath = $Context.GetWellKnownContainerPath("PasswordSelfServiceStatistics")
$statistics = $Context.BindToObject($statisticsPath)

# Drop the cached Enrollment Report so that a fresh one is generated
$enrollmentReportType = "ADM_PSSREPORTTYPE_ENROLLMENT"
$statistics.ResetReportCache($enrollmentReportType)

# Error code treated as "report is still being generated"
# (0x80070015, the HRESULT form of ERROR_NOT_READY).
$reportNotReadyCode = -2147024875

# Poll every 5 seconds until the report can be retrieved.
# NOTE(review): the wait has no upper bound of its own; it ends only when
# GetReport succeeds or fails with a different error.
while ($True)
{
    try
    {
        $report = $statistics.GetReport($enrollmentReportType)
        break
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        if ($_.Exception.ErrorCode -ne $reportNotReadyCode)
        {
            # Any other COM failure is logged and the script stops without sending a report
            $Context.LogMessage($_.Exception.Message, "Error")
            return
        }

        # Report is being generated. Wait 5 seconds
        Start-Sleep -Seconds 5
    }
}

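function ConvertTo-HtmlEncodedText
{
    # Escapes HTML metacharacters (<, >, &, quotes) so that a value read from the
    # directory is rendered as plain text in the e-mail instead of as markup.
    # A $NULL value becomes an empty string.
    param([string]$Text)

    return [System.Net.WebUtility]::HtmlEncode($Text)
}

# Add the date when the report was generated
$reportHeader = $reportHeader -f $report.GenerateDate

# Build report records. Rows are collected separately for users enrolled under a
# policy other than their effective one and for users who are not enrolled.
$records = $report.Records
$enrolledAccounts = New-Object "System.Text.StringBuilder"
$notEnrolledAccounts = New-Object "System.Text.StringBuilder"

for ($i = 0; $i -lt $records.Count; $i++)
{
    $record = $records.GetRecord($i)
    
    # Get user info (the values are returned through the [ref] arguments)
    $userPath = $NULL
    $userDisplayName = $NULL
    $userParentCanonicalName = $NULL
    $userAccountIsEnabled = $NULL
    $userIsEnrolled = $NULL
    $userAccountIsExpired = $NULL
    $userInfo = $record.GetUserInfo([ref]$userPath, [ref]$userDisplayName, [ref]$userParentCanonicalName, 
        [ref]$userAccountIsEnabled, [ref]$userIsEnrolled, [ref]$userAccountIsExpired)

    # The event date is read here but is not included in the rows built below
    $eventDate = $record.EventDate
    if ($eventDate -eq [DateTime]::MinValue)
    {
        $eventDate = $NULL
    }
    
    # Get enrollment policy information
    $policyPath = $NULL
    $policyName = $NULL
    $record.GetEnrollmentPolicyInfo([ref]$policyPath, [ref]$policyName)
    
    # Get effective policy information
    $effectivePolicyPath = $NULL
    $effectivePolicyName = $NULL
    $record.GetEffectivePolicyInfo([ref]$effectivePolicyPath, [ref]$effectivePolicyName)

    # Display names, container names and policy names come from directory objects,
    # so they are HTML-encoded before being placed into table cells. Otherwise a
    # value containing markup would be interpreted by the recipient's mail client.
    $userCell = ConvertTo-HtmlEncodedText "$userDisplayName ($userParentCanonicalName)"
    $effectivePolicyCell = ConvertTo-HtmlEncodedText $effectivePolicyName
    $enrollmentPolicyCell = ConvertTo-HtmlEncodedText $policyName

    if ($userIsEnrolled -and 
        ($policyPath -ne $effectivePolicyPath))
    {
        # Enrolled, but under a policy that differs from the effective one
        [void]$enrolledAccounts.Append("<tr>")
        [void]$enrolledAccounts.Append("<td>$userCell</td>")
        [void]$enrolledAccounts.Append("<td>$effectivePolicyCell</td>")
        [void]$enrolledAccounts.Append("<td>$enrollmentPolicyCell</td>")
        [void]$enrolledAccounts.Append("</tr>")
    }
    elseif (-not($userIsEnrolled) -and 
        -not([System.String]::IsNullOrEmpty($effectivePolicyName)))
    {
        # Not enrolled although an effective policy name was returned for the user
        [void]$notEnrolledAccounts.Append("<tr>")
        [void]$notEnrolledAccounts.Append("<td>$userCell</td>")
        [void]$notEnrolledAccounts.Append("<td>$effectivePolicyCell </td>")
        [void]$notEnrolledAccounts.Append("<td>Not Enrolled</td>")
        [void]$notEnrolledAccounts.Append("</tr>")
    }
}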

# Build the HTML body: header, then either the table of users or a placeholder, then footer.
# The header and footer are appended as raw HTML fragments.
$tableRows = $enrolledAccounts.ToString() + $notEnrolledAccounts.ToString()

$body = New-Object "System.Text.StringBuilder"
[void]$body.Append($reportHeader)
if ($tableRows.Length -gt 0)
{
    # Table opening and column headings
    $tableOpening = "<table border='1'>", "<tr>", "<th>Name</th>", "<th>Effective Policy</th>", "<th>Enrollment Policy</th>", "</tr>"
    foreach ($fragment in $tableOpening)
    {
        [void]$body.Append($fragment)
    }

    # Rows for enrolled users come first, followed by rows for not enrolled users
    [void]$body.Append($tableRows)
    [void]$body.Append("</table>")
}
else
{
    [void]$body.Append("<b>No users found</b>")
}
[void]$body.Append($reportFooter)

# Send the report; the third argument is passed as $NULL and the HTML goes in the fourth
$Context.SendMail($to, $subject, $NULL, $body.ToString())

