

Users who can reset passwords for themselves

June 07, 2017

The script creates and emails a list of users who can reset passwords for themselves. The list includes users who are enrolled for Password Self-Service or fall under a policy that does not require enrollment.

To schedule the report, create a Scheduled Task configured for the Domain-DNS object type.

Parameters:

  • $to - specifies a comma-separated list of recipients of the report;
  • $subject - specifies the email message subject;
  • $reportHeader - specifies the email message header;
  • $reportFooter - specifies the email message footer.
# Report settings. Single-quoted so the strings are taken literally; the
# "{0}" placeholder in the header is filled with the generation date later.
$to = 'recipient@example.com' # TODO: modify me
$subject = 'Users who can reset passwords for themselves' # TODO: modify me
$reportHeader = '<b>Users who can reset passwords for themselves. Report generated on: {0} </b><br/><br/>' # TODO: modify me
$reportFooter = '<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>' # TODO: modify me

function SearchObjects($filter, $properties)
{
    # Runs a paged subtree search over the whole directory (VirtualRoot) and
    # returns all matches as one array.
    #   $filter     - LDAP filter string; it is used verbatim, so only trusted
    #                 or properly escaped values may be interpolated into it
    #   $properties - array of attribute names to load for every result
    $directorySearcher = $Context.BindToObject("Adaxes://rootDSE")
    $directorySearcher.SearchFilter = $filter
    $directorySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $directorySearcher.PageSize = 500
    $directorySearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $directorySearcher.SetPropertiesToLoad($properties)
    $directorySearcher.VirtualRoot = $True

    $resultIterator = $NULL
    try
    {
        $resultIterator = $directorySearcher.ExecuteSearch()
        $allResults = $resultIterator.FetchAll()
        # The leading comma keeps a single result from being unrolled into a scalar
        return ,$allResults
    }
    finally
    {
        # Release the resources held by the iterator even when the search fails
        if ($NULL -ne $resultIterator) { $resultIterator.Dispose() }
    }
}

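function UpdatePolicyInfos($policyDN, $listItem, $policyInfos, $enrolled)
{
    # Records $listItem under the Password Self-Service policy $policyDN when
    # the user it describes is able to reset the password.
    #   $policyDN    - distinguished name of the policy
    #   $listItem    - HTML list item for the user
    #   $policyInfos - hashtable keyed by policy DN; filled lazily with the
    #                  policy name, its enrollment settings and a StringBuilder
    #                  of list items, so each policy is bound only once
    #   $enrolled    - $True when the user is enrolled for that policy
    if (-not($policyInfos.ContainsKey($policyDN)))
    {
        $policy = $Context.BindToObjectByDN($policyDN)
        $policyInfos.Add($policyDN, @{
            "ListItems" = New-Object "System.Text.StringBuilder"
            "QuestionsAndAnswersEnabled" = $policy.QuestionsAndAnswersEnabled
            "SmsVerificationEnabled" = $policy.SmsVerificationEnabled
            "PolicyName" = $policy.Get("name")
        })
    }

    $policyInfo = $policyInfos[$policyDN]

    # An enrolled user can always reset the password. A user who is not
    # enrolled can do so only when the policy relies on SMS verification alone
    # (no security questions), i.e. enrollment is not required.
    $noEnrollmentRequired = ($policyInfo.SmsVerificationEnabled -and -not($policyInfo.QuestionsAndAnswersEnabled))

    if ($enrolled -or $noEnrollmentRequired)
    {
        [void]$policyInfo.ListItems.Append($listItem)
    }
}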

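# Get the default Web Interface address; it is the base for the links in the report
$webInterfaceAddress = "%adm-WebInterfaceUrl%"
if ([System.String]::IsNullOrEmpty($webInterfaceAddress))
{
    $Context.LogMessage("Default web interface address not set for Adaxes service. For details, see http://www.adaxes.com/help/?HowDoI.ManageService.RegisterWebInterface.html", "Warning")
}

# Search all enabled and not expired users. accountExpires is a file time, so the
# current time is compared in the same representation; 0 means "never expires".
$currentDate = (Get-Date).ToFileTimeUtc()
$searchResults = SearchObjects "(&(sAMAccountType=805306368)(|(!(accountExpires<=$currentDate))(accountExpires=0))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" @("ObjectGuid")

# Group users by the Password Self-Service policy that applies to them
$policyInfos = @{}
foreach ($searchResult in $searchResults)
{
    $user = $Context.BindToObject($searchResult.AdsPath)

    $enrollmentPolicyDN = $user.EnrollmentPolicyDN
    $guid = [Guid]$searchResult.Properties["objectGuid"].Value
    $displayName = $Context.GetDisplayNameFromAdsPath($searchResult.AdsPath)
    # The display name is directory data placed into HTML markup: encode it so
    # characters such as '<' or '&' cannot break or alter the report's HTML.
    $encodedDisplayName = [System.Net.WebUtility]::HtmlEncode($displayName)
    # ${...} delimits the variable name explicitly instead of relying on a
    # backtick escape to separate it from "ViewObject.aspx".
    $listItem = "<li><a href='${webInterfaceAddress}ViewObject.aspx?guid=$guid'>$encodedDisplayName</a></li>"

    if ($NULL -ne $enrollmentPolicyDN)
    {
        # The user is enrolled for a policy
        UpdatePolicyInfos $enrollmentPolicyDN $listItem $policyInfos $True
    }
    else
    {
        # Not enrolled: fall back to the policy that is in effect for the user
        $effectivePolicyDN = $user.EffectivePolicyDN
        if ($NULL -ne $effectivePolicyDN)
        {
            UpdatePolicyInfos $effectivePolicyDN $listItem $policyInfos $False
        }
    }
}

# Render one section per policy that has at least one listed user
$report = New-Object "System.Text.StringBuilder"
foreach ($item in $policyInfos.GetEnumerator())
{
    $policyInfo = $item.Value
    if ($policyInfo.ListItems.Length -eq 0)
    {
        continue
    }

    # Append Password Self-Service Policy name (encoded, as it is directory data too)
    $policyName = [System.Net.WebUtility]::HtmlEncode($policyInfo.PolicyName)
    [void]$report.Append("<b>$policyName</b>")
    [void]$report.Append("<ul>")
    [void]$report.Append($policyInfo.ListItems.ToString())
    [void]$report.Append("</ul>")
}

# Add the date when the report was generated
$reportHeader = $reportHeader -f (Get-Date)

# Build the report
if ($report.Length -eq 0)
{
    $html = $reportHeader + "<b>No users found</b>" + $reportFooter
}
else
{
    $html = $reportHeader + $report.ToString() + $reportFooter
}

# Send mail (HTML body; no plain-text alternative)
$Context.SendMail($to, $subject, $NULL, $html)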

