
Password self-service enrollment statistics

Updated on: Jan 18, 2026, Views: 1377

Password self-service, Reports

The script generates a report containing Password self-service enrollment statistics. To execute the script, create a report with the corresponding custom columns and parameter. The report must have a scope.

Parameters

  • $reportTypeParameterName - the name of the parameter identifying the type of report. The name should be specified with the param- prefix. Possible parameter values: Enrolled, Not enrolled or All users.
  • $enrolledColumnID - the identifier of the custom column that will contain user enrollment status. If enrolled, the column will also contain the name of the corresponding Password self-service policy. The column should be of Text type. To get the identifier of a custom column:
    • In the Report-specific columns section, on the Columns tab, right-click the custom column.
    • In the context menu, navigate to Copy and click Column ID.
    • The column identifier will be copied to the clipboard.
  • $effectivePolicyColumnID - the identifier of the custom column that will contain the name of the Password self-service policy effective for the user. The column should be of Text type.
  • $eventDateColumnID - the identifier of the custom column that will contain the date when the user was enrolled for Password self-service. The column should be of Date/Time type.
  • $enrollmentInvitationColumnID - the identifier of the custom column that will contain the date when enrollment notification was sent to the user. The column should be of Date/Time type.
# Report configuration: the name of the report type parameter (with the param-
# prefix) and the identifiers of the four custom columns the script fills in.
# Replace every value with the ones from your own report.
$reportTypeParameterName      = 'param-ReportType'                        # TODO modify me
$enrolledColumnID             = '{3ab5f68f-1643-433f-bdad-8458627afb71}'   # TODO modify me (Text column)
$effectivePolicyColumnID      = '{dd53cbea-9dec-42dc-9e24-ec5ba3d63920}'   # TODO modify me (Text column)
$eventDateColumnID            = '{b78319b3-adf1-4e7a-ae5b-52b79d609f16}'   # TODO modify me (Date/Time column)
$enrollmentInvitationColumnID = '{1e16bd43-032a-4f49-a0f9-b3a9d93275ca}'   # TODO modify me (Date/Time column)

# Read the value of the report type parameter supplied for this report run.
$reportType = $Context.GetParameterValue($reportTypeParameterName)

# Resolve the path of the well-known 'Password Self-Service Statistics' container,
# then bind to the container object that serves the statistics reports.
$passwordSelfServiceStatisticsPath = $Context.GetWellKnownContainerPath('PasswordSelfServiceStatistics')
$passwordSelfServiceStatistics = $Context.BindToObject($passwordSelfServiceStatisticsPath)

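# Get the enrollment report.
# GetReport is polled until it returns a report generated within the last hour.
# The wait is bounded and honours cancellation, so a generation that never
# completes cannot keep the report run (and the polling) alive indefinitely.
$maxWaitSeconds = 3600 # TODO adjust to the size of your environment
$waitStartedUtc = [System.Datetime]::UtcNow
$reportIsBeingGenerated = $True
do
{
    # Stop waiting when report generation is cancelled.
    if ($Context.Items.Aborted)
    {
        return
    }

    # Give up once the overall wait budget is exhausted.
    if (([System.Datetime]::UtcNow - $waitStartedUtc).TotalSeconds -gt $maxWaitSeconds)
    {
        $Context.LogMessage("The enrollment report was not generated within $maxWaitSeconds seconds.", "Error")
        return
    }

    try
    {
        $report = $passwordSelfServiceStatistics.GetReport("ADM_PSSREPORTTYPE_ENROLLMENT")
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        # -2147024875 is HRESULT 0x80070015 (ERROR_NOT_READY).
        if ($_.Exception.ErrorCode -eq "-2147024875")
        {
            # Report is being generated. Wait 10 seconds.
            Start-Sleep -Seconds 10
            continue
        }
        else
        {
            # Any other COM failure is fatal for this run: log it and stop.
            $reportIsBeingGenerated = $False
            $Context.LogMessage($_.Exception.Message, "Error")
            return
        }
    }
    
    if ($report.GenerateDate -lt [System.Datetime]::UtcNow.AddHours(-1))
    {
        # The cached report is older than one hour: discard it and poll again
        # so that the statistics reflect the current enrollment state.
        $passwordSelfServiceStatistics.ResetReportCache("ADM_PSSREPORTTYPE_ENROLLMENT")
    }
    else
    {
        $reportIsBeingGenerated = $False
    }
}
while ($reportIsBeingGenerated)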

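# Build the report: one report item per statistics record that passes the
# report type filter.
$records = $report.Records
for ($i = 0; $i -lt $records.Count; $i++)
{
    # Stop promptly when report generation is cancelled.
    if ($Context.Items.Aborted)
    {
        return
    }
    
    $record = $records.GetRecord($i)
    
    # Get user information. The values are returned through the [ref] arguments.
    $userPath = $NULL
    $userDisplayName = $NULL
    $userParentCanonicalName = $NULL
    $userAccountIsEnabled = $NULL
    $userIsEnrolled = $NULL
    $userAccountIsExpired = $NULL
    $userInfo = $record.GetUserInfo([ref]$userPath, [ref]$userDisplayName, [ref]$userParentCanonicalName, 
        [ref]$userAccountIsEnabled, [ref]$userIsEnrolled, [ref]$userAccountIsExpired)
    
    # Apply the report type filter. Any other parameter value keeps every record.
    if (($reportType -eq "Enrolled" -and !$userIsEnrolled) -or 
        ($reportType -eq "Not enrolled" -and $userIsEnrolled))
    {
        continue
    }
    
    # Get event date. DateTime.MinValue is treated as "no date" and shown empty.
    $eventDate = $record.EventDate
    if ($eventDate -eq [DateTime]::MinValue)
    {
        $eventDate = $NULL
    }
    
    # Get policy information.
    $policyPath = $NULL
    $policyName = $NULL
    $policyInfo = $record.GetEnrollmentPolicyInfo([ref]$policyPath, [ref]$policyName)
    
    # From here on $userIsEnrolled holds the display text for the column,
    # not the boolean returned by GetUserInfo.
    if ($userIsEnrolled)
    {
        $userIsEnrolled = "Yes ($policyName)"
    }
    else
    {
        $userIsEnrolled = "No"
    }
    
    # Get invitation info
    $successSendDate = New-Object System.Datetime 0
    $errorMessage = $NULL
    $record.GetSendInvitationInfo([ref]$successSendDate, [ref]$errorMessage)
    if ([System.String]::IsNullOrEmpty($errorMessage) -and $successSendDate -ne [Datetime]::MinValue)
    {
        $enrollmentInvitation = $successSendDate
    }
    else
    {
        # NOTE(review): this places the error text (or an empty value) into a
        # column the page describes as Date/Time - confirm the report renders it.
        $enrollmentInvitation = $errorMessage
    }
    
    # Get effective policy information.
    $effectivePolicyPath = $NULL
    $effectivePolicyName = $NULL
    $record.GetEffectivePolicyInfo([ref]$effectivePolicyPath, [ref]$effectivePolicyName)
    
    # Bind to the user. $user is cleared first and a failed bind skips the record:
    # otherwise the variable would still hold the previous iteration's user and
    # this record's enrollment values would be reported against the wrong account.
    $user = $NULL
    try
    {
        $user = $Context.BindToObject($userPath)
    }
    catch
    {
        $Context.LogMessage("Cannot bind to user '$userPath': " + $_.Exception.Message, "Warning")
        continue
    }
    
    # Add information to the report.
    $columnValues = @{
        $enrolledColumnID = $userIsEnrolled
        $effectivePolicyColumnID = $effectivePolicyName
        $eventDateColumnID = $eventDate
        $enrollmentInvitationColumnID = $enrollmentInvitation
    }
    
    $Context.Items.Add($user, $columnValues, $NULL)
}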
