Script repository
The script generates a report of recently deleted users with initiator. If a user was deleted outside of Adaxes, the initiator column will be empty. To execute the script, create a report with corresponding custom columns and parameters.
The report requires a scope. When generating the report, only a domain or Everywhere can be selected to search in.
Parameters
$whenDeletedColumnID- the identifier of the custom column that will contain the date when a user was deleted. The column should be of the Date/Time type. To get the identifier of a custom column:- In the Report-specific columns section, on the Columns tab, right-click the custom column.
- In the context menu, navigate to Copy and click Column ID.
- The column identifier will be copied to clipboard.
$initiatorColumnID- the identifier of the custom column that will contain the user who deleted the corresponding account. The column should be of the Directory object type.$daysParameterName- the name of the parameter used to determine the period (in days) to retrieve deleted users for. The name should be specified with the param- prefix.$parentToCheckParameterName- the name of the parameter used to determine the last known OU of the deleted users. The name should be specified with the param- prefix. The parameter must of the Directory object picker type.
# Custom column identifiers.
$whenDeletedColumnID = "{e148141d-755f-4bc8-bf40-6e5f1cfc44ad}" # TODO: modify me
$initiatorColumnID = "{d69bd562-5ba2-4302-90da-02d27d4bd8a7}" # TODO: modify me
$daysParameterName = "param-days" # TODO: modify me
$parentToCheckParameterName = "param-lastParent" # TODO: modify me
# Get parameter values.
$days = $Context.GetParameterValue($daysParameterName)
$parentDNToCheck = $Context.GetParameterValue($parentToCheckParameterName)
# Build search criteria.
$endDate = Get-Date
$threshold = (Get-Date).AddDays(- $days)
$thresholdGeneralizedTime =
[Softerra.Adaxes.Utils.Transform]::ToGeneralizedTime($threshold.ToUniversalTime())
$criteria = New-AdmCriteria "User" -Expression {whenChanged -gt $thresholdGeneralizedTime -and isDeleted -eq $true}
# Append the search criteria.
$Context.DirectorySearcher.AddCriteria($criteria)
# Search in deleted objects.
$Context.DirectorySearcher.Tombstone = $True
# Add properties necessary to restore objects.
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("msDS-LastKnownRDN")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("lastKnownParent")
$Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("whenChanged")
# Generate the report
try
{
$searchIterator = $Context.DirectorySearcher.ExecuteSearch()
while ($Context.MoveNext($searchIterator))
{
$searchResult = $searchIterator.Current
# Check last known parent.
$lastKnownParent = $searchResult.GetPropertyByName("lastKnownParent").Values[0]
if ($parentDNToCheck -ne $NULL -and $lastKnownParent -ne $parentDNToCheck)
{
continue
}
# Get Modification Log for the object.
$obj = $Context.BindToObjectBySearchResult($searchResult)
$modificationLog = $obj.GetModificationLog()
$modificationLog.StartDateTime = $threshold
$modificationLog.EndDateTime = $endDate
$log = $modificationLog.Log
$records = $log.GetPage(0)
# Add log records to the report.
$noRecords = $True
foreach ($record in $records)
{
if ($Context.Items.Aborted)
{
return
}
$operationTypes = $record.GetOperationTypes()
if ($operationTypes -notcontains "delete")
{
continue
}
$clonedSearchResult = $searchResult.Clone($False)
$Context.Items.Add($clonedSearchResult, @{ $initiatorColumnID = $record.Initiator.AdsPath; $whenDeletedColumnID = $record.CompletionTime }, $NULL )
}
}
}
finally
{
# Release resources.
if ($searchIterator) { $searchIterator.Dispose() }
}
Comments 0
You must be signed in to comment.