Script repository

Users blocked for password self-service

Updated on: Jan 18, 2026, Views: 4556

Password self-service

The script emails the list of users blocked for password self-service. The report will be embedded into the email body. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.

Parameters

  • $to - the comma-separated list of recipients of the report.
  • $subject - the email notification subject.
  • $reportHeader - the email notification header. In the header, the 0 placeholder will be replaced with the date when the report was generated.
  • $reportFooter - the email notification footer.
$to = "recipient@domain.com" # TODO: modify me
$subject = "Users Blocked for Self-Service" # TODO: modify me
$reportHeader = @"
<b>Users Blocked for Self-Service. Report generated on: {0} </b><br/><br/>
<table border="1">
    <tr>
        <th>Name</th>
        <th>Parent</th>
        <th>Policy</th>
        <th>Date/Time</th>
    </tr>
"@ # TODO: modify me
$reportFooter = "<hr /><p><i>Please do not reply to this e-mail, it has been sent to you for notification purposes only.</i></p>" # TODO: modify me

# Bind to the container for Password Self-Service Statistics.
$passwordSelfServiceStatisticsPath = $Context.GetWellKnownContainerPath("PasswordSelfServiceStatistics")
$passwordSelfServiceStatistics = $Context.BindToObject($passwordSelfServiceStatisticsPath)

# Regenerate the Blocked Users Report.
$passwordSelfServiceStatistics.ResetReportCache("ADM_PSSREPORTTYPE_BLOCKEDUSERS")
$reportIsBeingGenerated = $True

# Get the report
do 
{
    try
    {
        $report = $passwordSelfServiceStatistics.GetReport("ADM_PSSREPORTTYPE_BLOCKEDUSERS")
        $reportIsBeingGenerated = $False
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        if ($_.Exception.ErrorCode -eq "-2147024875")
        {
            # Report is being generated. Wait 10 seconds
            Start-Sleep -Seconds 10
        }
        else
        {
            $reportIsBeingGenerated = $False
            $Context.LogMessage($_.Exception.Message, "Error")
            return
        }
    }
}
while ($reportIsBeingGenerated)

# Add the date when the report was generated.
$reportHeader = $reportHeader -f $report.GenerateDate

# Add the report entries.
$records = $report.Records
for ($i = 0; $i -lt $records.Count; $i++)
{
    $record = $records.GetRecord($i)
    
    # Get user information
    $userPath = $NULL
    $userDisplayName = $NULL
    $userParentCanonicalName = $NULL
    $userAccountIsEnabled = $NULL
    $userIsEnrolled = $NULL
    $userAccountIsExpired = $NULL
    $userInfo = $record.GetUserInfo([ref]$userPath, [ref]$userDisplayName, [ref]$userParentCanonicalName, 
        [ref]$userAccountIsEnabled, [ref]$userIsEnrolled, [ref]$userAccountIsExpired)
    $eventDate = $record.EventDate
    
    # Get Password Self-Service Policy information.
    $policyPath = $NULL
    $policyName = $NULL
    $policyInfo = $record.GetEnrollmentPolicyInfo([ref]$policyPath, [ref]$policyName)

    $reportHeader += "<td>$userDisplayName</td><td>$userParentCanonicalName</td>$isSuccessfull<td>$policyName</td><td>$eventDate</td></tr>"
}

# Build the report.
$reportHeader += "</table>"
$htmlBody = $reportHeader + $reportFooter

# Send mail
$Context.SendMail($to, $subject, $NULL, $htmlBody)

Comments 0

You must be signed in to comment.

    Got questions?

    Support Questions & Answers

    We use cookies to improve your experience.
    By your continued use of this site you accept such use.
    For more details please see our privacy policy and cookies policy.