CODEWITHSUNDEEP
powershellactive-directory
Dewey
Dewey

Reputation: 37

How to use Powershell to resursively search user's reporting structure for first enabled manager

Working on an HR project at work to handle user terminations with PS code. Current challenge is to: 1. Test the user account if enabled/disabled. 2. If Disabled, test their manager's SAMAccount if enabled/disabled. 3. Repeat until an account is found enabled 4. Return that account's SAMAccount.

Working code thus far:

$testuser = "johndoe"
If ($(get-aduser $testuser).enabled -eq $true{
$usermgr1 = get-aduser $testuser -properties * | select @{Name='Manager';Expression={(Get-ADUser $_.Manager).SAMAccountName}}
}

The output of the above is formatted as below. I definitely don't want the header either.

Manager
------
JaneDoe

I then tried to expand this to the first test, seeing if the manager's account is enabled or not:

If ($get-aduser $usermgr1).enabled -eq $true) | select @{Name='Manager';Expression={(Get-ADUser $_.Manager).SAMAccountName}}
Else Write-Host "Manager Account  Disabled"
}

This attempt returns an error:

Get-ADUser : Cannot validate argument on parameter 'Identity'. The Identity property on the argument is null or empty.
At line:4 char:18
 + If ($(get-aduser $usermgr1).enabled -eq $true){write-host "Enabled"}

The expected output here is the SAMAccount of this user's manager if enabled; if disabled, I would continue adding more levels to the code up to four or five. I don't yet know enough powershell to loop back and re-test dynamically in order to avoid hardcoding it.

-EDIT-

Using itchydon's example, I opted to limit the recursion at two levels above the target user. The probability of three or more levels all being disabled simultaneously is low. Therefore the working code is:

$testuser = "janedoe"
$user = get-aduser $testuser -properties manager
    if ($user.enabled -eq $false){
    $usermgr1 = get-aduser $user.manager
        if ($usermgr1.enabled -eq $true){Write-Host $usermgr1.SamAccountName}
            else{
            $user1 = get-aduser $usermgr1 -properties manager
            if ($user1.enabled -eq $false){
                $usermgr2 = get-aduser $user1.manager
                if ($usermgr2.enabled -eq $true){
                Write-Host $usermgr2.SamAccountName}
                else{Write-Host "Recursion cannot complete. Handle manually."}
                }
            }
}

-EDIT-

Now with the working code, trying to set mailbox properties with the same logic. What I'm noticing is the set-mailbox command is executing on the first test, regardless if the manager is disabled or not:

if ($user.enabled -eq $false){
            $usermgr1 = get-aduser $user.manager
            if ($usermgr1.enabled -eq $true){
            $mgr1 = $usermgr1.SamAccountName
            $mgr1email = get-aduser $mgr1 -properties EmailAddress
            $mgr1email.emailaddress
            }
        Set-Mailbox $testuser -ForwardingAddress $mgr1email.EmailAddress -DeliverToMailboxAndForward $False
        Set-MailboxAutoReplyConfiguration -identity $testuser -AutoReplyState Enabled -InternalMessage $internal -ExternalMessage $external
        Write-Host $testuser "Completed"
       }
        else{

In this case, the test whether $usermgr1.enabled -eq $true fails, and I would expect the set-mailbox commands to be skipped entirely, moving on to the else{ statement.

I thought it was just a matter of moving the commands inside the test declaration like so:

   if ($user.enabled -eq $false){
            $usermgr1 = get-aduser $user.manager
            if ($usermgr1.enabled -eq $true){
            $mgr1 = $usermgr1.SamAccountName
            $mgr1email = get-aduser $mgr1 -properties EmailAddress
            $mgr1email.emailaddress
            Set-Mailbox $testuser -ForwardingAddress $mgr1email.EmailAddress -DeliverToMailboxAndForward $False
            Set-MailboxAutoReplyConfiguration -identity $testuser -AutoReplyState Enabled -InternalMessage $internal -ExternalMessage $external
            Write-Host $testuser "Completed"
            }
       }
        else{

However, the end result of that when the enabled test passes is that the set-mailbox commands are skipped entirely, and no action is taken at all.

-EDIT- Fixed the mailbox commands problem by leaving variable declarations in their own block like so:

$user = get-aduser $testuser -properties manager
    if ($user.enabled -eq $false){
            $usermgr1 = get-aduser $user.manager
            $mgr1 = $usermgr1.SamAccountName
            $mgr1email = get-aduser $mgr1 -properties EmailAddress}

    if ($usermgr1.enabled -eq $true){
            Set-Mailbox $testuser -ForwardingAddress $mgr1email.EmailAddress -DeliverToMailboxAndForward $False
            Set-MailboxAutoReplyConfiguration -identity $testuser -AutoReplyState Enabled -InternalMessage $internal -ExternalMessage $external
            Write-Host $testuser "Completed"
            }

Upvotes: 0

Views: 852

Answers (1)

Itchydon
Itchydon

Reputation: 2596

I am unable to test this unfortunately but I think this is what you are after.

$testuser = "johndoe"    
$user = get-aduser $testuser -properties manager
if ($user.enabled -eq $true){
    $usermgr1 = get-aduser $user.manager
    if ($usermgr1.enabled -eq $false){
        Write-Host "Manager Account  Disabled"
    }
    else{
        write-host $usermgr1.samaccountname
    }
}

In the above rather than keep doing a get-aduser we do it once for the testuser and save it to a variable ($user). We can then access each property of the object - so we use this to check the enabled status as shown e.g. $user.enabled -eq $true. If true - do another get-aduser for the manager's information using the same technique

Upvotes: 1

Related Questions