AD Manager / Direct Reports

List all users that have Direct reports

http://www.terminal23.net/2007/11/powershell_and_active_director.html

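#List all Managers (AD Accounts with DirectReports)
# Prints the name of every user under the People OU that has at least one
# direct report, collects the matching search results in $objADUsers and
# reports how long the search took.

$StartTime = Get-Date

$objADSearcher = new-object DirectoryServices.DirectorySearcher([ADSI]"")

#Added next line to slightly increase speed
$objADSearcher.SearchRoot = "LDAP://OU=People,DC=blah,DC=com"

# (directReports=*) lets the directory server return only accounts that have
# direct reports, instead of pulling every user and filtering on the client.
$objADSearcher.filter = "(&(objectcategory=person)(objectclass=user)(directReports=*))"

$objADSearcher.PageSize = 2000

$objFoundUsers = $objADSearcher.FindAll()

[array]$objADUsers = @()

foreach ($t in $objFoundUsers)
{
    # Kept as a client-side guard so the output matches the original script
    # even if the server-side filter is ever relaxed.
    if ($t.properties.directreports)
    {
        # Emit the manager's name to the pipeline
        $t.properties.name

        $objADUsers += $t
    }
}

# A SearchResultCollection holds unmanaged resources that garbage collection
# does not release; dispose it once the results have been copied out.
# $objADUsers still holds the individual results; $objFoundUsers must not be
# enumerated again after this point.
$objFoundUsers.Dispose()

$StopTime = Get-Date

$ElapsedTime = $StopTime - $StartTime

Write-host "Script completed in $([Math]::Round($ElapsedTime.TotalSeconds,0)) Seconds"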


LDAP Filter 

List accounts with a manager but no employeeID set

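# Accounts that have a manager set but no employeeID value.
# The NOT clause is written as (!(attr=*)), the form RFC 4515 defines and the
# same form the import script on this page uses for employeenumber.
# employeeid is requested via -IncludedProperties so it is available to select.
Get-QADUser -LdapFilter "(&(Manager=*)(!(employeeID=*)))" -IncludedProperties employeeid | select Name, employeeid, Manager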

Import EmployeeID

Import employee number, manager, and department from an export of HR data

This script is the first step: it establishes a common, unique value that can be used to match AD accounts to HR data. The obvious value that should not change is the employee ID, and luckily AD has just such an attribute (it also has "employeeNumber"; I just picked one).

 

########################################################################

# Created with: SAPIEN Technologies, Inc., PrimalForms 2009 v1.1.7.0

# Created on:   3/18/2010 1:42 PM

# Last Modified 7/30/2010

# Created by:   Kevin Curran

# Organization: Blah

########################################################################

# To update a single user by hand:
#get-qaduser Username | set-qaduser -ObjectAttributes @{employeeNumber="99999"}

# One transcript per day, named after the current date
$LogPath = "c:\scripts\logs\"
$DateStamp = Get-Date -UFormat "%Y-%m-%d"
$TranscriptLog = "${LogPath}ImportEmployeeID_${DateStamp}_Transcript.log"

Start-Transcript $TranscriptLog

$StartTime = Get-Date

# Load the Quest ActiveRoles snap-in unless this session already has it
$SnapinName = "quest.activeroles.admanagement"
$SnapinLoaded = Get-PSSnapin | Where-Object { $_.Name -eq $SnapinName }
if (-not $SnapinLoaded)
{
    Add-PSSnapin $SnapinName
}
else
{
    Write-Host "Quest Active Roles snapin already loaded"
}

#Data Sample
#EmployeeID,Employee Name,Manager,Manager ID,Department,Employee Status Type
#1234,"Curran, Kevin","Doe, John",5678,810000 - Operations,Active

$ImportFileName = 'C:\scripts\PowerShell\HR Import\HR Data 2010-03-22.csv'

# Review the export file to find names that were not matched (no DN)
$ExportFileName = 'C:\scripts\PowerShell\HR Import\HR Data AddDN.csv'

#$Cred = Get-Credential

# Only rows whose status is Active are processed
$HRData = Import-Csv $ImportFileName | Where-Object { $_."Employee Status Type" -eq "Active" }

#$NewEmployees =New-Object -TypeName PSCustomObject

# Settings for the report mail sent at the end of the run
$smtpServer = "mail.blah.com"
$To = "Kevin Curran <kcurran@blah.com>"
$From = "AD Reporting <ADReporting@blah.com>"

# The report body starts with the import file name and its last-modified time
$ImportFile = Get-ChildItem $ImportFileName
$message = "Importing Employee IDs into Active Directory `r`n`r`n"
$message = $message + "The importfile: " + $ImportFileName + " was last modified: " + $ImportFile.LastWriteTime + "`r`n`r`n"

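# Escapes a value for literal use inside an LDAP search filter (RFC 4515), so
# that characters such as \ * ( ) coming from the HR export are matched as
# data and cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue([string]$Value)
{
    # Backslash is replaced first so the escapes added afterwards stay intact
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Candidate accounts: mail-enabled (this leaves out the "User-Admin" accounts)
# and not yet carrying an employeeNumber.
$CandidateFilter = "(&(mail=*)(!(employeenumber=*)))"

# For each active HR row: skip it when the employee number is already in AD,
# otherwise look the person up by name and write the number to the account
# only when exactly one candidate account is found. Every outcome is written
# to the host and appended to $message for the report mail.
foreach ($Employee in $HRData)
{
    # NOTE(review): the data sample in the header comment shows this column
    # as "EmployeeID"; confirm the header used by the real export.
    $EmployeeId = [string]($Employee."Employee Id")
    $EmployeeName = [string]($Employee."Employee Name")

    # A row without an ID has nothing to import and would produce an invalid filter
    if ($EmployeeId.Trim() -eq "")
    {
        $Employee | Add-Member -membertype noteproperty -name DN -Value $null
        Write-Host "Skipping row with no Employee ID, Name $EmployeeName `r`n"
        $message = $message + "Skipping row with no Employee ID, Name: " + $EmployeeName + "`r`n`r`n"
        continue
    }

    #Don't try to import the Employee ID if it already exist in AD
    $IdFilter = "(employeeNumber=$(ConvertTo-LdapFilterValue $EmployeeId))"
    if (@(Get-QADUser -LdapFilter $IdFilter).Count -gt 0)
    {
        #write-host "Employee ID already exists"
        continue
    }

    #Convert name from "LastName, FirstName" to "FirstName LastName"
    # A name without both parts is skipped: continuing would reuse the previous
    # row's $FirstName/$LastName and could match the wrong account.
    $NameParts = @($EmployeeName.Split(","))
    if ($NameParts.Count -lt 2 -or $NameParts[0].Trim() -eq "" -or $NameParts[1].Trim() -eq "")
    {
        $Employee | Add-Member -membertype noteproperty -name DN -Value $null
        Write-Host "Skipping Employee ID $EmployeeId, name is not in `"LastName, FirstName`" form: $EmployeeName `r`n"
        $message = $message + "Skipping Employee ID " + $EmployeeId + ", name is not in `"LastName, FirstName`" form: " + $EmployeeName + "`r`n`r`n"
        continue
    }
    $FirstName = $NameParts[1].Trim()
    $LastName = $NameParts[0].Trim()
    $FullName = $FirstName + " " + $LastName

    # Try the full name first, then the last name, then the first name.
    # NOTE(review): the last-name and first-name fallbacks bind an HR record to
    # whichever single account the lookup returns; a lone first-name hit is
    # weak evidence of identity, so review the "Updating User" lines in the
    # report before relying on them.
    $Candidates = @(Get-QADUser -LdapFilter $CandidateFilter -IncludedProperties employeeNumber $FullName)
    if ($Candidates.Count -eq 0) { $Candidates = @(Get-QADUser -LdapFilter $CandidateFilter -IncludedProperties employeeNumber $LastName) }
    if ($Candidates.Count -eq 0) { $Candidates = @(Get-QADUser -LdapFilter $CandidateFilter -IncludedProperties employeeNumber $FirstName) }

    # Count the results explicitly instead of relying on .DN being empty for a
    # multi-element result, which depends on the PowerShell version in use.
    $ADUser = $null
    $MatchedDN = $null
    if ($Candidates.Count -eq 1)
    {
        $ADUser = $Candidates[0]
        $MatchedDN = $ADUser.DN
    }

    # DN stays blank in the export for zero or multiple matches
    $Employee | Add-Member -membertype noteproperty -name DN -Value $MatchedDN

    if ($Candidates.Count -eq 0)
    {
        Write-Host "Cannot find Employee ID $EmployeeId Name $FullName `r`n"
        $message = $message + "Cannot find Employee ID " + $EmployeeId + ", Name: " + $FullName + "`r`n`r`n"
    }
    elseif ($Candidates.Count -gt 1)
    {
        Write-Host "No Unique match for $FullName `r`n"
        $message = $message + "No Unique match for Employee ID: " + $EmployeeId + ", Name: " + $FullName + "`r`n`r`n"
    }
    elseif ($ADUser.employeeNumber -eq $null)
    {
        #Set-QADUser -Identity "$($ADUser.DN)" -ObjectAttributes @{employeeNumber=$EmployeeId} -credential $Cred
        Set-QADUser -Identity "$($ADUser.DN)" -ObjectAttributes @{employeeNumber=$EmployeeId}

        Write-Host "Updating User: $($ADUser.Name) with employeeNumber: $EmployeeId `r`n"
        $message = $message + "Updating User: " + $($ADUser.Name) + " with employeeNumber: " + $EmployeeId + "`r`n`r`n"
    }
    elseif ($ADUser.employeeNumber -ne $EmployeeId)
    {
        #Don't write host if employee ID already set accurately
        Write-Host "Not updating employeeNumber for $($ADUser.Name) to $EmployeeId it is currently set to $($ADUser.employeeNumber) `r`n"
        $message = $message + "Not updating employeeNumber for " + $($ADUser.Name) + " to " + $EmployeeId + " it is currently set to " + $($ADUser.employeeNumber) + "`r`n`r`n"
    }
}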

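# Write the HR rows back out; the import loop adds a DN column to the rows it
# tried to match, so a blank DN marks a row that was not matched.
$HRData | Export-Csv $ExportFileName -NoTypeInformation

$StopTime = Get-Date

$ElapsedTime = $StopTime - $StartTime
$ElapsedSeconds = [Math]::Round($ElapsedTime.TotalSeconds,0)

Write-host "Script completed in $ElapsedSeconds Seconds `r`n"

$message = $message + "Script completed in $ElapsedSeconds Seconds `r`n"

# The transcript is stopped before it is attached to the mail
Stop-Transcript

#Send Email
# The parameters are splatted rather than continued with a trailing backtick:
# a backtick followed by a blank line ends the command, which would leave
# -Subject, -Body and -Attachments out of the call.
# NOTE(review): the body and the attached transcript list employee names and
# numbers; confirm the mail relay and recipient are appropriate for that data.
$MailParams = @{
    From        = $From
    To          = $To
    SmtpServer  = $smtpServer
    Subject     = "ADP employee Number Import"
    Body        = $message
    Attachments = $TranscriptLog
}

Send-MailMessage @MailParams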

Import HRData

########################################################################

# Created with: SAPIEN Technologies, Inc., PrimalForms 2009 v1.1.7.0

# Created on:   3/24/2010 3:37 PM

# Last Modified 7/30/2010

# Created by:   Kevin Curran

# Organization: Blah

########################################################################

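# One transcript per day, named after the current date
$LogPath="c:\scripts\logs\"

$TranscriptLog = $LogPath + "ImportHRData_" + $(get-date -uformat "%Y-%m-%d") + "_Transcript.log"

Start-Transcript $TranscriptLog

$StartTime = Get-Date

# Load the Quest ActiveRoles snap-in unless this session already has it
IF (Get-PSSnapin | where {$_.name -eq "quest.activeroles.admanagement"})
   {write-host "Quest Active Roles snapin already loaded"}
Else
   {add-PSSnapin  quest.activeroles.admanagement}

#Data Sample
#EmployeeID,Employee Name,Manager,Manager ID,Department,Employee Status Type
#1234,"Curran, Kevin","Doe, John",5678,810000 - Operations,Active

$ImportFileName='C:\scripts\PowerShell\HR Import\HR Data 2010-03-22.csv'

# The only Set-QADUser call that is active in this script does not pass
# -credential, so the prompt collected a credential that was never used (and
# blocked unattended runs). Re-enable this line together with the
# "-credential $Cred" variant of Set-QADUser if alternate credentials are needed.
#$Cred = Get-Credential

# Only rows whose status is Active are processed
$HRData = Import-Csv $ImportFileName | where {$_."Employee Status Type" -eq "Active"}

# Settings for the report mail sent at the end of the run
$smtpServer = "mail.blah.com"

$To = "Kevin Curran <kcurran@blah.com>"

$From = "AD Reporting <ADReporting@blah.com>"

# The report body starts with the import file name and its last-modified time
$message = "Importing employee managers into Active Directory `r`n`r`n"

$message = $message + "The importfile: " + $ImportFileName + " was last modified: " + $(gci $ImportFileName).lastwritetime + "`r`n`r`n"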

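# Escapes a value for literal use inside an LDAP search filter (RFC 4515), so
# that characters such as \ * ( ) coming from the HR export are matched as
# data and cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue([string]$Value)
{
    # Backslash is replaced first so the escapes added afterwards stay intact
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# For each active HR row: find the employee and the manager by employeeNumber
# (mail-enabled accounts only) and set the employee's Manager attribute when it
# differs. Nothing is written unless both lookups return exactly one account.
# Every outcome is written to the host and appended to $message.
foreach ($Employee in $HRData)
{
    # NOTE(review): the data sample in the header comment shows this column
    # as "EmployeeID"; confirm the header used by the real export.
    $EmployeeId = [string]($Employee."employee ID")
    $ManagerId = [string]($Employee."Manager ID")

    # A blank ID would produce an invalid filter, so it is treated as "no match"
    $UserMatches = @()
    if ($EmployeeId.Trim() -ne "")
    {
        $UserFilter = "(&(mail=*)(employeeNumber=$(ConvertTo-LdapFilterValue $EmployeeId)))"
        $UserMatches = @(Get-QADUser -LdapFilter $UserFilter -IncludedProperties employeenumber)
    }

    #$($Employee."Manager ID") will be blank in the import data if you are the President -CEO
    $ManagerMatches = @()
    if ($ManagerId -eq "")
    {
        Write-Host "CEO no manger"
    }
    else
    {
        $ManagerFilter = "(&(mail=*)(employeeNumber=$(ConvertTo-LdapFilterValue $ManagerId)))"
        $ManagerMatches = @(Get-QADUser -LdapFilter $ManagerFilter -IncludedProperties employeenumber)
    }

    # Count the results explicitly instead of relying on .DN being empty for a
    # multi-element result, which depends on the PowerShell version in use.
    if ($UserMatches.Count -ne 1)
    {
        # No match, or more than one account carries this employeeNumber
        Write-Host "unable to find a User with the EmployeeID $EmployeeId `"$($Employee."Employee Name")`"`r`n"
        $message = $message + "unable to find a User with the EmployeeID: " + $EmployeeId + " Name: " + $($Employee."Employee Name") + "`r`n`r`n"
    }
    elseif ($ManagerMatches.Count -ne 1)
    {
        # Also reached for the row with a blank Manager ID
        Write-Host "unable to find a Manager with the EmployeeID $ManagerId`"$($Employee."Manager")`"`r`n"
        $message = $message + "unable to find a Manager with the EmployeeID: " + $ManagerId + " Name: " + $($Employee."Manager") + "`r`n`r`n"
    }
    else
    {
        $ADUser = $UserMatches[0]
        $ADManager = $ManagerMatches[0]

        #Update the Manager if it is different from the current value
        if ($ADUser.Manager -ne $ADManager.DN)
        {
            Write-Host "Updating User $($ADUser.Name)($EmployeeId) with Manager $($ADManager.Name)($ManagerId)`r`n"
            $message = $message + "Updating User: " + $($ADUser.Name) + " ID: " + $EmployeeId + " with Manager: " + $($ADManager.Name) + " ID: " + $ManagerId + "`r`n`r`n"

            #Set-QADUser -Identity "$($ADUser.DN)" -Manager "$($ADManager.DN)" -credential $Cred
            Set-QADUser -Identity "$($ADUser.DN)" -Manager "$($ADManager.DN)"
        }
        else
        {
            #Write-Host "Manager for $($ADUser.Name)($EmployeeId) is already set to $($ADManager.Name)($ManagerId)`r`n"
        }
    }
}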

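$StopTime = Get-Date

$ElapsedTime = $StopTime - $StartTime
$ElapsedSeconds = [Math]::Round($ElapsedTime.TotalSeconds,0)

Write-host "Script completed in $ElapsedSeconds Seconds `r`n"

$message = $message + "Script completed in $ElapsedSeconds Seconds `r`n"

# The transcript is stopped before it is attached to the mail
Stop-Transcript

#Send Email
# The parameters are splatted rather than continued with a trailing backtick:
# a backtick followed by a blank line ends the command, which would leave
# -Subject, -Body and -Attachments out of the call.
# NOTE(review): the body and the attached transcript list employee and manager
# names and numbers; confirm the mail relay and recipient are appropriate for
# that data.
$MailParams = @{
    From        = $From
    To          = $To
    SmtpServer  = $smtpServer
    Subject     = "Update employee's Manager from HR Data"
    Body        = $message
    Attachments = $TranscriptLog
}

Send-MailMessage @MailParams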