I want to search for all disabled users where "extensionAttribute11" = "employee"
Is this possible?
I want to search for all disabled users where "extensionAttribute11" = "employee"
Is this possible?
Just to be clear on what you need:
You want a search for all transactions where a user account was disabled and the extensionattribute11 of that user equals the string "employee".
The challenge is that Change Auditor doesn't store the contents of extensionattribute11 for any user except for the case where a transaction involves the attribute being modified.
So you would probably have to compile your "report" in two steps:
1) Generate a Search for all account disable transactions
2) Take the list of usernames that you get from that and check each one's extensionattribute11 (EA11) in Active Directory.
I would approach this task with a Powershell script that would combine extracting the Change Auditor data and then performing the EA11 lookup.
Information on performing searches with Powershell may be found here
For querying AD, you would just use the native Active Directory cmdlets. So probably Get-ADUser.
If you come up with some code and it doesn't quite get you what you need, feel free to post it here and someone like me will give you a hand.
Thank you, I appreciate you taking the time to respond. I can manage the query in Powershell, but I was looking to create a smart alert from CA that would notify me anytime a user with that attribute set to that value was disabled.
My pleasure. The challenge is that within the Change Auditor UI, there is no way to build a filter on that attribute because it's not being stored for every user and thus not available in the Who/What/Where tabs nor on the "Layout" tab for the Search.
Now, what you could do is modify the actual SQL code for the Search (exposed on the SQL tab) and shoehorn in some code in there that would fetch the attribute from AD on the fly and check for your value. This would slow down the execution of the search. You would have to test to see whether it's worth the performance hit.
Another idea popped into my head - do you have an AD group that contains all people identified as employees via EA11? If you do then you could use the fact that the user being disabled is a member of that group to scope them into the search results.
Doh! That's an excellent idea. I don't currently have them in that group, but would be really easy to do and enforce with ARS. Thank you!!!