{"id":52303,"date":"2009-10-07T03:01:00","date_gmt":"2009-10-07T03:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/10\/07\/hey-scripting-guy-can-i-get-a-list-of-all-users-in-a-domain-without-their-manager-attribute-populated\/"},"modified":"2009-10-07T03:01:00","modified_gmt":"2009-10-07T03:01:00","slug":"hey-scripting-guy-can-i-get-a-list-of-all-users-in-a-domain-without-their-manager-attribute-populated","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-get-a-list-of-all-users-in-a-domain-without-their-manager-attribute-populated\/","title":{"rendered":"Hey, Scripting Guy! Can I Get a List of All Users in a Domain Without Their Manager Attribute Populated?"},"content":{"rendered":"

\"Bookmark<\/a> <\/p>\n

\"Hey,<\/p>\n

Hey, Scripting Guy! I need to get a list of all the users that have set their manager in Active Directory. We have this Web application that allows users to populate information such as their phone number, their office location, and their manager. We actually paid a decent amount of money for this application. The problem is that the users are not going to the Web site to update their information. We have sent out numerous e-mails to all of the users in the company: a spam-like admonishment. I can now confirm that generic reprimands do not have much success in getting users to update their information. What I would like to do is to be able to send a targeted e-mail that says “Hey, {username}, you have not filled out your information.” I know how to write a Windows PowerShell script to send an e-mail (I copied one from the TechNet Script Center Gallery<\/font><\/a>). What I need to do is to retrieve a listing of all the users in the domain that do not have their manager attribute populated. <\/p>\n

— KM<\/p>\n

\"Hey,<\/p>\n

Hello KM, <\/p>\n

Microsoft Scripting Guy Ed Wilson here, you know the problem with weekends? It is not that they are too short; it is that they are too long. I am sore from all the climbing, cleaning, and general pre-winter maintenance work that needs to be done around the house. This included three separate trips to the local home hardware supply store—40 miles round trip (64 kilometers) —and one trip for takeout barbeque<\/font><\/a> to feed the neighbors’ kids. My knees are sore from climbing up and down the extension ladder to clean pine<\/font><\/a> needles from the rain gutters, and my left thumb is cut from the rain gutter itself. Actually I may have just solved my rain gutter problem. On my Bing search for pine needles, I saw that you can make tea from pine needles<\/font><\/a>. If I strip off all the pine needles and make tea, the needles will not clog my rain gutters. (Stay tuned, and I will let you know what pine needle tea tastes like.) <\/p>\n

Needless to say, KM, I am happy to get back to work, so I can get away from all the work the Scripting Wife has lined up for me before winter arrives. If she wanted me to write scripts, I would love her “honey do list,” but it usually involves dragging out a 40 feet (12 meters) extension ladder<\/font><\/a>. I was therefore in my office early this morning, and eagerly opened the scripter@microsoft.com<\/font><\/a> e-mail box when I came across your e-mail. Because your script does not involve climbing, I will gladly write a script to provide you with a list of users that have not populated their managers in Active Directory. <\/p>\n

KM, I wrote the FindUsersWithManagers.ps1 for you to help you find users that already have managers assigned. The complete FindUsersWithManagers.ps1 script is seen here. <\/p>\n

FindUsersWithManagers.ps1]<\/strong><\/p>\n

$domain = “dc=nwtraders,dc=com”
$dse = [adsi]”LDAP:\/\/$domain”
$filter = ‘(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3)(manager=*))’
$searcher = New-Object DirectoryServices.DirectorySearcher ($dse, $filter)
$manager = $null
$searcher.findall() |
ForEach-Object {
[adsi]$_.path
} |
Format-Table -AutoSize -Property name, manager<\/p>\n

<\/font><\/font><\/span><\/p>\n

The first thing the FindUsersWithManagers.ps1 script does is assign the string “dc=nwtraders,dc=com” to the $domain<\/b> variable. This string is the string that represents the NWTraders.Com domain. Each part of the domain name, nwtraders<\/b> and com<\/b>, is separated by “dc=”. You will need to modify this string to match your domain. Remember, each portion of the domain must be separated by “dc=”; therefore, if your domain is Northamerica.NWTraders.Com, you will need to assign the string “dc=northamerica,dc=nwtraders,dc=com” to the $domain<\/b> variable. The first line of code for the FindUsersWithManagers.ps1 script is seen here: <\/p>\n

$domain = “dc=nwtraders,dc=com”<\/p>\n

<\/font><\/span><\/p>\n

The $domain<\/b> variable is passed to the [adsi]<\/b> type accelerator to create a DirectoryEntry<\/b> object. (For more information about the DirectoryEntry<\/b> object, see yesterday’s Hey, Scripting Guy! post<\/a>.)  <\/span>The line of code that creates the DirectoryEntry<\/b> object and stores it in the $dse<\/b> variable is seen here. <\/p>\n

$dse = [adsi]”LDAP:\/\/$domain”<\/p>\n

<\/font><\/span><\/p>\n

The search filter is stored in the $filter<\/b> variable.  <\/span>Hints about search filter syntax can be obtained by using the Active Directory Users and Computers search feature seen here:<\/p>\n

\"Image<\/p>\n

The filter uses the LDAP dialect syntax. The search filter states that the objectCategory<\/b> is equal to person, and the objectSid<\/b> attribute is equal to anything. The manager<\/b> attribute value can also be equal to anything. The &<\/b> character at the beginning of the search filter means that everything will be AND’ed together. The hard part of the query string is the !SamAccountType<\/b> portion seen here:<\/p>\n

!samAccountType:1.2.840.113556.1.4.804:=3<\/p>\n

<\/font><\/span><\/p>\n

The number 1.2.840.113556.1.4.804 means that you want to do a bitwise OR<\/b> operation on the samAccountType<\/b> Active Directory attribute. The 3 at the end of the string, is the number that will be bitwise OR’ed with the samAccountType<\/b> value. <\/p>\n

If the number 1.2.840.113556.1.4.803 had been used, it would mean that you wanted to do a bitwise AND<\/b> operation. These two special numbers are used for LDAP queries and are documented in KB article 269181<\/font><\/a> in the TechNet Knowledge Base. The samAccountType<\/b> attribute is an enumeration that indicates the type of object that is stored in Active Directory (normal user object, basic group object, non-security group object, query group, or other type of object). The enumeration values are documented on MSDN<\/font><\/a>. By performing a bitwise OR<\/b> operation in your search filter, the filter will return true if any bit from the samAccountType<\/b> enumeration has a 3 in it. The samAccountType<\/b> enumerations are seen in Table 1.<\/p>\n

<<\/p>\n

p style=”MARGIN: 3pt 0in” class=”TableNum-Title”>Table 1  <\/span>samAccountType Enumerations<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Enumeration<\/p>\n<\/td>\n

\n

Value<\/p>\n<\/td>\n<\/tr>\n

\n

SAM_DOMAIN_OBJECT <\/p>\n<\/td>\n

\n

0x0 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_GROUP_OBJECT <\/p>\n<\/td>\n

\n

0x10000000 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_NON_SECURITY_GROUP_OBJECT <\/p>\n<\/td>\n

\n

0x10000001 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_ALIAS_OBJECT <\/p>\n<\/td>\n

\n

0x20000000 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_NON_SECURITY_ALIAS_OBJECT <\/p>\n<\/td>\n

\n

0x20000001 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_USER_OBJECT <\/p>\n<\/td>\n

\n

0x30000000 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_NORMAL_USER_ACCOUNT <\/p>\n<\/td>\n

\n

0x30000000 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_MACHINE_ACCOUNT <\/p>\n<\/td>\n

\n

0x30000001 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_TRUST_ACCOUNT <\/p>\n<\/td>\n

\n

0x30000002 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_APP_BASIC_GROUP <\/p>\n<\/td>\n

\n

0x40000000 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_APP_QUERY_GROUP <\/p>\n<\/td>\n

\n

0x40000001 <\/p>\n<\/td>\n<\/tr>\n

\n

SAM_ACCOUNT_TYPE_MAX <\/p>\n<\/td>\n

\n

0x7fffffff<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

The filter is seen here:<\/p>\n

$filter = ‘(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3)(manager=*))’<\/p>\n

<\/font><\/span><\/p>\n

The DirectorySearcher<\/b> object is stored in the $searcher<\/b> variable. This is seen here: <\/p>\n

$searcher = New-Object DirectoryServices.DirectorySearcher ($dse, $filter)<\/p>\n

<\/font><\/span><\/p>\n

The value of $null<\/b> is assigned to the $manager<\/b> variable. This will keep your results from displaying bogus results if the $manager<\/b> variable already exists. The findall<\/b> method returns a searchResult<\/b> object that contains the path to all of the objects that match the search filter. This section of the script is seen here: <\/p>\n

$manager = $null
$searcher.findall() |<\/p>\n

<\/font><\/span><\/p>\n

The ForEach-Object<\/b> cmdlet receives the search results from the findall<\/b> method, and uses the path<\/b> property of the searchResult<\/b> object along with the [adsi]<\/b> type accelerator to create a DirectoryEntry<\/b> object. The DirectoryEntry<\/b> objects are piped to the Format-Table<\/b> cmdlet to display the user name and the associated manager. This section of the script is seen here: <\/p>\n

ForEach-Object {
[adsi]$_.path
} |
Format-Table -AutoSize -Property name, manager<\/p>\n

<\/font><\/span><\/p>\n

When the FindUsersWithManagers.ps1 script is run, the following is displayed on the Windows PowerShell console: <\/p>\n

PS C:> C:Usersadministrator.NWTRADERSDocumentsFindUsersWithManagers.ps1<\/p>\n

name        <\/span>manager
—-        <\/span>——-
{testuser1} {CN=bob,OU=test,DC=NWTraders,DC=Com}
{testuser2} {CN=user Manager,OU=testou,DC=NWTraders,DC=Com}<\/p>\n


PS C:><\/p>\n

<\/font><\/span><\/p>\n

But, KM, you said you wanted a listing of users who had not filled out their manager attribute. To do this, you can use the FindUsersWithOutManagers.ps1 script that I also wrote for you.<\/p>\n

FindUsersWithOutManagers.ps1<\/strong><\/p>\n

$domain = “dc=nwtraders,dc=com”
$dse = [adsi]”LDAP:\/\/$domain”
$filter = ‘(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))’
$searcher = New-Object DirectoryServices.DirectorySearcher ($dse, $filter)
$manager = $null
$searcher.findall() |
ForEach-Object {
 <\/span>[adsi]$_.path |
 <\/span>Where-Object { [string]::IsNullOrEmpty($_.properties.Item(“Manager”)) }
} |
Format-Table -AutoSize -Property name<\/p>\n

<\/font><\/span><\/p>\n

The FindUsersWithOutManagers.ps1 script is very similar to the FindUsersWithManagers.ps1 script. The big difference is the addition of the Where-Object<\/b> filter inside the ForEach-Object<\/b> cmdlet. The Where-Object<\/b> is used to filter out users that have a null or empty value for the Manager<\/b> attribute. A user with a filled-out manager attribute is seen here:<\/p>\n

\"Image<\/p>\n

The Where-Object<\/b> cmdlet uses the static IsNullOrEmpty<\/b> method from the string<\/b> class. If the value that is being tested is null or empty, the IsNullOrEmpty<\/b> static method from the string<\/b> class will return true. If the value being tested is not empty or null, the IsNullOrEmpty<\/b> method will return false. This is illustrated here:<\/p>\n

PS C:> $test = $null
PS C:> [string]::isNullOrEmpty($test)
True
PS C:> $test = “value”
PS C:> [string]::isNullOrEmpty($test)
False
PS C:> $test = “”
PS C:> [string]::isNullOrEmpty($test)
True
PS C:><\/p>\n

<\/font><\/span><\/p>\n

The complete Where-Object<\/b> statement is seen here:<\/p>\n

Where-Object { [string]::IsNullOrEmpty($_.properties.Item(“Manager”)) }<\/p>\n

<\/font><\/span><\/p>\n

When the FindUsersWithOutManagers.ps1 script is run, the following results are returned: <\/p>\n

<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Hey, Scripting Guy! I need to get a list of all the users that have set their manager in Active Directory. We have this Web application that allows users to populate information such as their phone number, their office location, and their manager. We actually paid a decent amount of money for this application. The […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,8,45],"class_list":["post-52303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching-active-directory","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Hey, Scripting Guy! I need to get a list of all the users that have set their manager in Active Directory. We have this Web application that allows users to populate information such as their phone number, their office location, and their manager. We actually paid a decent amount of money for this application. The […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52303"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52303\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}