• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 62 subscribers
  • Views 6700 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deprovisioned user report - performance

joemcnicholas
over 7 years ago

 Hi All

I'm trying to construct a PowerShell report which will give me a list of Users created and deprovisioned in the previous calendar month.

So far, I have it working, but the search for deprovisioned users takes forever (An hour or two - I have 100,000 user objects in AD) using this command:

get-qaduser -SearchAttributes @{edsvaDeprovisionStatus='1'} -SizeLimit 0 -DontUseDefaultIncludedProperties -IncludedProperties userprincipalname,mail,edsvadeprovisionreportxml,edsvaDeprovisionStatus

 

After I get the list of users, I then have to deconstruct the XML report in the edsvadeprovisionreportxml attribute of each user to find the date the Deprovision was requested like this:

[xml]$xml = $_.edsvadeprovisionreportxml
[datetime]$DeprovDate = $xml.report.table.row.sections.section[1].list.item | where {$_.name -eq 'Requested:'} | %{$_.t.date}

 

2 questions:

1 - Can this query be improved for faster performance?  I'm wondering if it's possible to have ARS index the edsvaDeprovisionStatus attribute for better search performance. Maybe different search criteria or syntax?

 

2. Is it possible to search for the deprovision date "natively", or am I stuck with the XML report deconstruction?

 

Thanks

Joe

  • +1 over 7 years ago
    I have a report of sorts that I generate regularly based off the AR transaction history information (data that is used to build object change history).

    This the PoSh code that I used to pull this data:

    # ARSConnection comes from a Connect-QADservice command to the AR server
    # LastWeek is just a calculation of today minus 7 days

    $DeprovisionTransactions = Get-QARSOperation -Connection $ARSConnection -InitiatedAfter $LastWeek -TargetObjectType user -OperationType 'Deprovision'

    There's some more code that I use to further parse what comes back but even if you just took $DeprovisionTransactions and pipe it to 'format-list' you will get a sense of what the data looks like.

    I think this is more efficient than searching your 100K object AD...just saying.
  • +1 over 7 years ago

    The other thing I was going to suggest is to get ActiveRoles to do the work for you in building your list of deprovisioned users. You could create a Managed Unit that has a membership rule / query that searches on edsvaDeprovisionStatus='1'. Then you can use the Managed Unit's distinguished name as your 'SearchRoot' parameter for your Get-QADUser if you still want to use your current approach.