22 June 2006

I Do LDAP

Officially, our work responsibility doesn't include generating reports. There is supposed to be an entire department dedicated to the task, but they are so horrible at it, I end up making all the reports myself. A prime example of the Reporting Department's incompetence goes like this: I was involved in a project that required moving some folder from server A to server B. The project manager wanted to know what groups were currently granted access to the folder. By getting the members of the groups, he would know who would be affected and could subsequently look up their cost centers and find the proper resources to support them on deployment day. He asked the Reporting Dept. for the report and they didn't answer him until two weeks later. By then I had already generated the report myself. Three days later may be acceptable, a week is a stretch, but two whole weeks later!

I started out using the freeware DumpSec or DumpACL for all my reporting needs. The trouble with DumpSec is it only works for the entire domain, i.e. you run it and you end up with a list of everyone in the domain. So to find out if a given list of usernames contains anyone who has been disabled, I would have to use a query table in MS Access to look them up. Or import the data into Excel and use filtering to find the set of users meeting the current condition. As I made use of KiX, I went further with the GetObject() function, using WinNT as the source. It served me well for a while, but as we now move into Active Directory, GetObject("WinNT:xxx") just doesn't cut it. AD makes use of LDAP and there's so much more info to extract from. Recently, a colleague was tapped to provide basic info for a set of users to an auditor. The usual full names, disabled status, etc. were not an issue, but the auditor also wanted the date the accounts were created. My colleague had to copy the creation dates one by one for all 200+ users. I was pretty sure it was one of the LDAP attributes, but Googling for it yielded nothing. I asked one of our AD experts and sure enough he told me that it's called whenCreated. Sheesh, I used CreationDate, CreatedDate, and a couple of variations... how would I know it's called whenCreated? I'll have to look for one of those books that lists all the LDAP attributes. Also, the next great goal I want to reach is to be able to extract LDAP info from Novell 6. Novell calls it eDirectory but deep down it's just plain LDAP, I think. The way everything in NDS has to be tied to the OU is a major annoyance. For instance, I can change the password for a number of AD users without having to know their OUs, but with NDS, it's a requirement. If I can somehow, with just a given set of usernames, look up their OUs and then feed them to the program that carries out the change, I would be a happy camper.
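The report described above (full name, disabled status, creation date, and the container each account lives in, for a given list of usernames) is mostly a matter of knowing the attribute names and how to decode their values. The following is an added example, not the author's KiX code: it builds the single LDAP filter such a search would use and then post-processes the entries a search would return. The attribute names (sAMAccountName, whenCreated, userAccountControl, distinguishedName) are real AD schema names; the entries, usernames and domain are constructed sample data so the script runs offline. With a live directory you would substitute the result set of an ldap3 or ADSI search over the same attributes.

```python
"""Added example (not from the original post): build an AD user-lookup filter and
decode whenCreated, the disabled flag, and the OU path from returned entries.
SAMPLE_ENTRIES below are constructed, not real directory data."""
from datetime import datetime, timezone

# Attributes to request in the search; these are the real AD schema names.
ATTRS = ["sAMAccountName", "displayName", "whenCreated",
         "userAccountControl", "distinguishedName"]
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account


def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a username like a*b
    cannot widen the search into a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(usernames):
    """One search for the whole list instead of one lookup per user."""
    clauses = "".join("(sAMAccountName=%s)" % ldap_escape(u) for u in usernames)
    return "(&(objectCategory=person)(objectClass=user)(|%s))" % clauses


def parse_generalized_time(value):
    """whenCreated is LDAP GeneralizedTime, e.g. 20060622153000.0Z (UTC)."""
    return datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_disabled(uac):
    """userAccountControl comes back as a decimal string; test the disable bit."""
    return bool(int(uac) & ACCOUNTDISABLE)


def ou_path(dn):
    """Drop the leading RDN (CN=...) of a DN and return its container, honouring
    RFC 4514 backslash escapes so 'CN=Doe\\, Jane,OU=...' splits correctly."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return ",".join(parts[1:])


def summarize(usernames, entries):
    """Return (rows keyed by username, list of requested usernames not found)."""
    rows = {}
    for e in entries:
        rows[e["sAMAccountName"]] = {
            "name": e.get("displayName", ""),
            "created": parse_generalized_time(e["whenCreated"]),
            "disabled": is_disabled(e["userAccountControl"]),
            "ou": ou_path(e["distinguishedName"]),
        }
    missing = [u for u in usernames if u not in rows]
    return rows, missing


# Constructed sample data standing in for a live search result.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "whenCreated": "20060622153000.0Z", "userAccountControl": "512",
     "distinguishedName": "CN=Doe\\, Jane,OU=Sales,DC=example,DC=com"},
    {"sAMAccountName": "bsmith", "displayName": "Bob Smith",
     "whenCreated": "20051101080000.0Z", "userAccountControl": "514",
     "distinguishedName": "CN=Bob Smith,OU=Finance,OU=Users,DC=example,DC=com"},
]

if __name__ == "__main__":
    wanted = ["jdoe", "bsmith", "ghost"]
    print(build_filter(wanted))
    rows, missing = summarize(wanted, SAMPLE_ENTRIES)
    for user, r in rows.items():
        print("%-8s %-12s created=%s disabled=%s ou=%s"
              % (user, r["name"], r["created"].date(), r["disabled"], r["ou"]))
    print("not found:", missing)
```

The escaping in build_filter matters for a report tool fed from a spreadsheet: an unescaped `*` in a username turns the clause into a wildcard and silently returns accounts that were never asked for. The missing list is the other half of the auditor's question, since a username that no longer resolves is as interesting as one that is disabled.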
