Find everyone rolling up to me

Yesterday someone asked me to help create a distribution list for everyone reporting to a particular manager (directly or indirectly). Needless to say, that PowerShell makes getting a list of such user accounts a piece of cake!

Here’s the quick script (using AD cmdlets) which I emailed back:

function Get-QADIndirectReport {
param ($Identity)
  # Find all direct reports
  Get-QADUser -Manager $Identity | ForEach-Object {
      # Output direct report
    $_ 
    # Then recursively call this function for all
    # reports of this report
    Get-QADIndirectReport -Identity $_
  }

}

# usage example
Get-QADIndirectReport 'Dmitry Sotnikov'

Basically, AD cmdlets natively can retrieve all direct reports, and I have created a function which keeps going deeper level-by-level getting everyone reporting indirectly as well.

You can then take this a few steps further. For example, say, you want to get a list of users you could then just copy/paste into Outlook. Simply select the Email property from the user objects and ask PowerShell to put semicolon between the addresses:

# get a list of addresses for an email message
(Get-QADIndirectReport 'Dmitry Sotnikov' | 
  Select-Object -ExpandProperty Email) -join '; '

Or you could indeed use the list to populate a group:

# add everyone to a group
Get-QADIndirectReport 'Dmitry Sotnikov' |
  Add-QADGroupMember DmitrysReports

Or you could further restrict the list by City, Department and so on by simply tweaking Get-QADUser parameters in the code above. PowerShell is super-flexible!

My Recent Tweets

I will be presenting at the Incidence Response Planning webinar / live Q&A this coming Thursday, August 4. See you… twitter.com/i/web/status/1… 7 months ago

@JazonTWong @apisecurityio And also the attacker had to test their membership hypothesis for a specific group. Ther… twitter.com/i/web/status/1… 1 year ago

@JazonTWong @apisecurityio They made it lower because the attacker needs to be connected to the victim. However, st… twitter.com/i/web/status/1… 1 year ago

@hakluke apisecurity.io by @apisecurityio 1 year ago

@TheMarkONeill The ToC part of the web page definitely needs some fixing ;) Great report, Mark! (As always) Thanks for sharing! 1 year ago

7 Responses to “Find everyone rolling up to me”

Feed for this Entry Trackback Address

1 Klaus Graefensteiner June 2, 2011 at 12:42 am

I guess you just found a use case for a -recurse or -rollup parameter in the Get-QADuser cmdlet.

Regards,

Klaus

- 2 Dmitry Sotnikov June 2, 2011 at 4:42 am
  
  I guess so… The question is – how common is really this particular use-case to implement it in the cmdlet code as opposed to this quick blog post?
  
  I bet one could probably also create a proxy function, adding a -RecursiveManagedBy parameter…
  
3 Dwayne July 28, 2011 at 11:25 pm

This is good stuff!!

Any idea how i might generate a list of users that have direct reports?

For example: supervisors, managers, directors, VP’s, etc etc.

- 4 Dmitry Sotnikov July 28, 2011 at 11:28 pm
  
  Dwayne,
  
  Yep, see the script here: http://powergui.org/thread.jspa?threadID=16541
  
  Dmitry
  
5 Jarrod Beckman September 8, 2013 at 3:20 am

This is great! How do I “include” get-qadindirectreport in the Quest Powershell command prompt? When I run the script with the .\ in the Quest command line, I don’t seem to be able to invoke get-qadindirectreport. If I run the “PowerGUI script editor” and run it there, then I can… is there a way to get it to run natively in the Quest Activeroles Management shell?

- 6 Dmitry Sotnikov November 21, 2013 at 1:27 am
  
  Just add the Add-PSSnapin to your scripts or PowerShell profile.
  
7 Dkel22 January 7, 2014 at 3:27 pm

Just a quick question, what if I wanted to add a report to this script that would document all the users that our added to the group? Is there an easy way to output the list of users to a file or something as they are added?

Dmitry's Blog: Cloud, PowerShell and beyond