PowerShell - Who Reports to Whom? (Active Directory recursive DirectReports)

I've been working in the video games industry for a bit more than 3 months now. A lot is going on, and the pace seems faster than regular corporation environment. I also notice a lot of employees movements between teams and projects.

Last week I had an interesting "Quest": To find the list of employees under a specific manager. In Active Directory you can retrieve this information under the property DirectReports.

However if this manager manage other managers... how can I do a recursive search... ?
Sounds like a mission for PowerShell :-)

In the following post, I will use the above diagram as an example to explain how to retrieve the directreports information and show how to find all the "indirect reports.

Get-ADDirectReports function

Get-ADDirectReports is PowerShell function using the ActiveDirectory module to retrieve the directreports property. If the switch parameter -Recurse is used, It will report all the indirectreports users under the -Identity account specified.

As an example, (assuming the above diagram) we can run the following commands:

# Find all direct user reporting to Test_director
Get-ADDirectReports -Identity Test_director

# Find all Indirect user reporting to Test_director
Get-ADDirectReports -Identity Test_director -Recurse

Retrieving the DirectReport Property

Using the MMC Active Directory Users and Computers, this property in under the Organization tab of a user object. For example, here is the information for the Director

Director - DirectReports using PowerShell

# Find all direct user reporting to Test_director

Get-ADUser -Identity test_director -Properties directreports | Select-Object -ExpandProperty DirectReports

Managers - DirectReports

# Find all direct user reporting to Test_managerA

Get-ADUser -Identity test_managerA -Properties directreports | Select-Object -ExpandProperty DirectReports

Translating the output

We can notice that all the values returned are DistinguishedName. You'll need to do some extra work to get more information on those accounts. For example let's say you only want the SamAccountName and Mail properties:

Get-ADUser -Identity test_director -Properties directreports |
    Select-Object -ExpandProperty directreports |
    Get-ADUser -Properties mail |
    Select-Object SamAccountName, mail

Recursive DirectReport

We can now create a small function to loop each time some directreports object are found...

Small version

function Get-ADdirectReports
{
    PARAM ($SamAccountName)
    Get-Aduser -identity $SamAccountName -Properties directreports | %{
        $_.directreports | ForEach-Object -Process {
            # Output the current Object information
            Get-ADUser -identity $Psitem -Properties mail,manager | Select-Object -Property Name, SamAccountName, Mail, @{ L = "Manager"; E = { (Get-Aduser -iden $psitem.manager).samaccountname } }
            
            # Find the DirectReports of the current item ($PSItem / $_)
            Get-ADdirectReports -SamAccountName $PSItem
        }
    }
}

Full version

As a final step we want a flexible function who can return DirectReports and IndirectReports, plus all the nice stuff from PowerShell (Error Handling, Comment Based Help, etc...)

The full version is available below :-)

Download

• Technet Gallery
• GitHub

Thanks for reading! If you have any questions, leave a comment or send me an email at fxcat@lazywinadmin.com. I invite you to follow me on Twitter @lazywinadm / Google+ / LinkedIn. You can also follow the LazyWinAdmin Blog on Facebook Page and Google+ Page.