Introduction:

There are different reports available in IM. But sometimes it may be easier to take data directly out from the provisioning server.
Here is an example of how to list all Global User that does not have a provisioning role assigned.
A Global User without a provisioning role indicates that the user is not currently managed by IM

Instructions:

You will use ldapsearch and list all Global Users that does not have eTRoleDN. Ldapsearch is located in "..\Provisioning Server\bin" directory.
You can also use dxsearch (which is a wrapper around the ldap tools) or any other ldapsearch implementation.

There are two ways to access the provisioning directory. You can go via the provisioning server on port 20389 or you can go directly to the provisioning directory on port 20391.
Going directly is a faster way and for a search that does not need to access data outside provisioning directory this is the preferred way.

To be able to use this, you would need to know the provisioning directory install password.

PROVISIONINGSERVER = hostname of provisioning server
PASSWORD = Provisioning Directory install password
IM_DOMAIN = provisioning domain, default IM

ldapsearch -LLL -h PROVISIONINGSERVER -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -w PASSWORD -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=IM_DOMAIN,dc=etadb" -s sub "(&(objectClass=eTGlobalUser)(!(eTRoleDN=*)))" dn

Additional Information:

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1549845.aspx