0 votes

Hallo @All,

I have a special question.
I think I have tonns of unassigned Security Role assignments and I want to Identify this objects to delete them.

I wrote a script to automatically add these assignments to a Role and this script runs for some weeks and add tonns of assignments that I cant see and the script gives me no errors. At this time Adaxes is so slow, when I click in web interface to create a new user I wait one minute and eleven secounds. :-(

Do anybody know how to identify the zombie assignments?


by (360 points)

Hello Arne,

Did you receive our reply by e-mail? We've replied to you on this matter. Check your inbox and, probably, SPAM folder.

We've assigned the task to our script guys. They will both find a way to remove the duplicating assignments and fix your script. Your issue has been assigned top priority.

1 Answer

0 votes
by (216k points)
selected by
Best answer


The scripts are ready. The below script will clean up Security Role Assignments created by your script. To run it:

  1. Save the script to a file with the .ps1 extension on the computer where Adaxes service is installed. For example, you can name it fixassignments.ps1.

  2. Log on to the computer with credentials of Adaxes default service administrator (the user that you specified when installing the service).

  3. Launch Windows PowerShell. To do this:

    • Press Win+R.
    • Type powershell.exe
    • Press Enter.
  4. In the PowerShell Console, navigate to the folder where you saved the script file. For example, if you saved the file to C:\Scripts, type:

     cd C:\Scripts
  5. Run the script by executing the following line:

     .\fixassignments.ps1 'My Role'


    • fixassignments.ps1 - is the name of the script file that you've created on step 1.
    • My Role - is the name of the Security Role that you are having issues with.

The script:



# Connect to Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Bind to Security Role
$securityRolesPath = $admService.Backend.GetConfigurationContainerPath( `
$securityRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" `
$myRoleAdsPath = $securityRolesPathObj.CreateChildPath( `
$role = $admService.OpenObject($myRoleAdsPath, $NULL, $NULL, 0)

# Get all Assignments
$assignments = $role.Assignments
for ($i = 0; $i -lt $assignments.Count; $i++)
    $assignment = $assignments.GetObject($i)
    for ($j = $assignments.Count - 1; $j -gt $i; $j--)
        # Check Trustee
        $assignmentToCheck = $assignments.GetObject($j)
        if ($assignmentToCheck.Trustee -ne $assignment.Trustee)

        # Compare Activity Scope Items
        foreach ($itemToCheck in $assignmentToCheck.ActivityScopeItems)
            $baseObjectGuidToCheck = [Guid]$itemToCheck.Get("adm-ScopeBaseObjectGuid")
            $addNewItem = $True
            foreach ($item in $assignment.ActivityScopeItems)
                $baseObjectGuid = [Guid]$item.Get("adm-ScopeBaseObjectGuid")
                if (($baseObjectGuidToCheck -eq $baseObjectGuid) -and ($itemToCheck.Inheritance -eq $item.Inheritance) -and ($itemToCheck.Exclude -eq $item.Exclude))
                    $addNewItem = $False
            if (!($addNewItem))

            # Create Activity Scope Item
            $scopeItem = $assignment.ActivityScopeItems.Create()
            $scopeItem.BaseObject = $itemToCheck.BaseObject
            $scopeItem.Type = $itemToCheck.Type
            $scopeItem.Inheritance = $itemToCheck.Inheritance

            $scopeItem.Exclude = $itemToCheck.Exclude


Write-Host "Operation completed"

Also, we've fixed your script file that created the mess, however, since it contains sensitive information, we won't publish it on the form. We've sent it over to you by e-mail. Check your inbox.


many thanks for that reply.
Everything work as designed now.


Related questions

0 votes
1 answer

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (80 points)
0 votes
1 answer

Hi We're running 2018.1 (3.9.15631.0) and I am modifying our security role assignments to use new AD groups. When looking at the role assignments, some are displaying the ... the information. Is there another way to get the full path to the OU? Thanks Matt

asked Aug 28, 2018 by chappers77 (2.0k points)
0 votes
1 answer

Hello, We have a complex multi-domain environment where the Help Desk (and other groups) is assigned variety of rights over certain OUs within a given per-customer OU ... Role for the new AD group. Any assistance with this would be greatly appreciated. Thanks

asked May 28, 2015 by SomeUser (90 points)
0 votes
1 answer

I need to replace one Active Directory security group that has been given rights over many OUs within several Security Roles. There are likely ~300 entries that need ... in the SDK documentation appears to be broken - http://adaxes.com/scriptrepository

asked May 1, 2013 by SomeUser (90 points)
0 votes
1 answer

I have an OU structure as follows: Computers |- Servers |- A |- B |- C Groups |- Computers | |- A Phase 1 | |- A Phase 2 | |- A Phase 3 | |- B Phase 1 | ... as the naming scheme is fairly standard. Is this doable, and if so, can you guide me on the right path?

asked Nov 17, 2023 by bennett.blodinger (60 points)
3,343 questions
3,044 answers
544,953 users