
For licensing purposes is it possible to restrict users displayed in Adaxes based on an OU rather than individual accounts?

by (3.8k points)

1 Answer

by (215k points)

Hello,

There is no support for such functionality in the user interface, but you can do this with PowerShell scripts. For example, you can create a PowerShell script that will add users from specific OUs to unmanaged accounts. Then, you can use this script in a Scheduled Task using the Run a program or PowerShell script action to launch it automatically, so that when you add or remove users in the OUs you specify, the corresponding changes are made to the list of unmanaged accounts automatically.

To implement such a solution:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

  3. Select the Domain-DNS object type.

  4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the script field.

     # Distinguished names of the OUs whose users should become unmanaged accounts
     $ouDNs = @("OU=MAC Auth Accounts,OU=IT,DC=company,DC=com") # TODO: modify me

     function GetUserSids($ouDNs)
     {
         $userSids = New-Object "System.Collections.Generic.List[String]"

         foreach ($ouDN in $ouDNs)
         {
             # Bind to the OU through the Adaxes context of the Scheduled Task
             $ou = $Context.BindToObjectByDN($ouDN)

             # Search the OU and all of its sub-OUs for user accounts
             $userSearcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
             $userSearcher.SearchParameters.BaseObjectPath = $ou.AdsPath
             $userSearcher.SearchParameters.PageSize = 500
             $userSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
             $userSearcher.SearchParameters.Filter = "(&(objectCategory=person)(objectClass=user))"
             $userSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
             $userSearcher.SetPropertiesToLoad(@("objectSid"))

             $searcherResult = $userSearcher.ExecuteSearch()

             # Convert each binary objectSid to its string form (S-1-5-...)
             foreach ($user in $searcherResult.FetchAll())
             {
                 $sidBytes = $user.Properties["objectSid"].Value
                 $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)

                 $userSids.Add($sid.ToString()) | Out-Null
             }
         }

         # The leading comma keeps PowerShell from unrolling the list into separate strings
         return ,$userSids
     }

     $userSids = GetUserSids $ouDNs

     # Set the Unmanaged Accounts list of the configuration set to the collected SIDs
     $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
     $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

     $admConfigurationSetSettings.SetUnmanagedAccounts(@($userSids))
    
  5. In the script, ouDNs specifies a list of Distinguished Names (DNs) of the OUs whose users should be added to unmanaged accounts. Specify the OUs you don't want to manage.

  6. Add a short description for the script and click OK.

  7. On the 5th step, assign the Scheduled Task over any of your domains.

  8. Click Finish.

Also, you can take a look at the sample scripts in Adaxes SDK: http://adaxes.com/sdk/?SampleScripts.Co ... ounts.html.


Probably replace the entire list, right? We'll want to automate this to repopulate the list once a month (or whatever), and as users are provisioned / deprovisioned the simplest fix is probably to just redo the list each time, I assume.

Thank you!


Hello,

We've added the script to our Script Repository. See the following page, the script entitled Import Organizational Units from CSV: http://www.adaxes.com/script-repository ... htm#import.


Great, I'll test it out. Thanks!


I've tested and am unable to get the script to run via the Adaxes powershell on Windows Server 2016. I get the following error:

%% : The term '%%' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:43 char:21
+ $ouDNs = $records | %%{$_.$ouDNColumnName}
+ ~~
+ CategoryInfo : ObjectNotFound: (%%:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

I'm unsure what the double % is (I'm not very knowledgeable about scripting), but I assume it's just a typo and it's supposed to be a single %, meaning 'foreach'?

Under that assumption I dropped one of the %s and reran the script, which generated a (different) host of errors, some as shown below:

You cannot call a method on a null-valued expression.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:9 char:9
+ $searcher = $Context.BindToObjectByDN($ouDN)
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

The property 'PageSize' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:10 char:9
+ $searcher.PageSize = 500
+ ~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

The property 'SearchScope' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:11 char:9
+ $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

Have you been able to run this successfully? Am I missing a module or something? The values in my CSV look normal (I got them by running an export of our AD structure with this cmdlet):

Get-ADOrganizationalUnit -filter * | select Name,DistinguishedName | Export-csv OUs.csv -NoTypeInformation

Thanks for the assistance.


Hello,

The script uses the Context variable and can be executed only in Business Rules, Scheduled Tasks and Custom Commands. You can create a Custom Command configured for the Domain-DNS object type to update the Unmanaged Accounts list on demand. For information on how to create a Custom Command, have a look at the following tutorial: http://www.adaxes.com/tutorials_ActiveD ... ommand.htm.

To schedule updating of the Unmanaged Accounts list, use a Scheduled Task configured for the Domain-DNS object type. To create the task, have a look at the following tutorial: http://www.adaxes.com/tutorials_Automat ... gement.htm.
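The following is an added example that is not part of the original answer and not taken from the Adaxes script repository. It combines the two points made in this thread: it takes the OU list from a CSV shaped like the Get-ADOrganizationalUnit export posted above, and because it depends on $Context it must still run from an Adaxes Scheduled Task, Custom Command or Business Rule on the Domain-DNS object type, so it checks for $Context up front and fails with a clear message instead of the null-valued-expression errors shown earlier. It goes a little beyond the original script: OUs are de-duplicated, an OU that cannot be bound is logged and skipped, and the new list is diffed against the stored one so the task log records who was added or removed. Assumptions not on the page: the CSV column is named DistinguishedName, the CSV content is constructed inline here (swap in Import-Csv for a real file), GetUnmanagedAccounts() is the read counterpart of SetUnmanagedAccounts() and returns SID strings, and SetUnmanagedAccounts() replaces the stored list rather than appending to it.

```powershell
# Added example, not code from the original post or the Adaxes script repository.
# Runs inside Adaxes (Scheduled Task / Custom Command / Business Rule on the
# Domain-DNS object type), where Adaxes provides $Context.

# Constructed sample CSV, shaped like the output of
#   Get-ADOrganizationalUnit -Filter * | Select Name,DistinguishedName | Export-Csv OUs.csv -NoTypeInformation
# For a real file use:  $records = Import-Csv -LiteralPath "C:\Scripts\OUs.csv"
$csvText = @"
"Name","DistinguishedName"
"MAC Auth Accounts","OU=MAC Auth Accounts,OU=IT,DC=company,DC=com"
"Service Accounts","OU=Service Accounts,DC=company,DC=com"
"Service Accounts","OU=Service Accounts,DC=company,DC=com"
"@
$records = $csvText | ConvertFrom-Csv
$ouDNColumnName = "DistinguishedName"   # assumption: column name as exported above

# $Context exists only when Adaxes runs the script. Fail early with a clear message
# instead of the "You cannot call a method on a null-valued expression" errors that
# appear when the script is started from a plain PowerShell console.
if ($null -eq $Context)
{
    throw "Run this script from an Adaxes Scheduled Task, Custom Command or Business Rule; `$Context is not available in a plain PowerShell session."
}

# One '%' (ForEach-Object) per record; '%%' is not a PowerShell alias.
$ouDNs = @($records |
    ForEach-Object { "$($_.$ouDNColumnName)".Trim() } |
    Where-Object { $_ -ne "" } |
    Sort-Object -Unique)

if ($ouDNs.Count -eq 0)
{
    throw "No OU distinguished names found in column '$ouDNColumnName'."
}

function Get-UserSidsFromOU([string] $ouDN)
{
    $sids = New-Object "System.Collections.Generic.List[String]"

    # A mistyped or deleted OU is logged and skipped so one bad row does not abort the run.
    try
    {
        $ou = $Context.BindToObjectByDN($ouDN)
    }
    catch
    {
        $Context.LogMessage("Cannot bind to OU '$ouDN': $($_.Exception.Message)", "Warning")
        return ,$sids
    }

    # Same searcher settings as the original script: every user object below the OU
    $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
    $searcher.SearchParameters.BaseObjectPath = $ou.AdsPath
    $searcher.SearchParameters.PageSize = 500
    $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchParameters.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SetPropertiesToLoad(@("objectSid"))

    foreach ($user in $searcher.ExecuteSearch().FetchAll())
    {
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($user.Properties["objectSid"].Value, 0)
        $sids.Add($sid.ToString())
    }
    return ,$sids
}

# Collect SIDs from every OU, de-duplicated in case one listed OU is nested in another.
$userSids = New-Object "System.Collections.Generic.List[String]"
foreach ($ouDN in $ouDNs)
{
    foreach ($sid in (Get-UserSidsFromOU $ouDN))
    {
        if (-not $userSids.Contains($sid)) { $userSids.Add($sid) }
    }
}

$settingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$settings = $Context.BindToObject($settingsPath)

# Assumption: GetUnmanagedAccounts() returns the currently stored SID strings.
# Diffing against it leaves an audit trail in the task log of who was added or removed.
$current = @($settings.GetUnmanagedAccounts())
$added   = @($userSids | Where-Object { $current -notcontains $_ })
$removed = @($current  | Where-Object { -not $userSids.Contains($_) })

# Hand over the complete list each run (assumed replace, not append, semantics),
# so accounts that have left these OUs drop off the unmanaged list again.
$settings.SetUnmanagedAccounts(@($userSids))
$Context.LogMessage(("Unmanaged accounts updated: {0} total, {1} added, {2} removed" -f $userSids.Count, $added.Count, $removed.Count), "Information")
```

Paste the block into the Run a program or PowerShell script action of a Scheduled Task (or Custom Command) assigned over a domain, as in the steps above; running it from a desktop PowerShell window will stop at the $Context check by design. The diff against the stored list is worth keeping even if the log line is all you use it for: an unexpected jump in the "removed" count on a monthly run is the quickest sign that an OU was renamed or moved and the CSV is now stale.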
