0 votes

Hi all,

Just wondering when Adaxes actually determines the current unmanaged/managed user counts - is it random, scheduled, or a manual thing? Also, does it randomly re-determine the list of managed users by itself?

I ask as we have Adaxes running the 'add user to unmanaged accounts list' script every 2 am, however we just got an email that the license count had been exceeded at around 7 am this morning.

Our actual license count should be around 200, and after I manually ran the script it dropped from 490 back to the expected 220. I am wondering if Adaxes is automatically re-adding users to the managed list at random, or if the script is occasionally failing to run due to the connection from Azure (where the Adaxes box is) to our on-prem environment dropping. The execution logs show the script ran successfully every night, so I am not sure here.

Cheers all.

by (160 points)

1 Answer

0 votes
by (222k points)

Hello,

There are no default background tasks that automatically add or remove users from the unmanaged list. It can only be done manually or by a script. License validation is performed at random periods not less than once per 10 hours. During the validation, Adaxes only checks the number of managed enabled and not expired user accounts. If the number exceeds the one allowed by the license, an email notification is sent. Most probably, you have two scripts for updating the list of unmanaged accounts and executing the second one results in exceeding the license. To check that, you can use the following script from our repository: https://www.adaxes.com/script-repository/search-and-replace-text-in-adaxes-scripts-s224.htm. To perform the required search via the script, you can use a command like the following:

.\MyScript.ps1 -textToSearch "SetUnmanagedAccounts"
0

Hi there,

It seems this may not be the case - I ran the script, and it returned a single instance of the phrase "Unmanaged Accounts" and 1 instance of "SetUnmanagedAccounts" - both within the script that reduces this number. This is the script, which is the one that runs at 2 am every day. (We do have the managedOuDNs defined, but I've redacted them for obvious reasons.)

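# Adds the SID of every user account located outside the managed OUs to $allUnmanagedSids.
# $managedOuDNs (the list of managed OU DNs) is defined elsewhere; it is redacted in this post.
function GetUserSids($managedOuDNs, $allUnmanagedSids)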
{
    $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
    $searcher.SearchParameters.Filter = "(sAMAccountType=805306368)"
    $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchParameters.PageSize = 500
    $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SearchParameters.VirtualRoot = $True
    $searcher.SetPropertiesToLoad(@("objectSid","distinguishedName"))

    try
    {
        $searcherResult = $searcher.ExecuteSearch()
        foreach ($user in $searcherResult.FetchAll())
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $user.Properties["distinguishedName"].Value
            $addToUnmanagedAccounts = $True
            foreach ($ouDN in $managedOuDNs)
            {
                if($userDN.IsDescendantOf($ouDN))
                {
                    $addToUnmanagedAccounts = $False
                    break
                }
            }

            if (!($addToUnmanagedAccounts))
            {
                continue
            }

            $sidBytes = $user.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)

            $allUnmanagedSids.Add($sid.Value) | Out-Null
        }
    }
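    finally
    {
        # $searcherResult is still $null if ExecuteSearch() itself threw
        if ($null -ne $searcherResult)
        {
            $searcherResult.Dispose()
        }
    }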
}

# Create an empty hash set for SIDs of Unmanaged Accounts
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids

# Bind to the 'Configuration Set Settings' object
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Update Unmanaged Accounts
$admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))

If Adaxes does not reset the unmanaged accounts number on occasion, there may be some other issue (perhaps some sort of corruption or an update) that has caused the number to revert to 497, and then the script failed to change the number?

It may be easier to mark this down as a one-off failure.
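The nightly script above rebuilds the whole SID set from a directory search and passes it to SetUnmanagedAccounts, so a run whose search returned fewer users than exist would still be logged as successful while shrinking the unmanaged list. The following is an added example, not code from the thread or from Adaxes: a guard that compares the new set with the previous run's set before the update is applied. The function name, the 10% tolerance, and the idea that the script keeps the previous run's SID list are all assumptions.

```powershell
# Added example: hypothetical guard, not part of the poster's script or of Adaxes.
function Test-UnmanagedSidUpdate
{
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $NewSids,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $PreviousSids,
        [ValidateRange(0, 100)] [int] $MaxShrinkPercent = 10   # assumed tolerance
    )

    # SIDs that were unmanaged after the last run but are missing from the new set
    $new = [System.Collections.Generic.HashSet[string]]::new([string[]]$NewSids)
    $dropped = @($PreviousSids | Where-Object { -not $new.Contains($_) })

    $shrinkPercent = 0
    if ($PreviousSids.Count -gt 0)
    {
        $shrinkPercent = [math]::Round(100 * $dropped.Count / $PreviousSids.Count, 1)
    }

    [pscustomobject]@{
        # Never apply an empty list, and never drop more than the tolerated share
        Apply         = ($NewSids.Count -gt 0) -and ($shrinkPercent -le $MaxShrinkPercent)
        PreviousCount = $PreviousSids.Count
        NewCount      = $NewSids.Count
        Dropped       = $dropped
        ShrinkPercent = $shrinkPercent
    }
}

# Constructed sample SIDs (not real accounts): last run's list vs. a search cut short
$previous = 1001..1010 | ForEach-Object { "S-1-5-21-1111111111-2222222222-3333333333-$_" }
$partial  = $previous[0..3]

$check = Test-UnmanagedSidUpdate -NewSids $partial -PreviousSids $previous
if ($check.Apply)
{
    # This is where the nightly script would call SetUnmanagedAccounts, as on the page
    "Updating unmanaged list: $($check.NewCount) SIDs"
}
else
{
    $message = "Refusing update: {0} of {1} SIDs ({2}%) would become managed" -f `
        $check.Dropped.Count, $check.PreviousCount, $check.ShrinkPercent
    Write-Warning $message
}
```

Logging the previous and new counts on every run also gives the execution log enough detail to tell a full update from a truncated one.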
