Adaxes Q&A - Recent questions in Active Directory Management with Adaxes

Update Adaxes from 2023.2 to 2026.1

Wed, 13 May 2026 13:39:42 +0000

We're going to be upgrading and Im wondering if there's any caveats we should be aware of in such a major version jump. We have 2 backend servers and 2 frontend servers.

When someone is using a Custom Command, can you detect (PowerShell) who initiated the CC?

Tue, 12 May 2026 08:18:48 +0000

When someone is using a Custom Command, can you detect (WIth PowerShell as Action) "who initiated" the Custom Command?

I found that you can use e.g.: adm-InitiatorFullName to have the full name of the Initiator, is this correct?

Where can we find more info about the object: $Context.Initiator and the properties of this object that are available or are only the %Adm-InitiatorFullname%; ...EMail; ...Dn available?

When creating a scheduled task, you select Object type. e.g.: User => can you add extra (LDAP) filters

Mon, 11 May 2026 12:00:07 +0000

When creating a scheduled task, you select Object type. e.g.: User but can you add an additional filter, eg. where deparment is a value (HR, IT, ...) or where an extensionAttribute15 equals 'Mailbox'?

We have an external process (SFProvisioning) and HR or other people can request a mailbox for a person. We like to do this with a custom commend that set a value in AD e.g.: ExtAttrib15 and then run a scheduled task on all objects that have this value set to a specific value.

In a custom command you have when starting the 'pop-up' are you sure and at the end the summary witht the execution log.

Can you customize these pop-ups and/or can you during the progress of the CC add an extra pop-up when e.g more information from the requestor is needed?

Adaxes URL locations

Mon, 04 May 2026 08:36:03 +0000

I found a URL that's being used and I am not sure where it's coming from. I've looked everywhere to see how it's even accessible.

The url directs people to a reset password page that's diffferent thn the ones I manage in the web config page. It is not associated with any of the Web Interfaces when I go to edit them.

The URL ends with /adaxes/#/SelfPasswordReset

Image below of the page that looks different than the ones created with web config. This is also not the same as the "Forgot password?" prompt at the bottom of the other Web Interfaces:

The only spot I've seen it is in OS Integration, but that isn't enabled right now. You can see it's grayed out, and the URL is a bit differen't, the hastag is instead the name of one of the Web Interfaces (I blacked it out in the image below)

Is it planned to support this AD integrated feature with a future version?

Tue, 28 Apr 2026 08:27:53 +0000

Adding support for -MemberTimeToLive would be benefitial.

How can I email a newly created user's group membership?

Mon, 27 Apr 2026 08:43:21 +0000

Would it be best to use the standard Powershell to pull the user's group membership and can that be embedded in a notification email after a user is created? Or is there a variable that will do this that I seem to be missing.

Entra Guest users & sponser attribute within Adaxes

Fri, 24 Apr 2026 10:58:31 +0000

Hello, Thank you for the clarification. I understand that, as of today, Adaxes does not provide built‑in functionality to create Microsoft Entra (Azure AD) guest users and that this can only be achieved via scripts using Microsoft Graph. I would like to ask a follow‑up question to this topic:

Is native support for creating Entra guest (B2B) users currently on the Adaxes product roadmap, or under consideration for a future release? If such functionality is planned, is it also intended to support the Microsoft Entra Sponsors attribute (the sponsors relationship on guest users used for governance, access reviews, and entitlement management)?

The ability to manage guest users natively in Adaxes, including assigning or maintaining the Entra sponsor relationship, would greatly improve governance and lifecycle management in Entra‑only or hybrid environments. Thank you in advance for any insight you can share regarding roadmap status or long‑term direction. Kind regards,

Willem

In Adaxes how can I backup a user's group membership before I run through a deprovisioning?

Thu, 23 Apr 2026 14:08:51 +0000

I find it's a good idea to have backups of a user's group membership when they depart so I'd like to be able to do this.

Can the Exchange Management Tools only be safely installed on an Adaxes Server?

Wed, 22 Apr 2026 13:56:54 +0000

Microsoft supports decommissioning your last on prem Exchange Server and managing receipients using Windows PowerShell. See: https://learn.microsoft.com/en-us/exchange/manage-hybrid-exchange-recipients-with-management-tools

Unfortunately, this means that we can no longer run commands remotely to the Exchange Server. We can run commands against any domain attached machine if it has the Exchange Management Tools only on it.

Can the Exchange Management Tools be installed safely on an Adaxes Server?

Where can I find the e-mail body from a approval Email Notifications

Wed, 22 Apr 2026 10:10:10 +0000

we have a Request approval for user creation

I need to change the body from the Email Notification. Between Header and Footer. Where can we change it?

Is there any possibility to grant a scheduled task to view ALL pending approval requests?

Thu, 16 Apr 2026 15:47:36 +0000

I want to query all pending approval Request to check if there's already an pending request for a specific object. I can create a security Role with the needed rights, but cannot assign it to the scheduled task. is there any otther possibility to check?

Does the Backup and Restore backup EVERYTHING?

Wed, 15 Apr 2026 15:09:34 +0000

Since we are required to uninstall Adaxes in order to upgrade it to a newer version, what will be lost in the process?

Does uninstalling it remove everything, or does it leave behind any configuration files?

Does the Backup and Restore Utility back up everything in Adaxes, so that when I restore it on the new installation, everything will be the same as before?

o365 remove licenses not inherited

Mon, 13 Apr 2026 16:52:27 +0000

Is there a script to remove all O365 licenses except the ones that are inherited? Currently the automation is working, it's removing the licenses (except the ones that are inherited) but it comes back with an "error" "user license is inherited and cannot be removed". If that is not possible, is it possible to remove the error from the task report? tx

Any alert when an account is added to an admin group?

Mon, 13 Apr 2026 11:00:16 +0000

Is there a report that will notify me or an auditor when a user has been added to the Domain Admin group or any other 365 Admin Role?

RC4 is being deprecated

Mon, 06 Apr 2026 14:27:45 +0000

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/what-changed-in-rc4-with-the-january-2026-windows-update-and-why-it-is-important/4504732

Have you guys created any kind of rules or mechanisms to check if accounts in adaxes are going to be affected by this RC4 deprecation?

Ghost (email) actions Adaxes

Thu, 02 Apr 2026 13:42:00 +0000

We use Adaxes for our user LifeCyclemanagement Flows.

This flows scheduled actions are running in user context. Recently, users have been receiving emails from severals flows containing incorrect data, even though the account does not meet the conditions to receive these emails. Additionally, other actions in the flow were not executed, and no logging of these actions is visible in Adaxes. The data in the daily overview reports is correct.

How to specify which objects get licensed

Thu, 02 Apr 2026 08:01:36 +0000

We have a certain amount of licenses. We recently integrated with EntraID and all the objects got auto-licensed. We only want user accounts (no mailboxes/no guests accounts etc) to consume a license. I can do this manually but it will get very tidious any time a guest account or new object is created in Entra. Is there any way to specify a rule for this?

Adaxes/Azure client secret expired, now giving me errors

Mon, 30 Mar 2026 13:44:33 +0000

I am attempting to reset the client secret for the Application Registration for Adaxes. I have copied the client secret value from the new secret and using the same App Registration as before with all the permissions originally set. After several minutes of it claiming the client secret is wrong, now it complains:

It couldn't be any more wrong

Move-AdmObject Cannot find object: A referral was returned from server

Fri, 27 Mar 2026 10:01:19 +0000

I am running the following PowerShell script that moves an object from one OU to another in our Entra tenant.

Note this is an Entra id guest account that exists. It finds the account using Get-AdmObject by UPN. The distinguished name reference is correct as the target OU.

Is the path syntax different because its a container vs an OU? I have tried using the distinguished name, adsPath and objectGuid of the target location object with the same results.

But when I try to move the object to the new OU, it returns the following error:

$upn = "email_domain.com#EXT#@domain.onmicrosoft.com"

<# Only used to get the domain object #>
$domainDN = "%distinguishedName%"
$domain = $Context.GetObjectDomain($domainDN)

$Context.LogMessage("$domain", "Information")

<# works getting user by upn on domain #>
try {
    $user = Get-AdmObject -Filter {userPrincipalName -eq $upn} -Server $domain -AdaxesService localhost                
}
catch [System.Exception] {
    $Context.LogException("Error: Get-AdmUser threw exception when trying to find guest user by UPN")        
}

 <# adaxes account found with matching upn #>
if (-not $user) {
    $Context.LogException("No user found in Adaxes by UPN $upn")
}

$Context.LogMessage("$($user.objectGUID)", "Information")

Move-AdmObject -Identity $user -TargetPath "%distinguishedName%"

How would I enforce users only being added to a group I've created from a custom command / script?

Thu, 26 Mar 2026 14:22:58 +0000

Hello,

We are currently rolling out a deployment for Windows Hello. For this, we have created a custom automation in Adaxes for users to have to reset their passwords on next login to something complex, then that new password is not required to be reset after the fact. They are then added to a group which is assigned to this password policy. Is there a good way to make sure users can only be added into this group via our script (we want to avoid people being added on accident), and for only our admins to be able to edit or see this group? Or, do you have another recommendation for getting this done?

Thank you.

Should I be able to import remote Exchange powershell into a script? It's seemingly just freezing / timing out.

Thu, 26 Mar 2026 13:16:11 +0000

This is from within a custom task. Account has proper RBAC permissions and I can do this from a normal powershell window.

Do you have a script for creating Azure Entra only accounts in bulk from CSV?

Thu, 26 Mar 2026 13:00:05 +0000

The csv I am using contains firstname,lastname,fullname,pass I will use fullname for both fullname and log on name and pass for the password.

Share Mailbox during onboarding without an active directory

Wed, 18 Mar 2026 10:08:36 +0000

I have a user that is looking to have a user calendar be shared on onboarding with all other users with reviewer permissions. We are exploring options to accomplish this task and are wondering if this is a good solution.

How can I add users to (and remove users from) a group based on the M365 License a user has?

Wed, 11 Mar 2026 10:11:16 +0000

We would like the membership in a distribution group to be based on a particular M365 license a user has (for example, Microsoft Copilot for Microsoft 365 (SKU part number _Microsoft_365Copilot).

If a user has the license, they are in the group. If the user does not have the license, they should not be in the group.

Is there way to do that by making it a rule-based group?

Property Pattern Regex Validation Help

Wed, 11 Mar 2026 10:08:25 +0000

First off, thank you for not shoving AI into Adaxes and for continuing to improve it.

I'm trying to set property pattern validation for new user creation and I'm a little stuck. Specifically, I want to make sure that the data entered:

doesn't start with a space
doesn't end with a space
doesn't contain a 'smart' quote (‘ ’ “ ”)
doesn't contain multiple sequential spaces (so no double/triple/etc spaces)

I did see I could impose the "must not start/end with" but that doesn't solve #3 and #4

Regex looks good but maybe I'm not quoting it properly? This does work for #1 and #2 but doesn't work for #3 unless there's two 'smart' quotes next to each other ^[^\s][^\‘\’\“\”]+[^\s]$

I had tried this which didn't work for #3 either because it seems to see it as this string "‘’“”", regex101.com reckons it needs to be escaped like above. ^[^\s][^‘’“”]+[^\s]$

I haven't been able to figure out #4 multiple spaces cause adding \s{2,} doesn't work.

I could use Powershell validation but I'd prefer to have it on the form itself as then when the user is entering the data it tells them why it's an issue.

Am I just testing against the wrong flavor of regex? It does look like \‘\’\“\” would be incorrect for .NET because it doesn't need the backslashes but I tested with that and had the same issue of needing at least two 'smart' quotes to trigger the error message.

Any assistance is much appreciated

SOLVED: without numbers ^[A-Z](?:[a-zA-Z\'\-])*(?: [a-zA-Z\'\-]+)*$

with numbers ^[A-Z](?:[a-zA-Z0-9\'\-])*(?: [a-zA-Z0-9\'\-]+)*$

See bottom for more details or run it through regex101.com

Display Name in web form

Fri, 06 Mar 2026 11:54:31 +0000

Hello!

So I'm attempting to create a form that my help desk team uses to change a user account from contractor (usernames end with -c) to a FTE employee (no -c). I have a script to handle this but is there anyway in the webform that when a a help desk tech selects a user for conversion it displays the potential new name and email before actually running the business rules?

Does Adaxes provide a calculated last‑logon value for AD and Entra, or must I combine properties myself?

Wed, 04 Mar 2026 12:23:42 +0000

I am building lifecycle automation in Adaxes and need to determine both user inactivity and whether a user has ever logged in. The adm-InactivityDuration property already calculates combined activity across AD and Microsoft Entra ID, but this value includes non-logon events such as password changes or the account creation date. For lifecycle decisions I need a logon‑only value, combining:

AD lastLogon AD lastLogonTimestamp Entra sign‑in activity (lastSignInDateTime and lastNonInteractiveSignInDateTime)

My questions are:

Does Adaxes provide a built‑in calculated property (similar to adm-InactivityDuration) that returns the most recent logon event across both AD and Entra? If no such property exists, which Adaxes properties should I use to manually construct this combined “Last Logon” logic? Can such a property be created using a Calculated Property in Adaxes, and if so, which fields are recommended?

I want to ensure I use the correct properties for:

determining whether a user ever logged in, and determining the true most recent login across AD and Entra.

Thank you in advance for the clarification.

Portal Actions Referencing Moved or Invalid OUs

Wed, 04 Mar 2026 10:35:37 +0000

Hi,

we have a custom action in our Adaxes portal that allows users to select only users from a specific country and only if they are members of two specific groups.

Due to a recent restructuring, these groups were moved to new OUs. We noticed afterward that the action criteria was not updated and is still pointing to the old OU.

Is there a way to automate this or make the criteria dynamically update when such changes occur?

Or do we need to manually review and update our actions each time objects are moved or restructured?

Additionally, is it possible to receive a notification or run a script that checks for invalid or non‑existing objects referenced in action criteria?

Our action and criteria are as follows:

Get Entra ID / Azure AD properties for a group ...

Wed, 25 Feb 2026 10:22:49 +0000

Hello -

I'm looking for some guidance / clarity.

I'm running Adaxes 2023 (I know I need to update) and I have a very specific task I am trying to accomplish.

I am in hybrid-mode - so we have an on-premise AD that syncs to Entra ID (Azure AD).

My on-prem AD is managed and I have the M365 tenant configured under 'Cloud Services'.

I need to retrieve the Entra ID object ID for a subset of the groups in my domain.

I've been reading the online docs for hours now and I am a little lost.

If I understand correctly, it says I should be able to use the Adaxes powershell command 'get-AdmGroup' to retrieve the Entra ID object ID ... but I can't figure it out.

I've looked at the '-AdaxesService' command along with using my organization's '.onmicrosoft.com' domain name in the 'serverName' parameter, but I get an error saying that it is 'unavailable'.

I want to get the information in the easiest and most efficient manner ... and I thought it would be much easier with Adaxes.

I feel as if I am missing something here. Any and all help / direction is much appreciated (in advance).

Thanks.

Installing Adaxes 2026.1

Mon, 23 Feb 2026 15:17:09 +0000

Getting error during installation, Softwrra Adaxes 2026.1 Setup - Could not be installed. Verify that you have sufficent privileges to install system service.

the service account and my account both have local admin rights on the servers. Any help would be appreciated. Nothing in the event viewer that points toward an issue that I can find.

Adaxes very slow and laggy after integrating EXO

Mon, 23 Feb 2026 14:39:24 +0000

After connecting to Exchange Online, we can once again access the Exchange properties of users as usual. That works well.

However, we now have relatively long loading times when calling up users, creating distribution lists, and basically everything else. It can easily take 15-20 minutes.

Is there any way to check what is taking so much time here?

We are grateful for any ideas and suggestions.

How do I display an icon in a report specific column?

Fri, 20 Feb 2026 16:09:50 +0000

I have a report that displays the adaxes logs for a specific scheduled task initator. One of my report-specific columns runs the following script:

$logRecord = $Context.ReportItem.LogRecord
if ($logRecord -ne $NULL)
{
    $executionLog = $logRecord.GetExecutionLog()
    $firstError = $executionLog.FirstErrorEntry
    if ($firstError -ne $NULL)
    {
         <# Todo if $first error, show icon indicating error #>
    }    
}

I currently have the data type set to text. Is there any way in the PowerShell to access the icon from index 30 or something equivalnt to that? My goal is to have some sort visual when an error is thrown in the execution log.

Multiple domain names

Fri, 20 Feb 2026 09:58:38 +0000

I am currently trying to configure a client in Adaxes that has multiple domain names. They are already configured with a .nl address and that works fine. Now i want to add .de and .be. I followed the link below, but I still cannot get it to appear in the web interface. I would like us to have an option in the web interface to change the domain name when creating the user.

https://www.adaxes.com/help/ConfigureUPNSuffixSelection/

External Contact Self-Service

Thu, 19 Feb 2026 17:27:35 +0000

Hello!

I am wondering if there is a way for external contacts, with no active directory account on our end, to request to join or leave Distribution Groups?

Export of business units, find relevant membership rules

Wed, 18 Feb 2026 15:06:31 +0000

Hi team,

I hope you are doing well.

Do you happen to have a ready-to-use script or solution to export business units and their criteria?

I need to find business units where a specific OU is configured to include members of that OU or its sub-OUs.

Thanks

Trying to connect M365 with adaxes

Tue, 17 Feb 2026 10:02:27 +0000

I try to registrer Adaxes with M365 with using your manuel: https://www.adaxes.com/help/RegisterAdaxesAsAppMicrosoftAzure/

if i try to connect from adaxes administration console, i get the message below.

I enter the application ID, Direction ID and client secret, but can't connect.

which credentials are invailid?

adm-CustomAttribute visibility and bulk update issues

Wed, 04 Feb 2026 17:06:34 +0000

I am having a difficult time wrangling Adaxes' custom attributes on v2025.1 to use them as placeholders to sync later or just have data visible in adaxes only. We are Entra ID only and the "On Prem AD" is just the Entra ID Domain Services. When referring to the user I am talking about the object in the mydomain.onmicrosoft.com domain object.

The first issue is, even with "Show Empty Properties" enabled, I cannot see any adm-CustomAttribute fields on a user profile, whether they have data in them or not. I even have some with custom property names and those are not visible either.

Second issue is even though we have Exchange Online ExtensionAttributes filled in Exchange Online. They are visibile if we go into the User Object > Exchange > General > Custom Attributes -- the same fields appear blank in the user pane.

The third issue which caused me to go down this whole road to begin with is, I cannot simply update ExtensionAttribute that is maintained in Exchange Online via the edit user or a form/command. I've had to devise a clever workaround to directly modify mailbox settings and then the ExtensionAttribute which works, but is clunky. And with no visibility of the fields, makes troubleshooting issues with this method more difficult.

Fourth, I am attempting to use the Update User script here: https://scripts.adaxes.com/import-new-and-updated-users-from-csv-file yet when I defind simply the username and 2 attributes and run the script, it appears nothing happens.

$csvFilePath = "C:\Users\myprofile\Desktop\imports\testbatch.csv" # TODO: modify me
$userIdColumn = "displayName" # TODO: modify me
$userIdProperty = "userPrincipalName" # TODO: modify me
$accountPasswordColumn = "AccountPassword" # TODO: modify me
$customColumnNames = @{
    "extensionAttribute2" = "adm-CustomAttributeText2";
    "extensionAttribute3" = "adm-CustomAttributeText3";
} # TODO: modify me
$ignoreUnspecifiedColumns = $True # TODO: modify me
$aDObjectProperties = @("Manager", "Secretary") # TODO: modify me
$skipEmptyColumnNames = @("MyColumn") # TODO: modify me

What I am trying to accomplish is get 2 ExtensionAttributes that already have data in them, be visible and editable in Adaxes. The stop-gap I was attempting to make to negate the second issue was to create duplicate fields using the adm-CustomAttribute field and then import the values of the ExtensionAttribute exported from Exchange and use a custom task to sync/overwrite the ExtensionAttributes from the ones saved in Adaxes.

So my questions are:

Is it possible to make ExtensionAttributes visible in the user page without clicking all the way into mailbox and custom attributes? And by extension, run a report in Adaxes showing these values as shown in Exchange Online?
Is it possible to make visible the adm-CustomAttribute fields regardless if they have data or not?
Can I make a form field to fill out the ExtensionAttribute directly rather than using a custom scheduled task to sync adm-CustomAttribute values to ExtensionAttribute
How can I bulk import from CSV values to adm-CustomAttribute and verify that they were saved?

Is there a way to CC when sending an email without scripting

Wed, 04 Feb 2026 10:04:28 +0000

I know there is a way to CC using a script, but I want to know if there is a way to CC recipients on an email with the "Send Email notification" action.

We currently have it set so an email goes out to a manager, myself and another admin. However it sends out a email to each indivudal recipient instead of one email to everyone.

What I am looking for to happen - this email notification goes out to the manager and CC's myself and the other admin.

Is this possible to do?

How to edit "My Requests" page in Web Admin

Fri, 30 Jan 2026 09:24:10 +0000

Where can I manage what can be seen on this page including the tabs, and the details of the requests? I don't want the user to see who approved or denied a request.

Is there a way to revoke Okta Tokens using an Adaxes Call

Thu, 22 Jan 2026 13:54:49 +0000

We need to have a process to revoke the access token used by Okta for end users.

Default domain isn't available, users need to click sign in options then the key icon to login to our domain

Mon, 19 Jan 2026 10:12:42 +0000

After installing the self-service client MSI, at the Windows login screen, when clicking other user, the default domain isn't available, users need to click sign in options then the key icon to login to our domain When I uninstall the self-service client, the domain for other user is immediately available. I've even updated a GPO to add our default login domain and this is applied but with Self-Service client installed not showing by default.

AAD group user removal

Thu, 15 Jan 2026 10:02:47 +0000

I’m working to remove disabled users from both AD and AAD groups. The script I’m using (https://www.adaxes.com/script-repository/remove-all-group-memberships-for-a-user-account-s33.htm) successfully removes users from AD groups but fails when targeting AAD groups. Currently, our AD and AAD groups are not synchronized. We do have an Azure AD app registration in place for Office 365 licensing and mailbox management. Are there any additional prerequisites or configurations needed to enable group removal in AAD?

Is there any timeline for getting rid of AD as a dependency?

Thu, 15 Jan 2026 10:01:01 +0000

Hi, we’re in the process of moving away from local AD in favor of Azure Entra ID. We’ve loved using Adaxes over the years and really don't want to switch to a different tool.

Do you have a roadmap or timeline for when Adaxes will fully support cloud-only setups (no local AD)?

Thanks

Remove user from a group

Tue, 13 Jan 2026 09:34:07 +0000

Hello

I was looking for some assistance with this command. I can not get this command below to work. I have tried two ways, and neither removed the account from the specified group. I've tried the group Distinguished name as well for Identity.

Remove-AdmGroupMember -Identity "%sAMAccountName%" -Members "%adm-InitiatorDN%" -confirm:$false -AdaxesService localhost

#$DistGroupDN = "%sAMAccountName%"
#$UserDN = "%adm-InitiatorDN%"

Remove-AdmGroupMember -Identity "$DistGroupDN" -Members "$UserDN" -confirm:$false -AdaxesService domain.com

Custom report to show Secretaries and who they support

Fri, 09 Jan 2026 09:29:45 +0000

I am trying to create a custom report which lists all secretaries and whom they support, I have a working report except for when there are multiple secretaries supporting a user it is displaying them as multiple values on the same row and the report specific column is presenting an error due to the unexpected multi value being passed to it.

I have created a directory search report and added the columns Secretary, Secretary Object GUID (report specific column), Name, and Object GUID.

The report specific column appears to be working where there are single secretaries assigned but when trying to export the report it fails because multiple values are being passed to the report specific column, specifically the error is "Exception calling BindToObjectByDN - Cannot parse ADsPath String, line 8". The PowerShell is:

$obj = $Context.GetDirectoryObject() try { $secretaryDN = $obj.Get("secretary") $secretary = $Context.BindToObjectByDN($secretaryDN) $Context.Value = $secretary.Get("ObjectGUID") } catch [System.Runtime.InteropServices.COMException] { }

Is it possible to separate out multiple Secretary values to their own lines?

I am wanting to export a CSV containing: Secretary (displayName), Secretary (Object GUID), User (displayName), User (Object GUID)

The CSV should have a line for each person a secretary supports and where there are multiple values then that should be separated out so each secretary would have its own row.

For example:

Secreatry	Object Guid	User	Object Guid
Jane	1234567	Steven	32132331
Jane	1234567	Alice	4324523
Paul	234572	Steven	32132331
Paul	234572	Michael	58745646
Paul	234572	Alice	4324523
Mary	95723272	Lara	0937546732
Mary	95723272	Kathy	932742

In the above, Jane and Paul look after Steven and Alice and currently appear as multiple values and need to be separated out.

Approvals: You are not allowed to deny this request.

Thu, 08 Jan 2026 09:57:12 +0000

Morning and happy new year : )

I noticed my script to deny pending approvals >30 days is failing currently due to the error

Approvals: You are not allowed to deny this request.

I am using this script since a while and it was working well in the past, no changes has been made so far. https://www.adaxes.com/script-repository/approvedeny-outdated-approval-requests-s546.htm

The PowerShell script log shows Exception calling "Deny" with "1" argument(s): "You are not allowed to deny this request." Stack trace: at <ScriptBlock>, <No file>: line 35

Line 35 is

$request.Deny($reason)

My full script

$requestExpirationDays = 30 
$reason = "The request is denied because it was not processed within $requestExpirationDays days" 

# Bind to the 'Approval Requests' container
$approvalRequestsPath = $Context.GetWellKnownContainerPath("ApprovalRequests")
$container = $Context.BindToObject($approvalRequestsPath)

# Get all pending approval requests
$requestGuidsInBytes = $container.GetApprovalRequests("ADM_APPROVALSTATE_PENDING")

# Iterate through the requests
foreach ($guidInBytes in $requestGuidsInBytes) {
    # Bind to the approval request
    $guid = [Guid]$guidInBytes
    $request = $Context.BindToObjectEx("Adaxes://<GUID=$guid>", $True)

    # Check if we need to skip special approvals
    if( $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***" -or `
        $request.DescriptionOfOperationToApprove -like "***"      
        ) {
            continue
    }

    # Check whether the request must be denied
    $deadlineDate = $request.CreationDate.AddDays($requestExpirationDays)
    if ([System.DateTime]::Now -lt $deadlineDate) {
        continue
    }

    $request.Deny($reason)
}

My scheduled task (already re-created it for testing) My action

Adaxes Powershell not getting values of Custom Attributes

Sat, 03 Jan 2026 12:08:29 +0000

I edited a custom attribute in Adaxes, and manually entered the value for each Org Unit.

When I attemp to get that property in Adaxes, it gives me an empty value. I'm sure I am misisng something simple.

Script I am using, with OU distringuished name

Get-AdmOrganizationalUnit -Identity "OU=Test City Adaxes,OU=City Users,DC=Company,DC=ORG" -Properties "%adm-CustomAttributeText3%" | Select-Object "%adm-CustomAttributeText3%"

Even if I use this broad one, it still comes up empty

Get-AdmOrganizationalUnit -Filter * -Properties "%adm-CustomAttributeText3%" | Select-Object "%adm-CustomAttributeText3%"

I've renamed the property to "City Name." You can see at the bottom of the image below that this value does contain data

Script Failed

Tue, 16 Dec 2025 15:46:13 +0000

I am trying to get information from a built in report, and add it to a custom attribute. I need to get the IP address in the built in report "Dial-in and VPN settings" and add it to a custom attribute for each user.

I tried modifying this script to get there: https://www.adaxes.com/script-repository/update-boolean-attribute-with-password-self-service-enrollment-status-s680.htm

I think the main issues are:

The well known container path. I can't figure out the path for Reports > All Reports > Users > Dial-in and VPN Settings
my ADM_PSREPORTTYPE is also probably wrong
And at the very end, I try to get $userstaticIP from the "Dial-In and VPN settings" report which contains the info I need.

Here is the script:

$propertyName = "adm-CustomAttributeBinary1" # TODO: modify me

# Bind to the 'Dial-in and VPN settings' container
$DialInReportPath = $Context.GetWellKnownContainerPath("Report")
$DialIn = $Context.BindToObject($DialInReportPath)

# Get the Dial-in and VPN settings report
$reportIsBeingGenerated = $True
do
{
    try
    {
        $report = $DialIn.GetReport("ADM_PSSREPORTTYPE_DialinandVPNsettings")
    }
    catch [System.Runtime.InteropServices.COMException]
    {
        if ($_.Exception.ErrorCode -eq "-2147024875")
        {
            # Report is being generated. Wait 10 seconds
            Start-Sleep -Seconds 10
            continue
        }
        else
        {
            $reportIsBeingGenerated = $False
            $Context.LogMessage($_.Exception.Message, "Error")
            return
        }
    }

    if ($report.GenerateDate -lt [System.Datetime]::UtcNow.AddHours(-1))
    {
        $DialIn.ResetReportCache("ADM_PSSREPORTTYPE_DialinandVPNsettings")
    }
    else
    {
        $reportIsBeingGenerated = $False
    }
}
while ($reportIsBeingGenerated)

$records = $report.Records
for ($i = 0; $i -lt $records.Count; $i++)
{
    $record = $records.GetRecord($i)

    # Get user information
    $userPath = $NULL
    $userDisplayName = $NULL
    $userstaticIP = $NULL
    $userInfo = $record.GetUserInfo([ref]$userPath, [ref]$userDisplayName, [ref]$userstaticIP)

    # Update user
    $user = $Context.BindToObject($userPath)
    $user.Put($propertyName, $userstaticIP)
    $user.SetInfo()
}

Adaxes doesnt seem to pick up on-prem AD account with Cloud Mailbox

Mon, 15 Dec 2025 15:55:12 +0000

I see the following error when I navigate to the user:

The operation couldn't be performed because object '[user] ' couldn't be found on '[local DC]'.

We have Adaxes configured to at least partially manage M365, but I assume its missing some permissions. Any idea what it could be?

Custom Attribute Management

Wed, 10 Dec 2025 17:34:02 +0000

Hello

I am looking fro information on managing custom attributes in Adaxes.

I would like to create two custom attributes:

Self Service Enrollment Stauts
Object Type

While browsing and viewing columns, there is a built in "Type," however this is not available while looking at individual objects:

Browsing I can see "Type." But I still need a custom attribute for Self-Service enrollment status

And then when viewing an individual object, I would like to be able to have these two values (custom or otherwise) viewable. The "Type" column above is not a slectable attribute for some reason.

Software version: