Script Repository

Add direct members of groups to Unmanaged Accounts

October 20, 2015

The script adds users who are members of the specified AD groups to Unmanaged Accounts. Only direct membership is taken into account: users who belong to a group only through a nested group are not added.

To keep the list of Unmanaged Accounts in line with changes in your AD, create a Scheduled Task configured for the Domain-DNS object type that runs the script, and assign it over any one of your AD domains.


Parameters:

  • $groupDNs - specifies the Distinguished Names (DNs) of the groups whose members will be added to Unmanaged Accounts;
  • $replaceCurnentlyUnmanagedAccounts - specifies whether the group members replace the current Unmanaged Accounts list ($True) or are added to the existing list ($False).
$groupDNs = @(
    "CN=My Group 1,CN=Users,DC=domain,DC=com", 
    "CN=My Group 2,CN=Users,DC=domain,DC=com") # TODO: modify me

$replaceCurnentlyUnmanagedAccounts = $True # TODO: modify me

# Build filter to find users who are members of the specified groups
# (sAMAccountType=805306368 restricts the search to user accounts)
$groupMemberFilter = New-Object "System.Text.StringBuilder"
$groupMemberFilter.Append("(&(sAMAccountType=805306368)(|") | Out-Null
foreach ($dn in $groupDNs)
{
    # memberOf matches direct membership only
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("memberOf", $dn)
    $groupMemberFilter.Append($filterPart) | Out-Null
}
$groupMemberFilter.Append("))") | Out-Null

# Find users and get their SIDs
$searcher = $Context.BindToObject("Adaxes://rootDse")
$searcher.SearchFilter = $groupMemberFilter.ToString()
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True

$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

try
{
    $searchResult = $searcher.ExecuteSearch()
    foreach ($user in $searchResult.FetchAll())
    {
        # Convert the binary objectSid to its string form
        $userSid = $user.Properties["objectSid"].Value
        $sidObject = New-Object "Softerra.Adaxes.Adsi.Sid" @($userSid, 0)
        $allUnmanagedSids.Add($sidObject.Value) | Out-Null
    }
}
finally
{
    # Release resources used by the search
    if ($searchResult) { $searchResult.Dispose() }
}

# Add users to Unmanaged Accounts
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurnentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())

    foreach ($userInfo in $currentUnmanagedAccounts)
    {
        $allUnmanagedSids.Add($userInfo.Key) | Out-Null
    }
}

# Save changes
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
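
When $replaceCurnentlyUnmanagedAccounts is $True, the saved list contains only what the group search returned, so a mistyped group DN or an emptied group clears the Unmanaged Accounts list on the next scheduled run. The following is an added example, not part of the original script: a pre-save check that computes the change and blocks suspicious runs. The helper name Compare-UnmanagedSids, the $MaxRemovals threshold and the sample SIDs are assumptions made for illustration.

```powershell
# Added example: Compare-UnmanagedSids is a hypothetical helper, not an Adaxes cmdlet.
function Compare-UnmanagedSids
{
    param(
        [string[]]$CurrentSids = @(),  # SIDs on the Unmanaged Accounts list now
        [string[]]$NewSids = @(),      # SIDs the script is about to save
        [int]$MaxRemovals = 10         # assumed threshold, tune to your environment
    )

    $current = New-Object "System.Collections.Generic.HashSet[String]"
    $new = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($sid in $CurrentSids) { $current.Add($sid) | Out-Null }
    foreach ($sid in $NewSids) { $new.Add($sid) | Out-Null }

    # Accounts that would become unmanaged, and accounts that would drop off the list
    $added = @($new | Where-Object { -not $current.Contains($_) } | Sort-Object)
    $removed = @($current | Where-Object { -not $new.Contains($_) } | Sort-Object)

    # Block the save when the group search came back empty (for example a mistyped
    # group DN) or when the run would drop more entries than expected
    $emptied = ($new.Count -eq 0) -and ($current.Count -gt 0)
    $tooMany = $removed.Count -gt $MaxRemovals

    New-Object PSObject -Property @{
        Added   = $added
        Removed = $removed
        Blocked = ($emptied -or $tooMany)
    }
}

# Constructed sample SIDs (not real accounts)
$currentSample = @(
    "S-1-5-21-1000000001-1000000002-1000000003-1104",
    "S-1-5-21-1000000001-1000000002-1000000003-1105")
$newSample = @(
    "S-1-5-21-1000000001-1000000002-1000000003-1105",
    "S-1-5-21-1000000001-1000000002-1000000003-1106")

$delta = Compare-UnmanagedSids -CurrentSids $currentSample -NewSids $newSample
"Would add:    " + ($delta.Added -join ", ")
"Would remove: " + ($delta.Removed -join ", ")
"Blocked:      " + $delta.Blocked

# An empty search result in replace mode is blocked
"Empty result blocked: " + (Compare-UnmanagedSids -CurrentSids $currentSample -NewSids @()).Blocked
```

In the script itself, the current SIDs would be the keys returned by $configurationSetSettings.GetUnmanagedAccounts(@()) and the new SIDs would be @($allUnmanagedSids); run the check before the list is saved and record the delta with $Context.LogMessage so every change to the list is visible in the task's execution log.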
