The script adds all users except users located in particular Organizational Units to Unmanaged Accounts.
To keep the list of Unmanaged Accounts in line with changes in your directory, you need to create a scheduled task configured for the Domain object type that runs the script and assign it over any of your managed domains.
Parameter:
- $managedOuDNs - Specifies distinguished names (DNs) of the Organizational Units you want to manage with the help of Adaxes. For information on how to get an object DN, see Get the DN of a directory object.
- $excludeSubOUDNs - Specifies distinguished names (DNs) of the Organizational Units which are located in the OUs specified in the $managedOuDNs variable. users located in the OUs will be added to the unmanaged accounts list.
- $managedUserDNs - Specifies distinguished names (DNs) of users that will never be added to unmanaged accounts list.
- $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged or add the users located in the specified OUs to the existing list.
PowerShell
$managedOuDNs = @(
"OU=My OU 1,DC=domain,DC=com",
"OU=My OU 2,DC=domain,DC=com") # TODO: modify me
$excludeSubOUDNs = @(
"OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
"OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
$managedUserDNs = @(
"CN=My User 1,CN=Users,DC=domain,DC=com",
"CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me
function IsDescendantOf ($userDN, $ouDNs)
{
$isDescendantOf = $False
foreach ($dn in $ouDNs)
{
if ($userDN.IsDescendantOf($dn))
{
$isDescendantOf = $True
break
}
}
return $isDescendantOf
}
function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
$searcher = $Context.TargetObject
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
try
{
# Execute search
$searchResultIterator = $searcher.ExecuteSearch()
$searchResults = $searchResultIterator.FetchAll()
foreach ($searchResult in $searchResults)
{
$userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
$sidBytes = $searchResult.Properties["objectSid"].Value
$sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
if (IsDescendantOf $userDN $excludeSubOUDNs)
{
[void]$allUnmanagedSids.Add($sid.Value)
continue
}
if (-not (IsDescendantOf $userDN $managedOuDNs))
{
[void]$allUnmanagedSids.Add($sid.Value)
}
}
}
finally
{
# Release resources
if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
}
# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
# Build criteria
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
foreach ($dn in $managedUserDNs)
{
$criteria["user"].Add({distinguishedName -ne $dn})
}
# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs
# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if (!$replaceCurrentlyUnmanagedAccounts)
{
# Fetch user accounts that are already unmanaged
$currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
$currentUnmanagedAccounts | %%{[void]$allUnmanagedSids.Add($_.Key)}
}
# Update Unmanaged Accounts
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
We are using this script but with the new Adaxes Update Azure AD User are not added to the list.
The OU is not set in the script but Azure users are not added to the list.
The Scope is set to All Objects.
Is it possible to add Azure and On-Prem AD users to the unmanaged list with one script?
Thanks
Noyan
Yes, it is possible. Use the below script. We also updated the script in the article itself.