We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script repository

Add users except users located in particular Organizational Units to Unmanaged Accounts

November 01, 2024 Views: 4968

The script adds enabled and not expired user accounts not located in the specified Organizational Units to the unmanaged list. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.

Parameter:

  • $managedOuDNs - Specifies distinguished names (DNs) of the Organizational Units you want to manage with the help of Adaxes. For information on how to get an object DN, see Get the DN of a directory object.
  • $excludeSubOUDNs - Specifies distinguished names (DNs) of the Organizational Units which are located in the OUs specified in the $managedOuDNs variable. Users located in the OUs will be added to the unmanaged accounts list.
  • $managedUserDNs - Specifies distinguished names (DNs) of users that will never be added to unmanaged accounts list.
  • $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged or add the users located in the specified OUs to the existing list.
  • $managedGroupDNs - Specifies distinguished names (DNs) of groups whose members will never be added to unmanaged accounts list. If there is no need to
Edit Remove
PowerShell
$managedOuDNs = @(
    "OU=DC=adaxeslab,DC=local", 
    "OU=My OU 2,DC=domain,DC=com") # TODO: modify me
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$managedGroupDNs = @(
    "CN=MyGroup1,OU=Groups,DC=domain,DC=com",
    "CN=MyGroup2,OU=Groups,DC=domain,DC=com") # TODO: modify me

$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

function IsDescendantOf ($userDN, $ouDNs)
{
    $isDescendantOf = $False
    foreach ($dn in $ouDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            $isDescendantOf = $True
            break
        }
    }
    
    return $isDescendantOf
}

function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        foreach ($searchResult in $searchResults)
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
            $sidBytes = $searchResult.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
            
            if (IsDescendantOf $userDN $excludeSubOUDNs)
            {
                [void]$allUnmanagedSids.Add($sid.Value)
                continue
            }

            if (-not (IsDescendantOf $userDN $managedOuDNs))
            {
                [void]$allUnmanagedSids.Add($sid.Value)
            }
            
        }
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build criteria
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
foreach ($dn in $managedUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

foreach ($dn in $managedGroupDNs)
{
    $criteria["user"].Add({directMemberOf -ne $dn})
}

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %%{[void]$allUnmanagedSids.Add($_.Key)}
}

# Update Unmanaged Accounts
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))

Comments 2
avatar
Noyan Dec 01, 2022
Hi all,

We are using this script but with the new Adaxes Update Azure AD User are not added to the list.
The OU is not set in the script but Azure users are not added to the list.
The Scope is set to All Objects.
Is it possible to add Azure and On-Prem AD users to the unmanaged list with one script?

Thanks
Noyan
avatar
Support Dec 01, 2022
Hello Noyan,

Yes, it is possible. Use the below script. We also updated the script in the article itself.
Edit Remove
PowerShell
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com", 
    "OU=My OU 2,DC=domain,DC=com") #TODO: modify me
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

function IsDescendantOf ($userDN, $ouDNs)
{
    $isDescendantOf = $False
    foreach ($dn in $ouDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            $isDescendantOf = $True
            break
        }
    }
    
    return $isDescendantOf
}

function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        foreach ($searchResult in $searchResults)
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
            $sidBytes = $searchResult.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
            
            if (IsDescendantOf $userDN $excludeSubOUDNs)
            {
                [void]$allUnmanagedSids.Add($sid.Value)
                continue
            }

            if (-not (IsDescendantOf $userDN $managedOuDNs))
            {
                [void]$allUnmanagedSids.Add($sid.Value)
            }
            
        }
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build filter
$criteria = New-AdmCriteria -Type "user"
foreach ($dn in $managedUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Update Unmanaged Accounts
$admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
Leave a comment
Loading...

Got questions?

Support Questions & Answers