Add users except users located in particular Organizational Units to Unmanaged Accounts

November 03, 2020

The script adds all users except users located in particular Organizational Units to Unmanaged Accounts.

To keep the list of Unmanaged Accounts in line with changes in your AD, you need to create a Scheduled Task configured for the Domain-DNS object type that runs the script and assign it over any of your AD domains.

Parameters:

  • $managedOuDNs - Specifies distinguished names (DNs) of the Organizational Units you want to manage with the help of Adaxes. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject/.
  • $excludeSubOUDNs - Specifies distinguished names (DNs) of Organizational Units located inside the OUs specified in the $managedOuDNs variable. Users located in these OUs will be added to the Unmanaged Accounts list.
  • $managedUserDNs - Specifies distinguished names (DNs) of users that will never be added to the Unmanaged Accounts list, regardless of where they are located.
PowerShell
# Organizational Units whose users are managed by Adaxes
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com",
    "OU=My OU 2,DC=domain,DC=com") # TODO: modify me
# Sub-OUs inside the managed OUs whose users must still be unmanaged
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
# Users that must never be added to Unmanaged Accounts, wherever they are located
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

function IsDescendantOf ($userDN, $ouDNs)
{
    $isDescendantOf = $False
    foreach ($dn in $ouDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            $isDescendantOf = $True
            break
        }
    }
    
    return $isDescendantOf
}

function GetUserSids($managedOuDNs, $allUnmanagedSids, $filter, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        foreach ($searchResult in $searchResults)
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
            $sidBytes = $searchResult.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
            
            # Users in an excluded sub-OU are unmanaged even though the sub-OU sits under a managed OU
            if (IsDescendantOf $userDN $excludeSubOUDNs)
            {
                [void]$allUnmanagedSids.Add($sid.Value)
                continue
            }

            # Users outside every managed OU are unmanaged
            if (-not (IsDescendantOf $userDN $managedOuDNs))
            {
                [void]$allUnmanagedSids.Add($sid.Value)
            }
        }
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build filter
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(sAMAccountType=805306368)")
foreach ($dn in $managedUserDNs)
{
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn)
    [void]$filter.Append("(!$filterPart)")
}
[void]$filter.Append(")")

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $filter.ToString() $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Update Unmanaged Accounts
$admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
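The classification rule the script applies, as an added example that is not part of the repository script: it uses plain-string DN handling instead of the Softerra.Adaxes.Ldap.DN class, so the managed/excluded/unmanaged decision can be dry-run on a workstation without Adaxes and reviewed before the scheduled task rewrites the Unmanaged Accounts list. All user names and DNs in it are constructed samples; the function names are this example's own.

```powershell
# Added example (not the repository script): offline dry run of the Unmanaged Accounts
# classification. DNs are compared as normalized strings; all sample data is constructed.

function ConvertTo-NormalizedDN ([string]$dn)
{
    # Trim whitespace around RDN separators and lowercase, so that
    # "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com" (as written in the script's placeholders)
    # and "ou=subou 1,ou=my ou 1,dc=domain,dc=com" compare equal. Escaped commas (\,) are kept.
    $parts = $dn -split '(?<!\\),'
    return (($parts | ForEach-Object { $_.Trim() }) -join ',').ToLowerInvariant()
}

function Test-DnDescendantOf ([string]$objectDN, [string[]]$containerDNs)
{
    $obj = ConvertTo-NormalizedDN $objectDN
    foreach ($container in $containerDNs)
    {
        # Require the leading comma so the container is matched as a whole ancestor RDN chain
        if ($obj.EndsWith(',' + (ConvertTo-NormalizedDN $container))) { return $true }
    }
    return $false
}

function Get-UnmanagedCandidates
{
    param([string[]]$UserDNs, [string[]]$ManagedOuDNs, [string[]]$ExcludeSubOuDNs, [string[]]$ManagedUserDNs)

    $managedUsers = @($ManagedUserDNs | ForEach-Object { ConvertTo-NormalizedDN $_ })
    foreach ($userDN in $UserDNs)
    {
        # Same precedence as the script: explicitly managed users never appear (the script drops
        # them in the LDAP filter), then excluded sub-OUs, then everything outside the managed OUs.
        if ($managedUsers -contains (ConvertTo-NormalizedDN $userDN)) { continue }
        if (Test-DnDescendantOf $userDN $ExcludeSubOuDNs) { $userDN; continue }
        if (-not (Test-DnDescendantOf $userDN $ManagedOuDNs)) { $userDN }
    }
}

# Constructed sample users mirroring the script's placeholder DNs
$sampleUsers = @(
    "CN=Alice,OU=My OU 1,DC=domain,DC=com",          # inside a managed OU    -> stays managed
    "CN=Bob,OU=SubOU 1,OU=My OU 1,DC=domain,DC=com", # inside excluded sub-OU -> unmanaged
    "CN=Carol,OU=My OU 3,DC=domain,DC=com",          # outside managed OUs    -> unmanaged
    "CN=My User 1,CN=Users,DC=domain,DC=com",        # listed as managed user -> stays managed
    "CN=Svc,CN=Users,DC=domain,DC=com")              # outside managed OUs    -> unmanaged

Get-UnmanagedCandidates -UserDNs $sampleUsers `
    -ManagedOuDNs @("OU=My OU 1,DC=domain,DC=com", "OU=My OU 2,DC=domain,DC=com") `
    -ExcludeSubOuDNs @("OU=SubOU 1, OU=My OU 1,DC=domain,DC=com") `
    -ManagedUserDNs @("CN=My User 1,CN=Users,DC=domain,DC=com")
```

Running it lists Bob, Carol and Svc as the accounts that would be marked unmanaged; review that list against the real OU layout before assigning the scheduled task, since an account that lands in Unmanaged Accounts by mistake drops out of every Adaxes policy.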

