Script Repository


Add users except users located in particular Organizational Units to Unmanaged Accounts

July 15, 2020

The script adds all users except users located in particular Organizational Units to Unmanaged Accounts.

To keep the list of Unmanaged Accounts in line with changes in your AD, you need to create a Scheduled Task configured for the Domain-DNS object type that runs the script and assign it over any of your AD domains.

Parameters:

  • $managedOuDNs - Specifies distinguished names (DNs) of the Organizational Units you want to manage with the help of Adaxes. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject/.
  • $excludeUserDNs - Specifies distinguished names (DNs) of users that will not be added to Unmanaged Accounts even if located in an OU specified in the $managedOuDNs variable.
PowerShell
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com",
    "OU=My OU 2,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

function GetUserSids($managedOuDNs, $allUnmanagedSids, $filter)
{
    $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
    $searcher.SearchParameters.Filter = $filter
    $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SearchParameters.PageSize = 500
    $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.SearchParameters.VirtualRoot = $True
    $searcher.SetPropertiesToLoad(@("objectSid","distinguishedName"))

    try
    {
        $searcherResult = $searcher.ExecuteSearch()
        foreach ($user in $searcherResult.FetchAll())
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $user.Properties["distinguishedName"].Value
            $addToUnmanagedAccounts = $True
            foreach ($ouDN in $managedOuDNs)
            {
                if($userDN.IsDescendantOf($ouDN))
                {
                    $addToUnmanagedAccounts = $False
                    break
                }
            }
            
            if (!($addToUnmanagedAccounts))
            {
                continue
            }
     
            $sidBytes = $user.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
     
            $allUnmanagedSids.Add($sid.Value) | Out-Null
        }
    }
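    finally
    {
        # Release resources used by the search. The result is null if ExecuteSearch() threw.
        if ($searcherResult) { $searcherResult.Dispose() }
    }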
}

# Create an empty hash set for SIDs of Unmanaged Accounts
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build filter
$filter = New-Object "System.Text.StringBuilder"
[void]$filter.Append("(&(sAMAccountType=805306368)")
foreach ($dn in $excludeUserDNs)
{
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("distinguishedName", $dn)
    [void]$filter.Append("(!$filterPart)")
}
[void]$filter.Append(")")

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $filter.ToString()

# Bind to the 'Configuration Set Settings' object
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Update Unmanaged Accounts
$admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
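The script's managed/unmanaged decision can be previewed offline before the scheduled task passes the computed set to SetUnmanagedAccounts. The following is an added example, not part of the original script or of Adaxes: Split-Dn, Test-DescendantOf and Get-UnmanagedPreview are hypothetical helpers written in plain PowerShell, and every DN in it is constructed sample data.

```powershell
# Added example. Split-Dn, Test-DescendantOf and Get-UnmanagedPreview are
# hypothetical helpers (not Adaxes APIs); all DNs are constructed sample data.
function Split-Dn([string]$dn)
{
    # Split into RDNs on unescaped commas; lower-case for case-insensitive comparison
    $parts = New-Object "System.Collections.Generic.List[String]"
    $current = New-Object "System.Text.StringBuilder"
    $escaped = $False
    foreach ($ch in $dn.ToCharArray())
    {
        if ($escaped) { [void]$current.Append($ch); $escaped = $False }
        elseif ($ch -eq '\') { [void]$current.Append($ch); $escaped = $True }
        elseif ($ch -eq ',') { $parts.Add($current.ToString().Trim().ToLowerInvariant()); [void]$current.Clear() }
        else { [void]$current.Append($ch) }
    }
    $parts.Add($current.ToString().Trim().ToLowerInvariant())
    return ,$parts.ToArray()
}

function Test-DescendantOf([string]$childDn, [string]$ancestorDn)
{
    $child = Split-Dn $childDn
    $ancestor = Split-Dn $ancestorDn
    if ($child.Length -le $ancestor.Length) { return $False }
    $offset = $child.Length - $ancestor.Length
    for ($i = 0; $i -lt $ancestor.Length; $i++)   # ancestor RDNs must equal the child's trailing RDNs
    {
        if ($child[$i + $offset] -ne $ancestor[$i]) { return $False }
    }
    return $True
}

function Get-UnmanagedPreview($userDNs, $managedOuDNs, $excludeUserDNs)
{
    $excluded = @($excludeUserDNs | ForEach-Object { (Split-Dn $_) -join "," })
    foreach ($dn in $userDNs)
    {
        if ($excluded -contains ((Split-Dn $dn) -join ",")) { continue }   # excluded users are never listed
        $managed = @($managedOuDNs | Where-Object { Test-DescendantOf $dn $_ }).Count -gt 0
        if (-not $managed) { $dn }   # outside every managed OU: would become unmanaged
    }
}
$sampleUserDNs = @(
    "CN=Alice,OU=Sales,OU=My OU 1,DC=domain,DC=com",   # nested in a managed OU
    "cn=carol,ou=my ou 1,dc=DOMAIN,dc=com",            # same OU, different case
    "CN=Bob,OU=My OU 10,DC=domain,DC=com",             # similarly named OU, not managed
    "CN=Smith\, Dave,CN=Users,DC=domain,DC=com",       # escaped comma in the CN
    "CN=My User 1,CN=Users,DC=domain,DC=com")          # listed in the exclusion list
Get-UnmanagedPreview $sampleUserDNs @("OU=My OU 1,DC=domain,DC=com") @("CN=My User 1,CN=Users,DC=domain,DC=com")
```

Replacing the sample list with DNs exported from your own directory gives a dry run of which accounts the scheduled task would mark as unmanaged.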

