We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Add users except users located in particular Organizational Units to Unmanaged Accounts

September 29, 2023 Views: 4607

The script adds all users except users located in particular Organizational Units to Unmanaged Accounts.

To keep the list of Unmanaged Accounts in line with changes in your directory, you need to create a scheduled task configured for the Domain object type that runs the script and assign it over any of your managed domains.

Parameter:

  • $managedOuDNs - Specifies distinguished names (DNs) of the Organizational Units you want to manage with the help of Adaxes. For information on how to get an object DN, see Get the DN of a directory object.
  • $excludeSubOUDNs - Specifies distinguished names (DNs) of the Organizational Units which are located in the OUs specified in the $managedOuDNs variable. users located in the OUs will be added to the unmanaged accounts list.
  • $managedUserDNs - Specifies distinguished names (DNs) of users that will never be added to unmanaged accounts list.
  • $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged or add the users located in the specified OUs to the existing list.
Edit Remove
PowerShell
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com", 
    "OU=My OU 2,DC=domain,DC=com") # TODO: modify me
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

function IsDescendantOf ($userDN, $ouDNs)
{
    $isDescendantOf = $False
    foreach ($dn in $ouDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            $isDescendantOf = $True
            break
        }
    }
    
    return $isDescendantOf
}

function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        foreach ($searchResult in $searchResults)
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
            $sidBytes = $searchResult.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
            
            if (IsDescendantOf $userDN $excludeSubOUDNs)
            {
                [void]$allUnmanagedSids.Add($sid.Value)
                continue
            }

            if (-not (IsDescendantOf $userDN $managedOuDNs))
            {
                [void]$allUnmanagedSids.Add($sid.Value)
            }
            
        }
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build criteria
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
foreach ($dn in $managedUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %%{[void]$allUnmanagedSids.Add($_.Key)}
}

# Update Unmanaged Accounts
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))

Comments 2
avatar
Noyan Dec 01, 2022
Hi all,

We are using this script but with the new Adaxes Update Azure AD User are not added to the list.
The OU is not set in the script but Azure users are not added to the list.
The Scope is set to All Objects.
Is it possible to add Azure and On-Prem AD users to the unmanaged list with one script?

Thanks
Noyan
avatar
Support Dec 01, 2022
Hello Noyan,

Yes, it is possible. Use the below script. We also updated the script in the article itself.
Edit Remove
PowerShell
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com", 
    "OU=My OU 2,DC=domain,DC=com") #TODO: modify me
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

function IsDescendantOf ($userDN, $ouDNs)
{
    $isDescendantOf = $False
    foreach ($dn in $ouDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            $isDescendantOf = $True
            break
        }
    }
    
    return $isDescendantOf
}

function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()
        
        foreach ($searchResult in $searchResults)
        {
            $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $searchResult.Properties["distinguishedName"].Value
            $sidBytes = $searchResult.Properties["objectSid"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
            
            if (IsDescendantOf $userDN $excludeSubOUDNs)
            {
                [void]$allUnmanagedSids.Add($sid.Value)
                continue
            }

            if (-not (IsDescendantOf $userDN $managedOuDNs))
            {
                [void]$allUnmanagedSids.Add($sid.Value)
            }
            
        }
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Create an empty hash set
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build filter
$criteria = New-AdmCriteria -Type "user"
foreach ($dn in $managedUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

# Update Unmanaged Accounts
$admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
Leave a comment
Loading...

Got questions?

Support Questions & Answers