We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Add users that are not members of groups to Unmanaged Accounts

December 05, 2022 Views: 1680

The script adds users who are not members of specific groups to Unmanaged Accounts. When adding users, only direct membership in the groups is taken into account.

To keep the list of Unmanaged Accounts in line with changes in your directory, create a scheduled task configured for the Domain object type that runs the script and assign it over any of your managed domains. The domain does not specify the scope of users that will be added to the list of unmanaged accounts and will only be used to trigger execution of the Scheduled Task. The criteria for adding users to the list are specified in the PowerShell script.


  • $groupDNs - Specifies the distinguished names (DNs) of the groups whose members will not be added to Unmanaged Accounts.
  • $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged or accounts to the existing list.
  • $excludeUserDNs - Specifies the distinguished names (DNs) of the user accounts that should not be added to the unmanaged accounts list even if they are not members of the groups specified in the $groupDNs variable. Leave the array empty to add all users that are not members of the groups to the unmanaged accounts list.
Edit Remove
$groupDNs = @(
    "CN=My Group 1,CN=Users,DC=domain,DC=com", 
    "CN=My Group 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

# Build criteria to find users who are not members of any of the specified groups
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $groupDNs)
    $criteria["user"].Add({directMemberOf -ne $dn})

# Add criteria to exclude specific users
foreach ($dn in $excludeUserDNs)
    $criteria["user"].Add({distinguishedName -ne $dn})

# Find users and get their SIDs
$searcher = $Context.BindToObject("Adaxes://rootDse")
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True

    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($searchResult in $searchResults)
        $sidBytes = $searchResult.Properties["objectSid"].Value
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }

# Add users to unmanaged accounts
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
    # Fetch user accounts that are already unmanaged
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %%{[void]$allUnmanagedSids.Add($_.Key)}

# Save changes
Comments 0
Leave a comment

Got questions?

Support Questions & Answers