Disenroll users affected by specific Password Self-Service Policy

April 26, 2016

The script disenrolls all users affected by a specific Password Self-Service Policy. To disenroll users on demand, create a Custom Command for the Domain-DNS object type that runs the script. To disenroll users on a schedule, create a Scheduled Task that runs the script.

Parameter:

  • $policyName - specifies the name of the Password Self-Service Policy you need.
PowerShell
$policyName = "My Policy" # TODO: modify me

# Find the Password Self-Service Policy by name
$configurationContainerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($configurationContainerPath)
$policySearcher.SearchFilter = "(&(objectCategory=adm-PasswordSelfServicePolicy)(name=$policyName))"
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.PageSize = 500

$policySearchResultIterator = $null
try
{
    $policySearchResultIterator = $policySearcher.ExecuteSearch()
    $searchResults = $policySearchResultIterator.FetchAll()

    # The name must identify exactly one policy; otherwise stop
    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one policy with name '$policyName'.", "Warning")
        return
    }
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Password Self-Service Policy '$policyName' does not exist.", "Error")
        return
    }

    $policyPath = $searchResults[0].AdsPath
}
finally
{
    # Release resources (the iterator is $null if ExecuteSearch failed)
    if ($policySearchResultIterator -ne $null)
    {
        $policySearchResultIterator.Dispose()
    }
}

# Bind to the policy
$policy = $Context.BindToObject($policyPath)

# Get a searcher that returns all users affected by the policy
$affectedObjectSearcher = $policy.FindAffectedUsers()
$affectedObjectSearcher.PageSize = 500
$affectedObjectSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$searchResultIterator = $null
$disenrolledCount = 0
try
{
    $searchResultIterator = $affectedObjectSearcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    foreach ($searchResult in $searchResults)
    {
        # Bind to the user and disenroll only those who are currently enrolled
        $user = $Context.BindToObject($searchResult.AdsPath)
        if ($user.IsEnrolled)
        {
            $user.DisenrollUser()
            $disenrolledCount++
        }
    }
}
finally
{
    # Release resources (the iterator is $null if ExecuteSearch failed)
    if ($searchResultIterator -ne $null)
    {
        $searchResultIterator.Dispose()
    }
}

# Record the outcome so the run leaves an audit trail in the execution log
$Context.LogMessage("Disenrolled $disenrolledCount user(s) affected by policy '$policyName'.", "Information")
