0 votes

Hello,

I am having issues using ADSI and Searcher to find and report on a user's secondary account.

We used to use LDAP filters in our scripts to essentially search whether a user that was modified had a secondary account. However, we were told that LDAP filters will no longer be supported in Adaxes. For example, a user's main account has their manager updated; we want to ensure that IF a user has a secondary account, the manager field is set the same for that secondary account automatically. You can see where I am going here.

Now for this specific task, I am writing a script and I want the script to continue if the account exists, however I cannot get past the Directory Search.

This is what I have so far for my script running as a custom command:

# Connect to the Adaxes service
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly("localhost")

# Obtain User's Primary SAM Account Name and Write it to the Execution Log
$userSAMAccountName = $Context.TargetObject.Get("sAMAccountName")
$userDN = $Context.TargetObject.Get("distinguishedName")
$Context.LogMessage("Selected User's Primary SAM Account Username is $userSAMAccountName", "Information")
$Context.LogMessage("Selected User's Primary DN is $userDN", "Information")

# Obtain User's Secondary SAM Account Name and Write it to the Execution Log, then Verify it Exists
$userHAAccount = "A.$userSAMAccountName"
$Context.LogMessage("Selected User's Secondary SAM Account Username should be $userHAAccount....Checking to ensure the User Exists Before Proceeding.", "Information")

# Create search criteria
$criteria = New-AdmCriteria "user" { sAMAccountName -eq "$userHAAccount" }

# Execute the search across the entire domain
$searcher = $service.OpenObject("Adaxes://RootDSE", $null, $null, 0)
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"

# Execute search
$searchResultIterator = $searcher.ExecuteSearch()

# Fetch the search result
$searchResults = $searchResultIterator.FetchAll()

# Check if any users were found
if ($searchResults.Count -gt 0) {
    # User with HA SAM Account Name exists
    $Context.LogMessage("Selected User's HA Secondary Account Username Exists......Proceeding.", "Information")
} else {
    # User with HA SAM Account Name does not exist
    $Context.LogMessage("Selected User's Secondary SAM Account Username DOES NOT Exist......Cancelling Operation.", "Information")
}

Now the execution log is always showing that the username exists when it doesn't. If I change the results parameter to "$searchResults.Count -eq 1" (because there should only be 1 valid result that finds the account matching the $userHAAccount value as the SAM Account Name), the output is always that the account username doesn't exist when it does. Perhaps I need to specify that I need the search result to return an account matching that SAM Account Name, but I cannot see what I am missing.

I can verify that Adaxes is searching by the right thing because I had it write to the execution log "Selected User's Secondary SAM Account Username should be $userHAAccount....Checking to ensure the User Exists Before Proceeding." and it would properly display the expected SAM Account Name.

All users in the directory follow a strict naming scheme where they MUST have their secondary account with "A." starting the username and the next part always matching the user's primary SAM. So, Mike Smith's primary SAM is MSmith but the secondary account is A.MSmith, which is what I was attempting to define in Line 12 ($userHAAccount = "A.$userSAMAccountName").

After the search finds the account, I need the Distinguished Name put into a variable that I can then use to add the selected user AND the found user to some security groups. Can you possibly see what about my code is not correct? I based the script off your guide: https://www.adaxes.com/sdk/SampleScripts.SearchingUserAccounts/

All-in-all, I am trying to create a script that derives off the user selected (As this will be used in a custom command) and then determine and find the User's Secondary account (If it exists) and make a variable for it that I can then use later on in the script to add the secondary admin account to a group.

Thank You!

by (470 points)

1 Answer

0 votes
by (272k points)
Best answer

Hello,

First of all, there is no need to connect to the Adaxes service and use the OpenObject method in scripts executed by Adaxes itself (in custom commands, scheduled tasks, etc.). The $Context variable has all that. The following article will be helpful: https://adaxes.com/sdk/ServerSideScripting/.

As for the script, it should look like below. In the script, the $secondaryAccount variable represents the secondary account found by the search.

# Search parameters
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    # Execute search
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Selected User's Secondary SAM Account Username DOES NOT Exist......Cancelling Operation.", "Information")
        return
    }
    else
    {
        $secondaryAccount = $Context.BindToObjectBySearchResult($searchResults[0])
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}
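As an added example (not part of the answer above or of Adaxes' own sample scripts), the same search carried through to what the question actually needs: once the "A.<sAMAccountName>" account is found, mirror the primary account's manager onto it and add both accounts to a group. $groupDN is a constructed placeholder; $Context, New-AdmCriteria and BindToObjectBySearchResult are used exactly as in the answer, and the manager copy and group membership use the standard ADSI Get/Put/SetInfo and IADsGroup.Add/IsMember calls.

```powershell
# Added example: find the target user's secondary account, copy the manager
# attribute to it and add both accounts to one group. Runs as a custom command.
# $groupDN is a constructed placeholder; replace it with a real group DN.
$groupDN = "CN=Secondary-Admins,OU=Groups,DC=example,DC=com"
$primarySAM = $Context.TargetObject.Get("sAMAccountName")

# Search from the target object; VirtualRoot covers the whole domain
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria "user" -Expression {sAMAccountName -eq "A.%sAMAccountName%"}
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.VirtualRoot = $True
$searcher.SizeLimit = 1

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("No secondary account A.$primarySAM found. Nothing to do.", "Warning")
        return
    }
    $secondaryAccount = $Context.BindToObjectBySearchResult($searchResults[0])
    $secondaryDN = $secondaryAccount.Get("distinguishedName")
}
finally
{
    # Release resources
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}

# Copy the manager. Get throws when the attribute is empty, so treat that as "no manager".
try { $managerDN = $Context.TargetObject.Get("manager") } catch { $managerDN = $null }
if ($managerDN)
{
    $secondaryAccount.Put("manager", $managerDN)
    $secondaryAccount.SetInfo()
    $Context.LogMessage("Manager of $secondaryDN set to $managerDN", "Information")
}

# Add both accounts to the group; IADsGroup.Add and IsMember take an ADsPath
$group = $Context.BindToObjectByDN($groupDN)
foreach ($account in @($Context.TargetObject, $secondaryAccount))
{
    if (-not $group.IsMember($account.AdsPath))
    {
        $group.Add($account.AdsPath)
    }
}
```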
