0 votes

For licensing purposes is it possible to restrict users displayed in Adaxes based on an OU rather than individual accounts?

by (520 points)

1 Answer

0 votes
by (216k points)

Hello,

There is no support for such functionality in the user interface, but you can do this with PowerShell scripts. For example, you can create a PowerShell script that will add users from specific OUs to unmanaged accounts. Then, you can use this script in a Scheduled Task using the Run a program or PowerShell script action to launch it automatically so that if you add/remove users from the OUs that you specify, corresponding changes would be made to the list of unmanaged accounts automatically.

To implement such a solution:

  1. Create a new Scheduled Task.

  2. On the 3rd step of the Create Scheduled Task wizard, select the Show all object types option.

  3. Select the Domain-DNS object type.

  4. On the 4th step of the wizard, add the Run a program or PowerShell script action and paste the following script in the script field.

     $ouDNs = @("OU=MAC Auth Accounts,OU=IT,DC=company,DC=com") # TODO: modify me
    
     function GetUserSids($ouDNs)
     {
         $userSids = New-Object "System.Collections.Generic.List[String]"
    
         foreach ($ouDN in $ouDNs)
         {
             $ou = $Context.BindToObjectByDN($ouDN)
    
             $userSearcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
             $userSearcher.SearchParameters.BaseObjectPath = $ou.AdsPath
             $userSearcher.SearchParameters.PageSize = 500
             $userSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
             $userSearcher.SearchParameters.Filter = "(&(objectCategory=person)(objectClass=user))"
             $userSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
             $userSearcher.SetPropertiesToLoad(@("objectSid"))
    
             $searcherResult = $userSearcher.ExecuteSearch()
    
             foreach ($user in $searcherResult.FetchAll())
             {
                 $sidBytes = $user.Properties["objectSid"].Value
                 $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    
                 $userSids.Add($sid.ToString()) | Out-Null
             }
          }
    
          return ,$userSids
     }
    
     $userSids = GetUserSids $ouDNs
    
     $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
     $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
    
     $admConfigurationSetSettings.SetUnmanagedAccounts(@($userSids))
    
  5. In the script, ouDNs specifies a list of Distinguished Names (DNs) of the OUs, users from which should be added to unmanaged accounts. Specify the OUs you don't want to manage.

  6. Add a short description for the script and click OK.

  7. On the 5th step, assign the Scheduled Task over any of your domains.

  8. Click Finish.

Also, you can take a look at the sample scripts in Adaxes SDK: http://adaxes.com/sdk/?SampleScripts.Co ... ounts.html.

0

Probably replace the entire list, right? We'll want to automate this to repopulate the list once a month (or whatever), and as users are provisioned / deprovisioned the simplest fix is probably to just redo the list each time, I assume.

Thank you!

0

Hello,

We've added the script to our Script Repository. See the following page, the script entitled Import Organizational Units from CSV: http://www.adaxes.com/script-repository ... htm#import.

0

Great, I'll test it out. Thanks!

0

I've tested and am unable to get the script to run via the Adaxes powershell on Windows Server 2016. I get the following error:

%% : The term '%%' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:43 char:21
+ $ouDNs = $records | %%{$_.$ouDNColumnName}
+ ~~
+ CategoryInfo : ObjectNotFound: (%%:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

I'm unsure what the double % is (I'm not very knowledgeable about scripting), but I assume it's just a typo and it's supposed to be a single %, meaning 'foreach'?

Under that assumption I dropped one of the %s and reran the script, which generated a (different) host of errors, some as shown below:

You cannot call a method on a null-valued expression.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:9 char:9
+ $searcher = $Context.BindToObjectByDN($ouDN)
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

The property 'PageSize' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:10 char:9
+ $searcher.PageSize = 500
+ ~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

The property 'SearchScope' cannot be found on this object. Verify that the property exists and can be set.
At C:\Users\user\Desktop\UnlicensingCSV.ps1:11 char:9
+ $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyNotFound

Have you been able to run this successfully? Am I missing a module or something? The values in my CSV look normal (I got them by running an export of our AD structure with this commandlet)

Get-ADOrganizationalUnit -filter * | select Name,DistinguishedName | Export-csv OUs.csv -NoTypeInformation

Thanks for the assistance.

0

Hello,

The script is using the Context variable and can be executed only in Business Rules, Scheduled Tasks and Custom Commands. You can create a Custom Command configured for Domain-DNS Object type to update the Unmanaged Accounts list on demand. For information on how to create a Custom Command, have a look at the following tutorial: http://www.adaxes.com/tutorials_ActiveD ... ommand.htm.

To schedule updating the Unmanaged Accounts list use a Scheduled Task configured for Domain-DNS Object type. To create the task, have a look at the following tutorial: http://www.adaxes.com/tutorials_Automat ... gement.htm.

Related questions

0 votes
1 answer

This is for license purposes and we do not want them visible in the Adaxes portal.

asked Oct 22, 2021 by jfrederickwl (20 points)
0 votes
1 answer

Is it possible to create a business unit and have it auto populate with group owners in a specific OU. I've tried a few scripts to get propertie adm-managedbylist but none have worked so far.

asked 5 days ago by C27 (20 points)
0 votes
1 answer

Is it possible to have Adaxes dynamically provide a list for the Offices AD property to choose based on a OU structure?

asked Aug 27, 2017 by audiblehum (50 points)
0 votes
1 answer

Hi, I would like to be able to provision my user accounts "Department" fields based on the Organizational Unit name in which the user is in. Basically I'd like to copy the ... Adaxes? ex: OU = IT Corp Name = Paul Fakename Department = IT Corp Thanks in advance

asked Nov 26, 2012 by cedricb (50 points)
0 votes
1 answer

Hi, would it be possible to achieve the following idea: Creating and updating rule based groups, based on user attributes like company? For each company value in AD, ... get all unique company values, then create a group with this company value as filter.

asked Mar 7 by wintec01 (1.5k points)
3,548 questions
3,239 answers
8,232 comments
547,814 users