Hi there,
It seems this may not be the case - I ran the script, and it returned a single instance of the phrase "Unmanaged Accounts" and 1 instance of "SetUnmanagedAccounts" - both within the script that reduces this number. This is the script, which is the one that runs at 2 am every day.
(We do have the managedOuDNs defined, but I've redacted them for obvious reasons.)
    # Collects the SIDs of all user accounts that are NOT located under any of the managed OUs
    function GetUserSids($managedOuDNs, $allUnmanagedSids)
    {
        $searcher = New-Object "Softerra.Adaxes.Adsi.Search.DirectorySearcher" $NULL, $False
        # sAMAccountType=805306368 matches user accounts
        $searcher.SearchParameters.Filter = "(sAMAccountType=805306368)"
        $searcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.SearchParameters.PageSize = 500
        $searcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SearchParameters.VirtualRoot = $True
        $searcher.SetPropertiesToLoad(@("objectSid","distinguishedName"))

        $searcherResult = $NULL
        try
        {
            $searcherResult = $searcher.ExecuteSearch()
            foreach ($user in $searcherResult.FetchAll())
            {
                # Skip the user if it is located under one of the managed OUs
                $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $user.Properties["distinguishedName"].Value
                $addToUnmanagedAccounts = $True
                foreach ($ouDN in $managedOuDNs)
                {
                    if ($userDN.IsDescendantOf($ouDN))
                    {
                        $addToUnmanagedAccounts = $False
                        break
                    }
                }
                if (!($addToUnmanagedAccounts))
                {
                    continue
                }

                # Convert the binary SID to its string form and add it to the set
                $sidBytes = $user.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                $allUnmanagedSids.Add($sid.Value) | Out-Null
            }
        }
        finally
        {
            # The result is $NULL if ExecuteSearch itself failed
            if ($searcherResult) { $searcherResult.Dispose() }
        }
    }

    # Create an empty hash set for SIDs of Unmanaged Accounts
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

    # Get SIDs of all users who are not located under the managed OUs
    GetUserSids $managedOuDNs $allUnmanagedSids

    # Bind to the 'Configuration Set Settings' object
    $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
    $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

    # Update Unmanaged Accounts
    $admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
If Adaxes does not reset the unmanaged accounts number on occasion, there may be some other issue (perhaps some sort of corruption or an update) that has caused the number to revert to 497, and then the script failed to change the number?
It may be easier to mark this down as a one-off failure.