Script repository

Add direct members of groups to Unmanaged Accounts

June 22, 2023

The script adds users who are members of specific groups to Unmanaged Accounts. When adding users, only direct membership in the groups is taken into account.

To keep the list of Unmanaged Accounts in line with changes in your directory, you need to create a scheduled task configured for the Domain object type that runs the script and assign it over any of your managed domains.

Parameters:

  • $groupDNs - Specifies the distinguished names (DNs) of the groups whose members will be added to Unmanaged Accounts.
  • $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged with members of the groups or add the members to the existing Unmanaged Accounts list.
  • $excludeUserDNs - Specifies the distinguished names (DNs) of the user accounts that should not be added to the unmanaged accounts list even if they are direct members of the groups specified in the $groupDNs variable. If all group members should be added to the list, leave the array empty.
PowerShell
$groupDNs = @(
    "CN=My Group 1,CN=Users,DC=domain,DC=com", 
    "CN=My Group 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

# Get members
# adm-DirectMembersGuid holds the GUIDs of direct members only;
# nested group membership is deliberately not expanded.
$guidsToSearch = New-Object System.Collections.ArrayList
foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    try
    {
        $guidInBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        # The property is absent when the group has no members; skip the group
        continue
    }
    $guidsToSearch.AddRange($guidInBytes)
}

# Create search
$searcher = $Context.CreateGuidBasedSearcher($guidsToSearch.ToArray())

# Add criteria to exclude specific users
# Note: only enabled, non-expired accounts are matched, so disabled or
# expired group members are never added to the list.
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $excludeUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}
$searcher.AddCriteria($criteria)

$searchResultIterator = $null
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    # Collect the SIDs of all matching members
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($searchResult in $searchResults)
    {
        $sidBytes = $searchResult.Properties["objectSid"].Value
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
        [void]$allUnmanagedSids.Add($sid.Value)
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

# Add users to unmanaged accounts
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged and merge them in
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %{[void]$allUnmanagedSids.Add($_.Key)}
}

# Save changes
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
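Because the scheduled task rewrites the Unmanaged Accounts list on every run, it is worth logging the change set and refusing a save that would empty the list by accident (for example when none of the groups could be read in replace mode). The following is an added example, not code from the script repository; it is meant to replace the "Save changes" step above and assumes the variables that step already has in scope ($Context, $configurationSetSettings, $allUnmanagedSids and $replaceCurrentlyUnmanagedAccounts). The function name Get-UnmanagedAccountDelta is an assumption; $Context.LogMessage is used for the log entries.

```powershell
# Added example: compute the change set against the current Unmanaged
# Accounts list, log it, and guard against an accidental wipe before saving.
# Assumes $Context, $configurationSetSettings, $allUnmanagedSids (a
# HashSet[String] of SIDs) and $replaceCurrentlyUnmanagedAccounts from the
# script above. The function name is an assumption.

function Get-UnmanagedAccountDelta
{
    param(
        [string[]]$CurrentSids,  # SIDs currently on the Unmanaged Accounts list
        [string[]]$DesiredSids,  # SIDs computed from direct group membership
        [bool]$Replace           # $True: desired set replaces current; $False: union
    )

    $current = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($sid in $CurrentSids) { [void]$current.Add($sid) }
    $desired = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($sid in $DesiredSids) { [void]$desired.Add($sid) }

    # Accounts that will appear on the list after the save
    $added = @($desired | Where-Object { -not $current.Contains($_) })

    # Accounts that will disappear from the list; only possible in replace mode
    $removed = @()
    if ($Replace)
    {
        $removed = @($current | Where-Object { -not $desired.Contains($_) })
    }

    return @{ Added = $added; Removed = $removed }
}

# SIDs that are unmanaged right now (Key is the SID string, as in the script above)
$currentSids = @($configurationSetSettings.GetUnmanagedAccounts(@()) | ForEach-Object { $_.Key })

$delta = Get-UnmanagedAccountDelta -CurrentSids $currentSids `
    -DesiredSids @($allUnmanagedSids) -Replace $replaceCurrentlyUnmanagedAccounts

foreach ($sid in $delta.Added)
{
    $Context.LogMessage("Adding to Unmanaged Accounts: $sid", "Information")
}
foreach ($sid in $delta.Removed)
{
    $Context.LogMessage("Removing from Unmanaged Accounts: $sid", "Warning")
}

# Guard: in replace mode an empty membership result would clear the whole
# list (for example if every group was unreadable); leave it unchanged instead.
if ($replaceCurrentlyUnmanagedAccounts -and $allUnmanagedSids.Count -eq 0 -and $currentSids.Count -gt 0)
{
    $Context.LogMessage("No group members found; Unmanaged Accounts list left unchanged.", "Warning")
    return
}

# Save changes
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
```

In union mode ($replaceCurrentlyUnmanagedAccounts = $False) the script has already merged the current list into $allUnmanagedSids, so the delta only ever reports additions; in replace mode the removals are the accounts that stopped being direct members since the last run, which is exactly what an administrator reviewing the task's execution log wants to see.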