The script adds enabled and not expired guest users located in particular Organizational Units to unmanaged accounts. To execute the script, create a scheduled task configured for the Domain object type and assign it over any of your managed domains.
Parameters:
- $ouDNs - Specifies the distinguished names (DNs) of the Organizational Units whose guest users will be added to the unmanaged accounts list. Each OU is searched including its child OUs (subtree scope). For information on how to get an object DN, see Get the DN of a directory object.
- $replaceCurrentlyUnmanagedAccounts - Specifies whether to replace the accounts that are currently unmanaged ($True) or add the guest users located in the specified OUs to the existing list ($False). With $True the existing list is overwritten, so any account that the search does not find stops being unmanaged.
- $excludeUserDNs - Specifies the distinguished names (DNs) of the users that should not be added to the unmanaged accounts list even if they are located in the specified OUs. Exclusion is an exact DN match, so a user that is later moved or renamed no longer matches and will be added. If all child objects of the OUs should be added to the list, leave the array empty.
PowerShell
# --- Script parameters (edit the TODO lines before scheduling the task) ---

# OUs whose guest users become unmanaged; each is searched including child OUs.
$ouDNs = @(
    "OU=Unmanaged Accounts 1,DC=example,DC=com",
    "OU=Unmanaged Accounts 2,DC=example,DC=com") # TODO: modify me

# $False: merge the found users into the current unmanaged list.
# $True:  overwrite the current list with only the users found by this run.
$replaceCurrentlyUnmanagedAccounts = $False # TODO: modify me

# Users to skip even when they live under one of the OUs above. Matched by
# exact DN, so keep these in sync if the accounts are moved or renamed.
# Leave the array empty to exclude nobody.
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
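function GetUserSids($ouDNs, $criteria, $allUnmanagedSids)
{
    # Collects the objectSid (as a SID string) of every object under each OU in
    # $ouDNs that matches $criteria and adds it to the $allUnmanagedSids set.
    #
    # $ouDNs            - DNs of the OUs to search; each is searched with subtree scope.
    # $criteria         - Adaxes search criteria produced by New-AdmCriteria.
    # $allUnmanagedSids - HashSet[String] the SID strings are added to; the set drops
    #                     duplicates when the OUs overlap.
    #
    # Uses the Adaxes script context $Context, which the host provides (not defined here).
    foreach ($ouDN in $ouDNs)
    {
        $searcher = $Context.BindToObjectByDN($ouDN)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = $criteria
        # Do not follow referrals: the search stays inside the bound domain.
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SetPropertiesToLoad(@("objectSid"))

        # Reset per OU: if ExecuteSearch throws, the finally block must not
        # dispose $null (method call on null fails) or the previous OU's iterator.
        $searchResultIterator = $null
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            foreach ($searchResult in $searchResultIterator.FetchAll())
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                [void]$allUnmanagedSids.Add($sid.Value)
            }
        }
        finally
        {
            # Release resources; nothing to release when ExecuteSearch itself failed.
            if ($searchResultIterator -ne $null)
            {
                $searchResultIterator.Dispose()
            }
        }
    }
}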
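# Build criteria: enabled, not-expired guest users, minus the explicit exclusions.
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False -and guest -eq $True}
foreach ($dn in $excludeUserDNs)
{
    # Exact DN match: a user moved or renamed after $excludeUserDNs was written
    # no longer matches this filter and will be added.
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Get SIDs of all users located in the OUs (a set, so overlapping OUs add each user once)
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
GetUserSids $ouDNs $criteria $allUnmanagedSids

# Add users to unmanaged accounts
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if (-not $replaceCurrentlyUnmanagedAccounts)
{
    # Merge mode: keep every account that is unmanaged today.
    # '%%' is not a valid PowerShell command; use ForEach-Object.
    # Each entry's Key is presumably the account SID string (the same form
    # GetUserSids adds) — confirm against the GetUnmanagedAccounts API.
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | ForEach-Object { [void]$allUnmanagedSids.Add($_.Key) }
}
# Save changes. In replace mode this overwrites the whole list, so any account
# the search above did not find stops being unmanaged.
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))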