The script disenrolls users affected by a specific Password Self-Service Policy. To be able to disenroll users on demand, create a custom command for the Domain-DNS object type that runs the script. To disenroll users on a certain schedule, create a scheduled task that runs the script on a certain schedule.
Parameter:
- $policyName - Specifies the name of the Password Self-Service Policy whose affected users should be disenrolled. The name must match exactly one policy; if zero or several policies match, the script logs a message and exits without changing any user.
PowerShell
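$policyName = "My Policy" # TODO: modify me

# Escapes a value for use inside an LDAP search filter (RFC 4515) so that a
# policy name containing '\', '*', '(', ')' or NUL cannot break or widen the
# filter. Backslash is escaped first so the other escapes are not doubled.
function ConvertTo-LdapFilterValue([string]$value)
{
    $value = $value.Replace("\", "\5c")
    $value = $value.Replace("*", "\2a")
    $value = $value.Replace("(", "\28")
    $value = $value.Replace(")", "\29")
    return $value.Replace([string][char]0, "\00")
}

# Find the Password Self-Service Policy by name
$configurationContainerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($configurationContainerPath)
$escapedPolicyName = ConvertTo-LdapFilterValue $policyName
$policySearcher.SearchFilter = "(&(objectCategory=adm-PasswordSelfServicePolicy)(name=$escapedPolicyName))"
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.PageSize = 500

$policyPath = $null
$policySearchResultIterator = $null
try
{
    $policySearchResultIterator = $policySearcher.ExecuteSearch()
    $searchResults = $policySearchResultIterator.FetchAll()
    if ($searchResults.Length -gt 1)
    {
        # Refuse to guess: disenrolling the users of the wrong policy is not undone by this script.
        $Context.LogMessage("Found more than one policy with name '$policyName'.", "Warning")
        return
    }
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Password Self-Service Policy '$policyName' does not exist.", "Error")
        return
    }
    $policyPath = $searchResults[0].AdsPath
}
finally
{
    # Release resources; the iterator is still $null if ExecuteSearch() threw,
    # and calling Dispose() on it would mask the original error.
    if ($null -ne $policySearchResultIterator)
    {
        $policySearchResultIterator.Dispose()
    }
}

# Bind to the policy
$policy = $Context.BindToObject($policyPath)

# Disenroll every user the policy currently affects
$affectedUserSearcher = $policy.FindAffectedUsers()
$affectedUserSearcher.PageSize = 500
$affectedUserSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$disenrolledCount = 0
$failedCount = 0
$searchResultIterator = $null
try
{
    $searchResultIterator = $affectedUserSearcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    foreach ($searchResult in $searchResults)
    {
        $userPath = $searchResult.AdsPath
        try
        {
            # Bind to the user
            $user = $Context.BindToObject($userPath)
            if ($user.IsEnrolled)
            {
                $user.DisenrollUser()
                $disenrolledCount++
                # Audit trail: record exactly which accounts this run disenrolled
                $Context.LogMessage("Disenrolled user '$userPath'.", "Information")
            }
        }
        catch
        {
            # One failing account must not abort the run and leave the remaining users enrolled;
            # report it and continue.
            $failedCount++
            $Context.LogMessage("Failed to disenroll user '$userPath'. $($_.Exception.Message)", "Warning")
        }
    }
}
finally
{
    # Release resources; guard against ExecuteSearch() having thrown before the iterator was set
    if ($null -ne $searchResultIterator)
    {
        $searchResultIterator.Dispose()
    }
}

$Context.LogMessage("Disenrolled $disenrolledCount user(s) affected by policy '$policyName'; $failedCount failure(s).", "Information")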