Disenroll users affected by specific Password Self-Service Policy

February 23, 2021

The script disenrolls every user who is currently enrolled in Password Self-Service and is affected by a specific Password Self-Service Policy. To run it on demand, create a custom command for the Domain-DNS object type that executes the script; to run it on a schedule, create a scheduled task that executes it. Note that disenrollment is not reversible by the script: affected users will have to enroll again before they can use Password Self-Service. The policy is located by an LDAP search on its name, so a name that contains filter metacharacters such as `*`, `(`, `)` or `\` must be escaped, otherwise the filter can fail or match more than one policy.

Parameter:

  • $policyName - Specifies the name of the Password Self-Service Policy you need.
PowerShell
$policyName = "My Policy" # TODO: modify me

# Find the Password Self-Service Policy by name in the configuration container
$configurationContainerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($configurationContainerPath)
$policySearcher.SearchFilter = "(&(objectCategory=adm-PasswordSelfServicePolicy)(name=$policyName))"
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.PageSize = 500

$policySearchResultIterator = $null
try
{
    $policySearchResultIterator = $policySearcher.ExecuteSearch()
    $searchResults = $policySearchResultIterator.FetchAll()

    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one policy with name '$policyName'.", "Warning")
        return
    }
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Password Self-Service Policy '$policyName' does not exist.", "Error")
        return
    }

    $policyPath = $searchResults[0].AdsPath
}
finally
{
    # Release resources (the iterator is $null if ExecuteSearch failed)
    if ($policySearchResultIterator) { $policySearchResultIterator.Dispose() }
}

# Bind to the policy
$policy = $Context.BindToObject($policyPath)

# Get all users affected by the policy
$affectedObjectSearcher = $policy.FindAffectedUsers()
$affectedObjectSearcher.PageSize = 500
$affectedObjectSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$searchResultIterator = $null
try
{
    $searchResultIterator = $affectedObjectSearcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    foreach ($searchResult in $searchResults)
    {
        # Bind to the user and disenroll only those who are currently enrolled
        $user = $Context.BindToObject($searchResult.AdsPath)
        if ($user.IsEnrolled)
        {
            $user.DisenrollUser()
        }
    }
}
finally
{
    # Release resources
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}
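The following variant is an added example, not a script from the Adaxes script repository. It shows the two things a practitioner would want before running a bulk disenrollment: escaping the policy name before it is placed in the LDAP filter (so a name like "Contractors (EMEA)" cannot break or widen the search), and a dry-run mode that only reports who would be disenrolled. The `$dryRun` switch, the `Escape-LdapFilterValue` helper, the `sAMAccountName` lookup through the object's `Get` method and the "Information" log level are this example's own choices and assumptions; the Adaxes calls themselves are the same ones used by the script above.

```powershell
$policyName = "My Policy"   # TODO: modify me
$dryRun = $true             # $true = report only; set to $false to actually disenroll (assumed switch)

# Escape LDAP filter metacharacters per RFC 4515 so the policy name cannot alter the filter.
# Backslash is escaped first so the escapes added afterwards are not re-escaped.
function Escape-LdapFilterValue([string]$value)
{
    $escaped = $value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

# Find the policy; require exactly one match
$escapedName = Escape-LdapFilterValue $policyName
$containerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($containerPath)
$policySearcher.SearchFilter = "(&(objectCategory=adm-PasswordSelfServicePolicy)(name=$escapedName))"
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.PageSize = 500

$policyPath = $null
$iterator = $null
try
{
    $iterator = $policySearcher.ExecuteSearch()
    $results = $iterator.FetchAll()
    if ($results.Length -ne 1)
    {
        $Context.LogMessage("Expected exactly one policy named '$policyName', found $($results.Length).", "Error")
        return
    }
    $policyPath = $results[0].AdsPath
}
finally
{
    if ($iterator) { $iterator.Dispose() }
}

# Enumerate affected users; act only on those currently enrolled
$policy = $Context.BindToObject($policyPath)
$userSearcher = $policy.FindAffectedUsers()
$userSearcher.PageSize = 500
$userSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$enrolledCount = 0
$disenrolledCount = 0
$iterator = $null
try
{
    $iterator = $userSearcher.ExecuteSearch()
    foreach ($result in $iterator.FetchAll())
    {
        $user = $Context.BindToObject($result.AdsPath)
        if (-not $user.IsEnrolled) { continue }
        $enrolledCount++
        $account = $user.Get("sAMAccountName")   # assumed: objects expose IADs::Get
        if ($dryRun)
        {
            $Context.LogMessage("Would disenroll $account ($($result.AdsPath)).", "Information")
        }
        else
        {
            $user.DisenrollUser()
            $disenrolledCount++
            $Context.LogMessage("Disenrolled $account.", "Information")
        }
    }
}
finally
{
    if ($iterator) { $iterator.Dispose() }
}

$Context.LogMessage("Policy '$policyName': $enrolledCount enrolled user(s) affected, $disenrolledCount disenrolled (dry run: $dryRun).", "Information")
```

Run it first with `$dryRun = $true` from a custom command and review the execution log; the summary line tells you how many enrollments the real run will clear before you flip the switch.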