
Add direct members of groups to unmanaged accounts

Updated on: Jan 18, 2026

The script adds users who are enabled, not expired, and direct members of the specified groups to the unmanaged accounts list. Only direct membership is taken into account; users who belong to the groups through nested groups are not added. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain is used only to trigger execution of the scheduled task.

Parameters

  • $groupDNs - the distinguished names (DNs) of the groups whose members will be added to the unmanaged accounts list. For information on how to get the DNs, see Get the DN of a directory object.
  • $replaceCurrentlyUnmanagedAccounts - if set to $true, the accounts gathered by the script fully replace the current unmanaged list. If set to $false, the accounts gathered by the script are added to the existing list.
  • $excludeUserDNs - the distinguished names (DNs) of the user accounts that should not be added to the unmanaged accounts list even if they are direct members of the groups specified in the $groupDNs variable. If all group members should be added to the list, leave the array empty.

$groupDNs = @(
    "CN=My Group 1,CN=Users,DC=domain,DC=com", 
    "CN=My Group 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

# Get group members.
$guidsToSearch = New-Object System.Collections.ArrayList
foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    try
    {
        $guidInBytes = $group.GetEx("adm-DirectMembersGuid")
    }
    catch
    {
        continue
    }
    $guidsToSearch.AddRange($guidInBytes)
}

# Create search
$searcher = $Context.CreateGuidBasedSearcher($guidsToSearch.ToArray())
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

# Add criteria: only enabled, not expired users, minus the explicitly excluded ones.
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $excludeUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}
$searcher.AddCriteria($criteria)

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($searchResult in $searchResults)
    {
        $sidBytes = $searchResult.Properties["objectSid"].Value
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
        [void]$allUnmanagedSids.Add($sid.Value)
    }
}
finally
{
    # Release resources.
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

# Add users to unmanaged accounts.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged and keep them in the list.
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %{[void]$allUnmanagedSids.Add($_.Key)}
}

# Save changes
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
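A pre-flight check, added here as an example and not part of the repository script above: it gathers the same accounts but, instead of saving, logs which SIDs would be added to the unmanaged list and which currently unmanaged accounts would drop off it when $replaceCurrentlyUnmanagedAccounts is $true, so the change can be reviewed in the task's execution log first. It assumes the same Adaxes environment ($Context available) and uses only the calls the script already makes plus $Context.LogMessage.

```powershell
$groupDNs = @("CN=My Group 1,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @()                                     # TODO: modify me

# Gather SIDs exactly as the script does: direct members only, enabled,
# not expired, minus the excluded DNs.
$guidsToSearch = New-Object System.Collections.ArrayList
foreach ($groupDN in $groupDNs)
{
    $group = $Context.BindToObjectByDN($groupDN)
    try { $guidsToSearch.AddRange($group.GetEx("adm-DirectMembersGuid")) }
    catch { $Context.LogMessage("Group $groupDN has no direct members", "Warning") }
}
$searcher = $Context.CreateGuidBasedSearcher($guidsToSearch.ToArray())
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $excludeUserDNs) { $criteria["user"].Add({distinguishedName -ne $dn}) }
$searcher.AddCriteria($criteria)

$gatheredSids = New-Object "System.Collections.Generic.HashSet[String]"
try
{
    $iterator = $searcher.ExecuteSearch()
    foreach ($result in $iterator.FetchAll())
    {
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($result.Properties["objectSid"].Value, 0)
        [void]$gatheredSids.Add($sid.Value)
    }
}
finally { if ($iterator) { $iterator.Dispose() } }

# Compare against the list that is currently in effect (nothing is saved).
$settingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$settings = $Context.BindToObject($settingsPath)
$currentSids = New-Object "System.Collections.Generic.HashSet[String]"
$settings.GetUnmanagedAccounts(@()) | %{ [void]$currentSids.Add($_.Key) }

$added   = @($gatheredSids | Where-Object { -not $currentSids.Contains($_) })
$removed = @($currentSids  | Where-Object { -not $gatheredSids.Contains($_) })

$Context.LogMessage("Would add $($added.Count) account(s) to the unmanaged list", "Information")
foreach ($sid in $added)   { $Context.LogMessage("  + $sid", "Information") }
$Context.LogMessage("Would drop $($removed.Count) currently unmanaged account(s) if replacing the list", "Information")
foreach ($sid in $removed) { $Context.LogMessage("  - $sid", "Information") }
```

Run it from the same kind of scheduled task as the script; the "would drop" list only matters when the list is replaced, since in append mode existing unmanaged accounts are kept.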
