
Add guest users located in specific Organizational Units to unmanaged accounts



The script adds enabled, non-expired guest users located in the specified Organizational Units (searched recursively, so users in nested OUs are included) to the unmanaged accounts list. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain is only used to trigger execution of the scheduled task; the OUs that are actually searched come from the $ouDNs parameter below.

Parameters

  • $ouDNs - distinguished names (DNs) of the Organizational Units whose guest users will be added to unmanaged accounts. Each OU is searched as a subtree, so child OUs are included. For information on how to get the DN of a directory object, see Get the DN of a directory object.
  • $replaceCurrentlyUnmanagedAccounts - if set to $true, the accounts gathered by the script fully replace the current unmanaged list: any account that is unmanaged today but is not returned by the search (for example, a disabled or expired user, or a user outside the specified OUs) becomes managed again and subject to policies. If set to $false, the accounts gathered by the script are added to the existing list and nothing is removed.
  • $excludeUserDNs - distinguished names (DNs) of users that must not be added to the unmanaged accounts list even though they are located in the specified OUs. If no user should be excluded, leave the array empty.
# --- Parameters -------------------------------------------------------------
# TODO: modify me - DNs of the OUs to search (subtree) for guest users.
$ouDNs = @(
    "OU=Unmanaged Accounts 1,DC=example,DC=com"
    "OU=Unmanaged Accounts 2,DC=example,DC=com"
)

# TODO: modify me - DNs of users inside those OUs that must stay managed.
# Leave empty (@()) to exclude nobody.
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com"
    "CN=My User 2,CN=Users,DC=domain,DC=com"
)

# TODO: modify me - $True overwrites the whole unmanaged list with the search
# result; $False merges the search result into the existing list.
$replaceCurrentlyUnmanagedAccounts = $False

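function GetUserSids($ouDNs, $criteria, $allUnmanagedSids)
{
    # Collect the SIDs (as strings) of every user under each OU in $ouDNs that
    # matches $criteria, adding them to the $allUnmanagedSids hash set.
    #   $ouDNs             - DNs of the OUs to search; each is searched as a subtree.
    #   $criteria          - Adaxes criteria object (built with New-AdmCriteria).
    #   $allUnmanagedSids  - HashSet[String] that receives the SID strings;
    #                        the set silently drops duplicates.
    # Returns nothing; results are delivered through $allUnmanagedSids.
    foreach ($ouDN in $ouDNs)
    {
        # A wrong or unreachable DN makes BindToObjectByDN throw and aborts the
        # run. That is intentional: an incomplete list must never be saved.
        $searcher = $Context.BindToObjectByDN($ouDN)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = $criteria
        # Stay inside the bound domain; referrals are not followed.
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        # Only objectSid is needed; keeps the result set small.
        $searcher.SetPropertiesToLoad(@("objectSid"))

        # Reset per OU so the finally block never disposes a stale iterator
        # left over from the previous iteration.
        $searchResultIterator = $null
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()

            foreach ($searchResult in $searchResults)
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                [void]$allUnmanagedSids.Add($sid.Value)
            }
        }
        finally
        {
            # Release resources. If ExecuteSearch() threw, the iterator is $null;
            # calling Dispose() on it would raise a second error that hides the
            # original one, so only dispose what was actually created.
            if ($searchResultIterator)
            {
                $searchResultIterator.Dispose()
            }
        }
    }
}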

# Build criteria: user objects that are enabled, whose account has not expired,
# and that Adaxes flags as guest. Every DN in $excludeUserDNs is appended as an
# extra "distinguishedName -ne" clause so those users are filtered out server-side.
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False -and guest -eq $True}
foreach ($dn in $excludeUserDNs)
{
    # NOTE(review): this relies on $dn being resolved inside the script block at
    # the time Add() is called (the documented Adaxes criteria pattern) - confirm
    # if exclusions appear not to take effect.
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Gather the SIDs of every matching user under the configured OUs. A hash set
# is used so a SID is never stored twice, even if OUs overlap.
$allUnmanagedSids = New-Object -TypeName "System.Collections.Generic.HashSet[String]"
GetUserSids -ouDNs $ouDNs -criteria $criteria -allUnmanagedSids $allUnmanagedSids

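# Add users to unmanaged accounts.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Merge mode: keep every account that is already unmanaged. The hash set
    # deduplicates, so re-adding a SID the search also found is harmless.
    # (The original pipeline used "%%{...}", which is not a valid ForEach-Object
    # alias - the alias is a single "%" - so it was replaced by an explicit loop.)
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    foreach ($entry in $currentUnmanagedAccounts)
    {
        [void]$allUnmanagedSids.Add($entry.Key)
    }
}

# Save changes. In replace mode only the SIDs gathered above are written, so any
# currently unmanaged account the search did not return becomes managed again
# (and subject to policies) as soon as this call completes.
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))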
