
Add users not located in certain Organizational Units to the unmanaged list


Unmanaged accounts

The script adds enabled, non-expired user accounts that are not located in the specified Organizational Units to the unmanaged list. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain is used only to trigger execution of the scheduled task.

Parameters

  • $managedOuDNs - the distinguished names (DNs) of the Organizational Units. Users not located in the OUs will be added to the unmanaged list. For information on how to get an object DN, see Get the DN of a directory object.
  • $excludeSubOUDNs - the distinguished names (DNs) of sub-OUs located within the OUs specified in the $managedOuDNs variable. Users located in these sub-OUs will be added to the unmanaged list.
  • $managedUserDNs - the distinguished names (DNs) of users that will never be added to the unmanaged list.
  • $managedGroupDNs - the distinguished names (DNs) of groups whose members will never be added to the unmanaged list.
  • $replaceCurrentlyUnmanagedAccounts - If set to $true, the accounts gathered by the script fully replace the current unmanaged list. If set to $false, the accounts gathered by the script are added to the existing list.
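# Configuration. All values below are sample placeholders; replace them with
# DNs from your own directory before scheduling the script.

# OUs whose users stay managed. Every enabled, non-expired user outside these
# OUs is added to the unmanaged list.
$managedOuDNs = @(
    "OU=My OU 1,DC=domain,DC=com",
    "OU=My OU 2,DC=domain,DC=com") # TODO: modify me

# Sub-OUs of the managed OUs whose users are nevertheless added to the
# unmanaged list.
$excludeSubOUDNs = @(
    "OU=SubOU 1, OU=My OU 1,DC=domain,DC=com",
    "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me

# Individual users that are never added to the unmanaged list.
$managedUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

# Groups whose members are never added to the unmanaged list.
$managedGroupDNs = @(
    "CN=MyGroup1,OU=Groups,DC=domain,DC=com",
    "CN=MyGroup2,OU=Groups,DC=domain,DC=com") # TODO: modify me

# $True: the gathered accounts replace the whole unmanaged list (entries added
# by other means are dropped). $False: they are merged into the existing list.
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me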

# Returns $True when $userDN lies under at least one DN in $ouDNs, $False
# otherwise (including when $ouDNs is empty or $null).
# $userDN must expose an IsDescendantOf($dn) method; GetUserSids passes a
# Softerra.Adaxes.LDAP.DN instance.
function IsDescendantOf ($userDN, $ouDNs)
{
    foreach ($candidateDN in $ouDNs)
    {
        if ($userDN.IsDescendantOf($candidateDN))
        {
            return $True
        }
    }

    return $False
}

# Collects the SIDs of users that must become unmanaged into $allUnmanagedSids.
#
# $managedOuDNs     - OUs whose users stay managed (unless under an excluded sub-OU)
# $allUnmanagedSids - output HashSet[String]; SID strings are added to it
# $criteria         - Adaxes search criteria selecting the candidate users
# $excludeSubOUDNs  - sub-OUs of the managed OUs whose users become unmanaged
#
# The search runs against $Context.TargetObject. VirtualRoot is enabled, which
# presumably makes the search span every directory Adaxes manages rather than
# only the task's target domain - confirm against the Adaxes searcher docs.
function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
{
    $searcher = $Context.TargetObject
    $searcher.Criteria = $criteria
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.PageSize = 500
    $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
    $searcher.VirtualRoot = $True

    $iterator = $null
    try
    {
        $iterator = $searcher.ExecuteSearch()
        foreach ($result in $iterator.FetchAll())
        {
            $dn = New-Object "Softerra.Adaxes.LDAP.DN" $result.Properties["distinguishedName"].Value
            $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($result.Properties["objectSid"].Value, 0)

            # A user is unmanaged when it sits in an excluded sub-OU, or when it is
            # outside every managed OU. -or short-circuits, so the managed-OU test
            # only runs for users that are not already excluded.
            $isUnmanaged = (IsDescendantOf $dn $excludeSubOUDNs) -or
                           (-not (IsDescendantOf $dn $managedOuDNs))
            if ($isUnmanaged)
            {
                $null = $allUnmanagedSids.Add($sid.Value)
            }
        }
    }
    finally
    {
        # Release the search iterator even if ExecuteSearch or the loop throws
        if ($iterator) { $iterator.Dispose() }
    }
}

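# Create an empty hash set; the set de-duplicates SIDs that are reached more
# than once
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

# Build criteria: only enabled, non-expired users are candidates
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}

# Users listed in $managedUserDNs are never candidates
foreach ($dn in $managedUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Members of $managedGroupDNs are never candidates. NOTE(review): the attribute
# name directMemberOf suggests only direct members are excluded, so users that
# belong through nested groups are presumably still candidates - confirm
# against the Adaxes criteria reference before relying on group exclusions.
foreach ($dn in $managedGroupDNs)
{
    $criteria["user"].Add({directMemberOf -ne $dn})
}

# Get SIDs of all users who are not located under the managed OUs
GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

# Bind to the 'Configuration Set Settings' container
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Merge mode: keep every account already on the unmanaged list.
    # Each entry's Key is added to the SID set, so Key is presumably the SID
    # string - confirm against GetUnmanagedAccounts' return type.
    # ForEach-Object is spelled out; the "%%" that appeared here is not a
    # PowerShell alias and fails with "command not found".
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | ForEach-Object { [void]$allUnmanagedSids.Add($_.Key) }
}

# Update Unmanaged Accounts. In replace mode the set computed above becomes the
# entire list, so any entry added by other means is dropped.
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))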

Comments 2


  • Noyan


    Hi all,

    We are using this script, but since the latest Adaxes update, Azure AD users are not added to the list.
    No OU is set in the script, yet Azure AD users are still not added to the list.
    The scope is set to All Objects.
    Is it possible to add both Azure AD and on-premises AD users to the unmanaged list with one script?

    Thanks
    Noyan

    • Support


      Hello Noyan,

      Yes, it is possible. Use the script below. We have also updated the script in the article itself.

      # Sample values only; replace each DN with one from your own directory.
      # OUs whose users stay managed
      $managedOuDNs = @("OU=My OU 1,DC=domain,DC=com", "OU=My OU 2,DC=domain,DC=com") # TODO: modify me
      # Sub-OUs of the managed OUs whose users become unmanaged anyway
      $excludeSubOUDNs = @("OU=SubOU 1, OU=My OU 1,DC=domain,DC=com", "OU=SubOU 2, OU=My OU 1,DC=domain,DC=com") # TODO: modify me
      # Users that are never added to the unmanaged list
      $managedUserDNs = @("CN=My User 1,CN=Users,DC=domain,DC=com", "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
      
      # Returns $True when $userDN lies under at least one DN in $ouDNs, $False
      # otherwise (including for an empty or $null $ouDNs). $userDN must expose
      # an IsDescendantOf($dn) method, as the Softerra.Adaxes.LDAP.DN type does.
      function IsDescendantOf ($userDN, $ouDNs)
      {
          foreach ($candidateDN in $ouDNs)
          {
              if ($userDN.IsDescendantOf($candidateDN))
              {
                  return $True
              }
          }

          return $False
      }
      
      # Collects the SIDs of users that must become unmanaged into $allUnmanagedSids.
      #
      # $managedOuDNs     - OUs whose users stay managed (unless under an excluded sub-OU)
      # $allUnmanagedSids - output HashSet[String]; SID strings are added to it
      # $criteria         - Adaxes search criteria selecting the candidate users
      # $excludeSubOUDNs  - sub-OUs of the managed OUs whose users become unmanaged
      #
      # The search runs against $Context.TargetObject with VirtualRoot enabled,
      # which presumably widens it beyond the task's target domain - confirm
      # against the Adaxes searcher docs.
      function GetUserSids($managedOuDNs, $allUnmanagedSids, $criteria, $excludeSubOUDNs)
      {
          $searcher = $Context.TargetObject
          $searcher.Criteria = $criteria
          $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
          $searcher.PageSize = 500
          $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
          $searcher.VirtualRoot = $True

          $iterator = $null
          try
          {
              $iterator = $searcher.ExecuteSearch()
              foreach ($result in $iterator.FetchAll())
              {
                  $dn = New-Object "Softerra.Adaxes.LDAP.DN" $result.Properties["distinguishedName"].Value
                  $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($result.Properties["objectSid"].Value, 0)

                  # Unmanaged when inside an excluded sub-OU, or outside every managed
                  # OU. -or short-circuits, so the managed-OU test only runs for users
                  # that are not already excluded.
                  $isUnmanaged = (IsDescendantOf $dn $excludeSubOUDNs) -or
                                 (-not (IsDescendantOf $dn $managedOuDNs))
                  if ($isUnmanaged)
                  {
                      $null = $allUnmanagedSids.Add($sid.Value)
                  }
              }
          }
          finally
          {
              # Release the search iterator even if ExecuteSearch or the loop throws
              if ($iterator) { $iterator.Dispose() }
          }
      }
      
      # Create an empty hash set; it de-duplicates SIDs reached more than once
      $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"

      # Build filter. Unlike the article version, no enabled/not-expired
      # condition is applied here, so disabled and expired users are candidates too.
      $criteria = New-AdmCriteria -Type "user"
      # Users listed in $managedUserDNs are never candidates
      foreach ($dn in $managedUserDNs)
      {
          $criteria["user"].Add({distinguishedName -ne $dn})
      }

      # Get SIDs of all users who are not located under the managed OUs
      GetUserSids $managedOuDNs $allUnmanagedSids $criteria $excludeSubOUDNs

      # Bind to the 'Configuration Set Settings' container
      $configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
      $admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

      # Update Unmanaged Accounts. The gathered set replaces the whole list;
      # there is no merge with entries that are already unmanaged.
      $admConfigurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
      
