Script repository
The scripts add enabled and not expired users located in specific Organizational Units to the unmanaged accounts list. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.
Script 1: Specify Organizational Units directly in the script
Parameters
$ouDNs - the distinguished names (DNs) of the Organizational Units. Users located in the OUs will be added to the unmanaged accounts list. For information on how to get the DN of a directory object, see Get the DN of a directory object.
$replaceCurrentlyUnmanagedAccounts - if set to $true, the accounts gathered by the script will fully replace the current unmanaged list. If set to $false, the accounts gathered by the script will be added to the existing list.
$excludeUserDNs - distinguished names (DNs) of users that should not be added to the unmanaged accounts list even if they are located in the specified OUs. If all child objects of the OUs should be added to the list, leave the array empty.
$ouDNs = @(
    "OU=Unmanaged Accounts 1,DC=example,DC=com",
    "OU=Unmanaged Accounts 2,DC=example,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

function GetUserSids($ouDNs, $criteria, $allUnmanagedSids)
{
    foreach ($ouDN in $ouDNs)
    {
        # Find enabled and not expired users within the OU.
        $searcher = $Context.BindToObjectByDN($ouDN)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = $criteria
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SetPropertiesToLoad(@("objectSid"))
        $searchResultIterator = $NULL
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()
            foreach ($searchResult in $searchResults)
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                [void]$allUnmanagedSids.Add($sid.Value)
            }
        }
        finally
        {
            # Release resources. The iterator is $NULL if ExecuteSearch failed.
            if ($searchResultIterator) { $searchResultIterator.Dispose() }
        }
    }
}

# Build criteria: enabled, not expired, and not in the exclusion list.
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
foreach ($dn in $excludeUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Get SIDs of all users located in the OUs.
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
GetUserSids $ouDNs $criteria $allUnmanagedSids

# Add users to unmanaged accounts.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged and keep them in the list.
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %{[void]$allUnmanagedSids.Add($_.Key)}
}

# Save changes.
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))

Script 2: Import Organizational Units from CSV
Parameters
$csvFilePath - the path to the CSV file that contains distinguished names (DNs) of the OUs. Users located in the OUs will be added to the unmanaged accounts list. For information on how to get the DN of a directory object, see Get the DN of a directory object.
$ouDNColumnName - the header of the CSV column that contains the OU DNs.
$csvFilePath = "\\Server\Share\OrganizationalUnits.csv" # TODO: modify me
$ouDNColumnName = "DistinguishedName" # TODO: modify me

function GetUserSids($ouDNs)
{
    foreach ($ouDN in $ouDNs)
    {
        # Find enabled and not expired users within the OU.
        $searcher = $Context.BindToObjectByDN($ouDN)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SetPropertiesToLoad(@("objectSid"))
        $searchResultIterator = $NULL
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()
            # Get the SID of each user and add it to the script-scope set.
            foreach ($searchResult in $searchResults)
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                [void]$userSids.Add($sid.ToString())
            }
        }
        finally
        {
            # Release resources. The iterator is $NULL if ExecuteSearch failed.
            if ($searchResultIterator) { $searchResultIterator.Dispose() }
        }
    }
}

# Import CSV.
$records = Import-Csv -Path $csvFilePath -ErrorAction Stop

# Get OU DNs, skipping empty cells so that no bind to an empty DN is attempted.
$ouDNs = @($records | %{$_.$ouDNColumnName} | Where-Object { $_ })
if ($ouDNs.Count -eq 0)
{
    # Nothing to do: the column is missing or contains no DNs. Do not overwrite the list with an empty set.
    return
}

# Get user SIDs.
$userSids = New-Object "System.Collections.Generic.HashSet[String]"
GetUserSids $ouDNs

# Update the list of Unmanaged Accounts.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$admConfigurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)
$admConfigurationSetSettings.SetUnmanagedAccounts(@($userSids))

Script 3: For external execution
This version of the script must be executed in Windows PowerShell on the computer where Adaxes service runs. To execute the script, log in to the computer with the credentials of the Adaxes service account.
Parameters
$ouDNs - the distinguished names (DNs) of the Organizational Units. Users located in the OUs will be added to the unmanaged accounts list. For information on how to get the DN of a directory object, see Get the DN of a directory object.
$replaceCurrentlyUnmanagedAccounts - if set to $true, the accounts gathered by the script will fully replace the current unmanaged list. If set to $false, the accounts gathered by the script will be added to the existing list.
Import-Module Adaxes

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

$ouDNs = @(
    "OU=Unmanaged Accounts 1,DC=example,DC=com",
    "OU=Unmanaged Accounts 2,DC=example,DC=com") # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

function GetUserSids($ouDNs, $criteria, $allUnmanagedSids)
{
    foreach ($ouDN in $ouDNs)
    {
        # Find enabled and not expired users within the OU.
        $searcher = $admService.OpenObject("Adaxes://$ouDN", $NULL, $NULL, 0)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = $criteria
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        $searcher.SetPropertiesToLoad(@("objectSid"))
        $searchResultIterator = $NULL
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            $searchResults = $searchResultIterator.FetchAll()
            foreach ($searchResult in $searchResults)
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                [void]$allUnmanagedSids.Add($sid.Value)
            }
        }
        finally
        {
            # Release resources. The iterator is $NULL if ExecuteSearch failed.
            if ($searchResultIterator) { $searchResultIterator.Dispose() }
        }
    }
}

# Build criteria.
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}

# Get SIDs of all users located in the OUs.
$allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
GetUserSids $ouDNs $criteria $allUnmanagedSids

# Bind to the 'Configuration Set Settings' container.
$configurationSetSettingsPath = $admService.Backend.GetConfigurationContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $admService.OpenObject($configurationSetSettingsPath, $NULL, $NULL, 0)
if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged and keep them in the list.
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %{[void]$allUnmanagedSids.Add($_.Key)}
}

# Save changes.
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
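With $replaceCurrentlyUnmanagedAccounts set to $true, every account that the OU search does not return is dropped from the unmanaged list, so a wrong OU DN or an over-strict criteria expression silently shrinks the list. The following added example (written for this page, not one of the repository's scripts) is a report-only variant of script 3: it gathers the same SIDs, compares them with the list currently in effect, prints what would be added and removed, and only writes the list when $applyChanges is $true. It assumes, as the scripts above do, that the entries returned by GetUnmanagedAccounts(@()) expose the SID string as .Key; loading sAMAccountName alongside objectSid and the $applyChanges switch are additions of this example.

```powershell
Import-Module Adaxes

# Connect to the Adaxes service (same connection style as script 3; run on the Adaxes service computer).
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

$ouDNs = @(
    "OU=Unmanaged Accounts 1,DC=example,DC=com") # TODO: modify me (constructed sample value)
$replaceCurrentlyUnmanagedAccounts = $True        # TODO: modify me
$applyChanges = $False                            # $False = report only; $True = write the list

function GetUserSidsWithNames($ouDNs, $criteria)
{
    # Returns a hashtable that maps SID string -> sAMAccountName for every matching user.
    $result = @{}
    foreach ($ouDN in $ouDNs)
    {
        $searcher = $admService.OpenObject("Adaxes://$ouDN", $NULL, $NULL, 0)
        $searcher.PageSize = 500
        $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
        $searcher.Criteria = $criteria
        $searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
        # sAMAccountName is loaded only to make the report readable (assumption of this example).
        $searcher.SetPropertiesToLoad(@("objectSid", "sAMAccountName"))
        $searchResultIterator = $NULL
        try
        {
            $searchResultIterator = $searcher.ExecuteSearch()
            foreach ($searchResult in $searchResultIterator.FetchAll())
            {
                $sidBytes = $searchResult.Properties["objectSid"].Value
                $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
                $result[$sid.Value] = $searchResult.Properties["sAMAccountName"].Value
            }
        }
        finally
        {
            if ($searchResultIterator) { $searchResultIterator.Dispose() }
        }
    }
    return $result
}

# Same criteria as the scripts above: enabled and not expired users.
$criteria = New-AdmCriteria -Type "user" -Expression {accountDisabled -eq $False -and accountExpires -expired $False}
$gathered = GetUserSidsWithNames $ouDNs $criteria

# Read the list that is currently in effect.
$configurationSetSettingsPath = $admService.Backend.GetConfigurationContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $admService.OpenObject($configurationSetSettingsPath, $NULL, $NULL, 0)
$currentSids = New-Object "System.Collections.Generic.HashSet[String]"
$configurationSetSettings.GetUnmanagedAccounts(@()) | %{[void]$currentSids.Add($_.Key)}

# Compare the gathered set with the current list.
$toAdd = @($gathered.Keys | Where-Object { -not $currentSids.Contains($_) })
$alreadyListed = @($gathered.Keys | Where-Object { $currentSids.Contains($_) })
$toRemove = @()
if ($replaceCurrentlyUnmanagedAccounts)
{
    # In replace mode every current entry that the search did not return is dropped.
    $toRemove = @($currentSids | Where-Object { -not $gathered.ContainsKey($_) })
}

Write-Host ("Gathered from OUs: {0}; already unmanaged: {1}; to add: {2}; to remove: {3}" -f `
    $gathered.Count, $alreadyListed.Count, $toAdd.Count, $toRemove.Count)
foreach ($sid in $toAdd)    { Write-Host ("  + {0} ({1})" -f $gathered[$sid], $sid) }
foreach ($sid in $toRemove) { Write-Host ("  - {0}" -f $sid) }  # names of existing entries are not read here

if (-not $applyChanges)
{
    Write-Host "Report only; no changes were written. Set `$applyChanges = `$True to update the list."
    return
}

# Build and save the final list exactly as script 3 would.
$finalSids = New-Object "System.Collections.Generic.HashSet[String]"
$gathered.Keys | %{[void]$finalSids.Add($_)}
if (-not $replaceCurrentlyUnmanagedAccounts)
{
    $currentSids | %{[void]$finalSids.Add($_)}
}
$configurationSetSettings.SetUnmanagedAccounts(@($finalSids))
```

Run it first with $applyChanges left at $False; a non-zero "to remove" count in replace mode is the signal that the OU DNs or the criteria do not cover everything that is currently unmanaged.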
Comments (2)
Stuart Wilkinson
Hi,
I've attempted to run this script multiple times, but instead it seems to reset my unmanaged user list.
Support
Hello Stuart,
That is generally impossible. The scripts only update the unmanaged accounts list. They do not make any changes in AD. For troubleshooting purposes, please send all the details about the workflow you configured for running the script to support@adaxes.com.