Script repository

Add users that are not members of groups to the unmanaged list

Updated on: Jan 18, 2026, Views: 5188

Unmanaged accounts, Group membership

The script adds users who are not members of specific groups to the unmanaged list. When adding users, only direct membership in the groups is taken into account. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.

Parameters

  • $groupDNs - the distinguished names (DNs) of the groups whose members will not be added to the unmanaged list. For information on how to get the DNs, see Get the DN of a directory object.
  • $replaceCurrentlyUnmanagedAccounts - set to $true for the script to replace the current unmanaged list with the users found. If set to $false, the users found are appended to the current list.
  • $excludeUserDNs - the distinguished names (DNs) of the user accounts that should not be added to the unmanaged accounts list even if they are not members of the groups specified in the $groupDNs variable. Leave the array empty to add all users that are not members of the groups to the unmanaged accounts list.
$groupDNs = @(
    "CN=My Group 1,CN=Users,DC=domain,DC=com", 
    "CN=My Group 2,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @(
    "CN=My User 1,CN=Users,DC=domain,DC=com",
    "CN=My User 2,CN=Users,DC=domain,DC=com") # TODO: modify me

$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

# Build criteria to find users who are not members of the specified groups.
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $groupDNs)
{
    $criteria["user"].Add({directMemberOf -ne $dn})
}

# Add criteria to exclude specific users.
foreach ($dn in $excludeUserDNs)
{
    $criteria["user"].Add({distinguishedName -ne $dn})
}

# Find users and get their SIDs.
$searcher = $Context.BindToObject("Adaxes://rootDse")
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectSid"))
$searcher.VirtualRoot = $True

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    
    $allUnmanagedSids = New-Object "System.Collections.Generic.HashSet[String]"
    foreach ($searchResult in $searchResults)
    {
        $sidBytes = $searchResult.Properties["objectSid"].Value
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
        [void]$allUnmanagedSids.Add($sid.Value)
    }
}
finally
{
    # Release resources
    if ($searchResultIterator){ $searchResultIterator.Dispose() }
}

# Add users to unmanaged list.
$configurationSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configurationSetSettings = $Context.BindToObject($configurationSetSettingsPath)

if (!$replaceCurrentlyUnmanagedAccounts)
{
    # Fetch user accounts that are already unmanaged.
    $currentUnmanagedAccounts = $configurationSetSettings.GetUnmanagedAccounts(@())
    $currentUnmanagedAccounts | %{[void]$allUnmanagedSids.Add($_.Key)}
}

# Save changes
$configurationSetSettings.SetUnmanagedAccounts(@($allUnmanagedSids))
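Because the script above overwrites the unmanaged list when $replaceCurrentlyUnmanagedAccounts is $true, it is worth previewing the result first. The following dry-run variant is an added example, not a script from the repository: it runs the same search, compares the result with the current unmanaged list and only writes the differences to the task log via $Context.LogMessage, without calling SetUnmanagedAccounts. It assumes the same scheduled task context ($Context) and the same API calls as the script above.

```powershell
$groupDNs = @("CN=My Group 1,CN=Users,DC=domain,DC=com") # TODO: modify me
$excludeUserDNs = @() # TODO: modify me
$replaceCurrentlyUnmanagedAccounts = $True # TODO: modify me

# Same criteria as the main script: enabled, non-expired users outside the groups.
$criteria = New-AdmCriteria "user" {accountDisabled -eq $false -and accountExpires -expired $false}
foreach ($dn in $groupDNs) { $criteria["user"].Add({directMemberOf -ne $dn}) }
foreach ($dn in $excludeUserDNs) { $criteria["user"].Add({distinguishedName -ne $dn}) }

$searcher = $Context.BindToObject("Adaxes://rootDse")
$searcher.Criteria = $criteria
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$searcher.SetPropertiesToLoad(@("objectSid"))
$searcher.VirtualRoot = $True

# SID -> AdsPath of every user the main script would put on the list.
$foundSids = @{}
try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    foreach ($searchResult in $searchResultIterator.FetchAll())
    {
        $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($searchResult.Properties["objectSid"].Value, 0)
        $foundSids[$sid.Value] = $searchResult.AdsPath
    }
}
finally
{
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}

# Compare with the accounts that are unmanaged right now.
$settingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$settings = $Context.BindToObject($settingsPath)
$currentSids = @($settings.GetUnmanagedAccounts(@()) | %{ $_.Key })

$toAdd = @($foundSids.Keys | ?{ $currentSids -notcontains $_ })
$toRemove = @()
if ($replaceCurrentlyUnmanagedAccounts) { $toRemove = @($currentSids | ?{ -not $foundSids.ContainsKey($_) }) }

$Context.LogMessage("Would add $($toAdd.Count) account(s) to the unmanaged list.", "Information")
foreach ($sid in $toAdd) { $Context.LogMessage("  + " + $foundSids[$sid], "Information") }
$Context.LogMessage("Would drop $($toRemove.Count) currently unmanaged account(s) (replace mode only).", "Information")
foreach ($sid in $toRemove) { $Context.LogMessage("  - " + $sid, "Information") }

# Edge case: an empty search result in replace mode would clear the whole list.
if ($replaceCurrentlyUnmanagedAccounts -and $foundSids.Count -eq 0)
{
    $Context.LogMessage("Search returned no users; replace mode would empty the unmanaged list.", "Warning")
}
```

Run it from the same kind of scheduled task as the main script and review the task log; accounts logged with "-" are the ones that would lose unmanaged status when the list is replaced.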
