Disenroll users affected by specific password self-service policy

Updated on: Jan 18, 2026

Password self-service

The script disenrolls users affected by a specific password self-service policy. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain will only be used to trigger execution of the scheduled task.

In the script, the $policyName variable specifies the name of the password self-service policy you need.

$policyName = "My Policy" # TODO: modify me

# Search parameters
$configurationContainerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($configurationContainerPath)
$policySearcher.Criteria = New-AdmCriteria "adm-PasswordSelfServicePolicy" -Expression {name -eq $policyName}
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$policySearcher.PageSize = 500

try
{
    # Execute search
    $policySearchResultIterator = $policySearcher.ExecuteSearch()
    $searchResults = $policySearchResultIterator.FetchAll()
   
    if ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one policy with name '$policyName'.", "Warning")
        return
    }
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Password Self-Service Policy '$policyName' does not exist.", "Error")
        return
    }
    
    $policyPath = $searchResults[0].AdsPath
}
finally
{
    # Release resources. Guard against a null iterator so that a failure in
    # ExecuteSearch() is not masked by a second error from Dispose().
    if ($policySearchResultIterator) { $policySearchResultIterator.Dispose() }
}

# Bind to the policy.
$policy = $Context.BindToObject($policyPath)

# Get all affected users.
$affectedObjectSearcher = $policy.FindAffectedUsers()
$affectedObjectSearcher.PageSize = 500
$affectedObjectSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

try
{
    $searchResultIterator = $affectedObjectSearcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()
    foreach ($searchResult in $searchResults)
    {
        # Disenroll user (only users that are currently enrolled)
        $user = $Context.BindToObject($searchResult.AdsPath)
        if ($user.IsEnrolled)
        {
            $user.DisenrollUser()
        }
    }
}
finally
{
    # Release resources. Guard against a null iterator so that a failure in
    # ExecuteSearch() is not masked by a second error from Dispose().
    if ($searchResultIterator) { $searchResultIterator.Dispose() }
}
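Disenrollment is destructive (users lose their enrollment data and must enroll again), so before running the script above it is worth knowing how many enrolled users each policy actually covers. The following audit variant is an added example, not a script from the Adaxes repository: it walks every password self-service policy in the container, counts enrolled affected users, and disenrolls them only when $dryRun is $false. It uses the same $Context, New-AdmCriteria, FindAffectedUsers, IsEnrolled and DisenrollUser calls as the script above; the $dryRun switch, the counters, and the use of the IADs Get("name") call to read the policy name are this example's own assumptions.

```powershell
# Added audit example (not from the Adaxes script repository). Uses the same
# $Context API as the script above; $dryRun and Get("name") are assumptions.
$dryRun = $true  # TODO: set to $false to actually disenroll users

$containerPath = $Context.GetWellKnownContainerPath("PasswordSelfServicePolicies")
$policySearcher = $Context.BindToObject($containerPath)
$policySearcher.Criteria = New-AdmCriteria "adm-PasswordSelfServicePolicy"  # all policies
$policySearcher.SearchScope = "ADS_SCOPE_SUBTREE"
$policySearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$policySearcher.PageSize = 500

$policyIterator = $null
try
{
    $policyIterator = $policySearcher.ExecuteSearch()
    $policies = $policyIterator.FetchAll()
}
finally
{
    if ($policyIterator) { $policyIterator.Dispose() }
}

foreach ($policyResult in $policies)
{
    $policy = $Context.BindToObject($policyResult.AdsPath)
    $policyName = $policy.Get("name")   # IADs property read (assumed available)

    $userSearcher = $policy.FindAffectedUsers()
    $userSearcher.PageSize = 500
    $userSearcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

    $enrolled = 0
    $userIterator = $null
    try
    {
        $userIterator = $userSearcher.ExecuteSearch()
        foreach ($userResult in $userIterator.FetchAll())
        {
            $user = $Context.BindToObject($userResult.AdsPath)
            if (-not $user.IsEnrolled) { continue }   # nothing to undo for this user
            $enrolled++
            if (-not $dryRun) { $user.DisenrollUser() }
        }
    }
    finally
    {
        if ($userIterator) { $userIterator.Dispose() }
    }

    $action = if ($dryRun) { "would be disenrolled" } else { "disenrolled" }
    $Context.LogMessage("Policy '$policyName': $enrolled enrolled user(s) $action.", "Information")
}
```

Run it first with $dryRun left at $true and read the per-policy counts in the task's execution log; only then switch to $false, or go back to the single-policy script above for the one policy you intend to reset.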
