
Remove non-existing objects from security role assignments

Updated on: Jan 18, 2026, Views: 2767

Security roles

The script removes non-existing objects from the assignments of all security roles. Both the role trustees and the objects that make up the activity scopes of the assignments are checked; an assignment whose trustee no longer exists, or whose activity scope is left empty, is removed. To execute the script, create a scheduled task configured for the Domain object type and add a managed domain to the Activity Scope of the task. The domain is only used to trigger execution of the scheduled task.

function FixRoleAssignments
{
    Param($rolePath)

    $role = $Context.BindToObject($rolePath)

    # Get security role assignments.
    $assignments = $role.Assignments
    for ($i = $assignments.Count - 1; $i -ge 0; $i--)
    {
        $assignment = $assignments.GetObject($i)
        
        # Check whether trustee exists.
        $trusteeSid = $assignment.Trustee
        if (-not([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid)) -and
            ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -ne $trusteeSid) -and
            ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -ne $trusteeSid))
        {
            try
            {
                # Binding fails if no object with this SID exists any more.
                $null = $Context.BindToObject("Adaxes://<SID=$trusteeSid>")
            }
            catch
            {
                # Trustee is gone: drop the whole assignment.
                $assignments.Remove($assignment)
                continue
            }
        }
        
        # Check activity scope items.
        $activityScopeItems = $assignment.ActivityScopeItems

        for ($j = $activityScopeItems.Count - 1; $j -ge 0; $j--)
        {
            $item = $activityScopeItems.GetObject($j)
            if (($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") -and
                ($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION") -and 
                ($item.BaseObject -eq $NULL))
            {
                $activityScopeItems.Remove($item)
            }
        }

        if ($activityScopeItems.Count -eq 0)
        {
            # No scope items left: the assignment no longer applies anywhere.
            $assignments.Remove($assignment)
        }
    }
}

# Search all security roles.
$configurationContainerPath = $Context.GetWellKnownContainerPath("AccessControlRoles")
$configurationContainer = $Context.BindToObject($configurationContainerPath)
$configurationContainer.SearchFilter = "(objectCategory=adm-Role)"
$configurationContainer.PageSize = 500
$configurationContainer.SearchScope = "ADS_SCOPE_SUBTREE"
$configurationContainer.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$searchResultIterator = $NULL
try
{
    # Execute search
    $searchResultIterator = $configurationContainer.ExecuteSearch()
    $roles = $searchResultIterator.FetchAll()

    foreach ($roleResult in $roles)
    {
        # Check assignments and trustees.
        FixRoleAssignments $roleResult.AdsPath
    }
}
finally
{
    # Release resources (the iterator is $NULL if ExecuteSearch failed).
    if ($searchResultIterator -ne $NULL)
    {
        $searchResultIterator.Dispose()
    }
}
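An audit-only variant, added here as an example and not part of the repository script: it logs the orphaned trustees and scope items that FixRoleAssignments would remove, so the cleanup can be reviewed in the task's execution log before the removing version is scheduled. It assumes the same $Context scripting object, that $Context.LogMessage is available as in other Adaxes scripts, and that the role name can be read with $role.Get("name").

```powershell
# Added audit-only variant (not the repository script): reports orphaned
# trustees and scope items instead of removing them, so the effect of the
# cleanup can be reviewed in the scheduled task's execution log first.
# Assumes the same Adaxes scripting context ($Context) as the script above.
function ReportOrphanedAssignments
{
    Param($rolePath)
    $role = $Context.BindToObject($rolePath)
    $roleName = $role.Get("name")
    $assignments = $role.Assignments
    for ($i = 0; $i -lt $assignments.Count; $i++)
    {
        $assignment = $assignments.GetObject($i)
        $trusteeSid = $assignment.Trustee
        # Well-known and pseudo SIDs (Owner, Manager, ...) never resolve to an object.
        $isSpecial = [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trusteeSid) -or
            ([Softerra.Adaxes.Adsi.Sid]::PrimaryOwnerSid -eq $trusteeSid) -or
            ([Softerra.Adaxes.Adsi.Sid]::ManagerSid -eq $trusteeSid) -or
            ([Softerra.Adaxes.Adsi.Sid]::SecretarySid -eq $trusteeSid) -or
            ([Softerra.Adaxes.Adsi.Sid]::AssistantSid -eq $trusteeSid)
        if (-not $isSpecial)
        {
            try { $null = $Context.BindToObject("Adaxes://<SID=$trusteeSid>") }
            catch
            {
                $Context.LogMessage("Role '$roleName': trustee $trusteeSid no longer exists; the assignment would be removed.", "Warning")
                continue
            }
        }
        # A scope item whose base object is gone points at a deleted container.
        $orphaned = 0
        $items = $assignment.ActivityScopeItems
        for ($j = 0; $j -lt $items.Count; $j++)
        {
            $item = $items.GetObject($j)
            if (($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY") -and
                ($item.Type -ne "ADM_SCOPEBASEOBJECTTYPE_CONFIGURATION") -and
                ($item.BaseObject -eq $NULL))
            {
                $orphaned++
            }
        }
        if ($orphaned -gt 0)
        {
            $Context.LogMessage("Role '$roleName': $orphaned of $($items.Count) scope item(s) for trustee $trusteeSid reference deleted objects.", "Warning")
        }
    }
}
```

Call ReportOrphanedAssignments in place of FixRoleAssignments in the role search loop above to produce the report without changing any role.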

Comments 2


  • Mark Monaco

    I am unable to locate the "Domain-DNS" object type even when "Show all object types" is selected. I would like to get this script implemented under our Adaxes 2023.2 install.

    • Support

      Hello Mark,

      Sorry for the confusion, the Domain-DNS object type is no longer present. You need to use the Domain object type. We updated the script description accordingly.
