Controlling Unmanaged Users in Softerra Adaxes
At times our customers want some of their Active Directory user accounts to be ignored by Adaxes service so that customers would not have to license these accounts. Most often those accounts do not represent real people or computer objects, but rather are for service accounts that run background processes or various unattended tasks.
It is not a widely known fact that this functionality is already present in Adaxes. The problem with this feature is, however, that it is rather hidden and there is no convenient user interface or command line tool to control the accounts to be excluded from being managed by Adaxes.
Following the constant demand on tooling to control Adaxes unmanaged accounts from our customers, we have written a set of PowerShell scripts that simplify everyday administrators' life by offering simple yet powerful command line interface for batch adding or removing accounts to be excluded from the management.
Go grab our Adaxes contribution repository on GitHub or Bitbucket. Copy these files to a convenient place (e.g. C:\Systola) on your management computer. Make sure Adaxes PowerShell module is installed.
Viewing unmanaged users is easy:
PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1 DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab Name : Redis Database ObjectGUID : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887 SID : S-1-5-21-3484999034-4104884900-4815162342-3640 UserPrincipalName : firstname.lastname@example.org
You can extend the set of attributes to query with help of Properties parameter:
PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1 -Properties canonicalName,samAccountName CanonicalName : local.lab/Services/WebFarm/Redis Database DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab Name : Redis Database ObjectGUID : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887 SID : S-1-5-21-3484999034-4104884900-4815162342-3640 UserPrincipalName : email@example.com
The -AsMicrosoft switch translates output to a standard Microsoft PowerShell Object (Microsoft.ActiveDirectory.Management.ADUser) so that you can forward it further to an ActiveDirectory cmdlet of your choice.
To add a single user to the ignore-list use the following syntax:
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -User db.redis
The real power, though, lies in the ability to batch add users. You can, for example, add group members:
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Recursive
By default only direct members of the group are added. If you want to add indirect members (i.e. members of nested groups), add -Recursive switch.
You can also add members of an organizational unit using one of its identifiers, i.e. GUID or DN:
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab' -Subtree
Similarly to working with groups, only direct children of the organizational unit are added by default. If you want to add subtree children (i.e. children of nested OUs) you have to use the Subtree switch.
If groups and organizational units functionality in not enough for your needs you can forward your custom output to the script via pipeline:
PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Add-AdmUnmanagedAccount.ps1
Note that each of the use-cases described above support a replace mode. If you use Replace switch, the script will replace currently excluded users with the new ones:
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Replace
Removing users work the same way as adding them. You can remove users individually, using a security group name or by an organizational unit identifier:
PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -User db.redis PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -OrganizationalUnit OU=WebFarm,OU=Services,DC=local,DC=lab'
Removing via pipeline input is supported as well:
PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Remove-AdmUnmanagedAccount.ps1
To remove all unmanaged users use Clear-AdmUnmanagedAccount.ps1:
PS C:\Systola> Clear-AdmUnmanagedAccount.ps1
For your convenience you can create a periodic task using either Adaxes or Windows scheduler, so that the script is executed periodically with a parameter such as, for example, a security group. Having done that you only have to add or remove your users in question to/from the security group and the scheduled task will update Adaxes configuration automatically:
Add-AdmUnmanagedAccount.ps1 -Group 'Adaxes Unmanaged Accounts' -Replace
If have questions or suggestions - let us know. We also accept pull requests to our contribution repository if you have something to share.