Your questions answered

Controlling Unmanaged Users in Softerra Adaxes

Overview

At times our customers want some of their Active Directory user accounts to be ignored by the Adaxes service so that they do not have to license these accounts. Most often those accounts do not represent real people or computer objects, but rather are service accounts that run background processes or various unattended tasks.

It is not a widely known fact that this functionality is already present in Adaxes. The problem with this feature is, however, that it is rather hidden and there is no convenient user interface or command line tool to control the accounts to be excluded from being managed by Adaxes.

Following constant demand from our customers for tooling to control Adaxes' unmanaged accounts, we have written a set of PowerShell scripts that simplify administrators' everyday work by offering a simple yet powerful command line interface for batch adding or removing accounts to be excluded from management.


Installation

Go grab our Adaxes contribution repository on GitHub or Bitbucket. Copy the files to a convenient place (e.g. C:\Systola) on your management computer. Make sure the Adaxes PowerShell module is installed.

Done!


View unmanaged users

Viewing unmanaged users is easy:

PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1
DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab
Name              : Redis Database
ObjectGUID        : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887
SID               : S-1-5-21-3484999034-4104884900-4815162342-3640
UserPrincipalName : db.redis@local.lab

You can extend the set of attributes to query with the help of the -Properties parameter:

PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1 -Properties canonicalName,samAccountName
CanonicalName     : local.lab/Services/WebFarm/Redis Database
DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab
Name              : Redis Database
ObjectGUID        : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887
SID               : S-1-5-21-3484999034-4104884900-4815162342-3640
UserPrincipalName : db.redis@local.lab

The -AsMicrosoft switch translates output to a standard Microsoft PowerShell Object (Microsoft.ActiveDirectory.Management.ADUser) so that you can forward it further to an ActiveDirectory cmdlet of your choice.
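Accounts that Adaxes ignores are also outside whatever it enforces, so the list is worth reviewing now and then. The following is an added example (not part of the Systola scripts) that uses the -AsMicrosoft output to flag excluded accounts that sit in privileged groups or have old passwords; it assumes the script is in the current directory, the ActiveDirectory module is loaded, and the group names in $privilegedGroups match your domain.

```powershell
# Added review example, not from the Systola repository.
# Assumptions: Get-AdmUnmanagedAccount.ps1 is in the current directory and the
# ActiveDirectory module is available; adjust the group names to your domain.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'

$findings = .\Get-AdmUnmanagedAccount.ps1 -AsMicrosoft |
    Get-ADUser -Properties memberOf, lastLogonDate, passwordLastSet |
    ForEach-Object {
        # Resolve group DNs to names so they can be compared with the list above.
        $groups     = $_.memberOf | ForEach-Object { (Get-ADGroup $_).Name }
        $privileged = $groups | Where-Object { $privilegedGroups -contains $_ }

        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Enabled          = $_.Enabled
            PrivilegedGroups = ($privileged -join ', ')
            LastLogonDate    = $_.LastLogonDate
            PasswordAgeDays  = if ($_.PasswordLastSet) {
                                   [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays
                               } else { $null }
        }
    }

# Excluded accounts that are privileged or carry a stale password deserve a second look.
$findings |
    Where-Object { $_.PrivilegedGroups -or $_.PasswordAgeDays -gt 365 } |
    Format-Table -AutoSize
```

Drop the final Where-Object filter to see the whole exclusion list with the same columns.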


Adding unmanaged users

To add a single user to the ignore-list use the following syntax:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -User db.redis

The real power, though, lies in the ability to batch add users. You can, for example, add group members:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Recursive

By default only direct members of the group are added. If you want to add indirect members (i.e. members of nested groups), add the -Recursive switch.

You can also add members of an organizational unit using one of its identifiers (GUID or DN):

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab' -Subtree

Similarly to working with groups, only direct children of the organizational unit are added by default. If you want to add subtree children (i.e. children of nested OUs), use the -Subtree switch.

If the group and organizational unit functionality is not enough for your needs, you can forward your custom output to the script via the pipeline:

PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Add-AdmUnmanagedAccount.ps1

Note that each of the use cases described above supports a replace mode. If you use the -Replace switch, the script will replace the currently excluded users with the new ones:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Replace

Removing unmanaged users

Removing users works the same way as adding them. You can remove users individually, by security group name or by organizational unit identifier:

PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -User db.redis
PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts'
PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab'

Removing via pipeline input is supported as well:

PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Remove-AdmUnmanagedAccount.ps1

To remove all unmanaged users use Clear-AdmUnmanagedAccount.ps1:

PS C:\Systola> .\Clear-AdmUnmanagedAccount.ps1

Automating unmanaged users' management

For your convenience you can create a periodic task using either the Adaxes scheduler or Windows Task Scheduler, so that the script is executed periodically with a parameter such as a security group. Having done that, you only have to add or remove the users in question to/from the security group and the scheduled task will update the Adaxes configuration automatically:

Add-AdmUnmanagedAccount.ps1 -Group 'Adaxes Unmanaged Accounts' -Replace
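One way to set up the Windows scheduled task described above, as an added example that is not part of the Systola scripts: it assumes the scripts live in C:\Systola, that the task runs under a dedicated account (placeholder LOCAL.LAB\svc-adaxes-sync) holding the Adaxes rights the script needs, and that the ScheduledTasks module (Windows 8 / Server 2012 or later) is available. Each run is transcribed to a log file so changes to the exclusion list leave a record.

```powershell
# Added example, not from the Systola repository.
# Assumptions: scripts are in C:\Systola; LOCAL.LAB\svc-adaxes-sync is a
# placeholder for a dedicated, least-privileged task account that can run
# Add-AdmUnmanagedAccount.ps1; the ScheduledTasks module is present.
$scriptPath = 'C:\Systola\Add-AdmUnmanagedAccount.ps1'
$logPath    = 'C:\Systola\Logs\unmanaged-sync.log'
$groupName  = 'Adaxes Unmanaged Accounts'

# Run the script non-interactively and transcript its output for later review.
$command = "Start-Transcript -Path '$logPath' -Append; " +
           "& '$scriptPath' -Group '$groupName' -Replace; " +
           "Stop-Transcript"

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command `"$command`""

$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# Prompt for the task account's password instead of embedding it in a script.
$cred = Get-Credential -UserName 'LOCAL.LAB\svc-adaxes-sync' -Message 'Task account'

Register-ScheduledTask -TaskName 'Adaxes - Sync Unmanaged Accounts' `
    -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited `
    -Description "Replaces the Adaxes unmanaged account list with members of '$groupName'."
```

Because the task uses -Replace, membership of the security group alone decides which accounts stay excluded after each run.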

If you have questions or suggestions, let us know. We also accept pull requests to our contribution repository if you have something to share.

Kirill Kovalenko @ 11.11.2014
