SYSTOLA
Exclude users from management by Softerra Adaxes
Kirill Kovalenko @ 11.11.2014
Overview

Sometimes our customers want to have some of their Active Directory user accounts ignored by the Adaxes service so that they do not have to purchase licences for these accounts. Most of these accounts do not represent real people or computer objects, but are service accounts for background processes or other unmonitored tasks.

It is not widely known that Adaxes has such functionality. The problem with this feature is that it is well hidden: there is no convenient user interface or command line tool to specify which accounts should be excluded from management by Adaxes.

We have responded to customer demand for tools to control accounts not managed in Adaxes by creating a set of PowerShell scripts. These scripts provide a simple yet powerful command line interface to add and remove accounts from the Adaxes ignore list in batch mode, simplifying the administrator's daily routine.


Installation

Get our Adaxes Contribution Repository from GitHub and copy the files to a local location (e.g. C:\Systola) on your management computer. You also need to have the Adaxes PowerShell module installed for the rest of the steps.

Done!


Show unmanaged users

This way you can easily display the unmanaged users:

PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1
DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab
Name              : Redis Database
ObjectGUID        : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887
SID               : S-1-5-21-3484999034-4104884900-4815162342-3640
UserPrincipalName : db.redis@local.lab
You can use the "-Properties" parameter to define the attributes to be queried:

PS C:\Systola> .\Get-AdmUnmanagedAccount.ps1 -Properties canonicalName,samAccountName
CanonicalName     : local.lab/Services/WebFarm/Redis Database
DistinguishedName : CN=Redis Database,OU=WebFarm,OU=Services,DC=local,DC=lab
Name              : Redis Database
ObjectGUID        : 3c4a0c4b-c5fb-420d-adf5-a64f28a1a887
SID               : S-1-5-21-3484999034-4104884900-4815162342-3640
UserPrincipalName : db.redis@local.lab

The switch "-AsMicrosoft" transforms the output into a Microsoft PowerShell object (Microsoft.ActiveDirectory.Management.ADUser), which can be passed to any ActiveDirectory cmdlet.
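Because the accounts on the ignore list are exactly the ones Adaxes does not manage, it is worth reviewing that list periodically rather than only displaying it. The following script is an added example and is not one of the scripts in the Contribution Repository. It uses the "-AsMicrosoft" switch described above to hand the unmanaged accounts to the ActiveDirectory cmdlets and flags those that are members of a privileged group (nested membership included, via the LDAP_MATCHING_RULE_IN_CHAIN filter) or that are enabled but have not logged on for a while. The script path C:\Systola, the list of privileged group names and the 90-day threshold are assumptions; adjust them to your domain.

```powershell
# Added example (not part of the Systola scripts): review the Adaxes ignore list.
# Assumptions: the scripts are in C:\Systola and the ActiveDirectory module is available.
Import-Module ActiveDirectory

$scriptDir        = 'C:\Systola'                                    # assumed install location
$privilegedGroups = @('Domain Admins', 'Enterprise Admins',         # assumed list; adjust to your domain
                      'Administrators', 'Account Operators', 'Schema Admins')
$dormantDays      = 90                                              # assumed threshold
$cutoff           = (Get-Date).AddDays(-$dormantDays)

# Get-AdmUnmanagedAccount.ps1 -AsMicrosoft returns ADUser objects, so they can be
# fed straight into Get-ADUser to fetch the attributes needed for the checks.
& "$scriptDir\Get-AdmUnmanagedAccount.ps1" -AsMicrosoft | ForEach-Object {
    $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties lastLogonDate, passwordNeverExpires

    # All groups the account belongs to, directly or through nested groups.
    # 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN OID.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    $privileged = @($groups | Where-Object { $privilegedGroups -contains $_ })

    # Enabled account that never logged on, or not within the threshold.
    $dormant = $u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)

    $finding = if ($privileged.Count -gt 0) { 'member of privileged group, yet unmanaged' }
               elseif ($dormant)            { "enabled but no logon in $dormantDays days" }
               else                         { '' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        LastLogonDate        = $u.LastLogonDate
        PasswordNeverExpires = $u.PasswordNeverExpires
        PrivilegedGroups     = ($privileged -join ', ')
        Finding              = $finding
    }
} | Where-Object { $_.Finding } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the management computer; only accounts with a finding are printed, so an empty result means the ignore list contains nothing that needs attention under these two rules.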


Add unmanaged users

Use the following syntax to add a single user to the Ignore list:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -User db.redis
Much more interesting is the possibility to add users in batch mode. For example, you can have all members of a group added:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Recursive

By default, only direct members of the group are added. If you also want to add indirect members (i.e., members of nested groups), use the "-Recursive" switch.

You can also include all members of an organisational unit (OU) by their GUID or DN:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit `
               'OU=WebFarm,OU=Services,DC=local,DC=lab'
PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -OrganizationalUnit `
               'OU=WebFarm,OU=Services,DC=local,DC=lab' -Subtree
Just as when working with groups, only directly subordinate elements of the organisational unit are added. If you want to add a complete substructure (i.e. also the children of nested OUs), use the "-Subtree" switch.

If groups and organisational units do not give you enough flexibility, you can also pipe any list of users into the script:

PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Add-AdmUnmanagedAccount.ps1

Note: All of the functions described above support a replace mode. If you use the "-Replace" switch, the new users are not added to the existing list of unmanaged users; instead, the existing list is replaced by them:

PS C:\Systola> .\Add-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts' -Replace


Remove unmanaged users

Removing users works in the same way as adding them. You can remove users individually, by security group name or by organisational unit identifier:

PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -User db.redis
PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -Group 'Database Service Accounts'
PS C:\Systola> .\Remove-AdmUnmanagedAccount.ps1 -OrganizationalUnit 'OU=WebFarm,OU=Services,DC=local,DC=lab'

Removal via pipeline input is also supported:

PS C:\Systola> Get-ADUser -LdapFilter '(userPrincipalName=www.*)' | .\Remove-AdmUnmanagedAccount.ps1
If you want to remove all unmanaged users, use Clear-AdmUnmanagedAccount.ps1:

PS C:\Systola> .\Clear-AdmUnmanagedAccount.ps1


Automate the work with unmanaged users

You can simplify your work by using the Adaxes or Windows scheduler to run the script periodically with a parameter such as the name of a security group. Then all you have to do is add or remove the users in question from the security group, and the scheduled task will automatically update the Adaxes configuration:

Add-AdmUnmanagedAccount.ps1 -Group 'Adaxes Unmanaged Accounts' -Replace
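Since the scheduled "-Replace" call overwrites the whole ignore list with the group's current members, a change to the group silently changes which accounts Adaxes manages. The following wrapper is an added example, not one of the Systola scripts: it computes the difference between the group's direct members (the same set the scheduled command above uses, as it has no "-Recursive") and the accounts Adaxes currently ignores, writes every addition and removal to a log file, and only then calls Add-AdmUnmanagedAccount.ps1 with "-Replace". With "-WhatIf" it logs the pending changes without touching Adaxes, which is useful before scheduling it. The script directory C:\Systola, the log path and the group name are assumptions.

```powershell
# Added example (not part of the Systola scripts): log the changes a scheduled
# "-Replace" run will make to the Adaxes ignore list before applying them.
# Assumptions: scripts in C:\Systola, ActiveDirectory module available,
# group 'Adaxes Unmanaged Accounts' as in the article, log path below.
param(
    [string]$Group   = 'Adaxes Unmanaged Accounts',           # assumed group name
    [string]$LogPath = 'C:\Systola\unmanaged-changes.log',    # assumed log location
    [switch]$WhatIf                                           # preview only, do not call -Replace
)
Import-Module ActiveDirectory
$scriptDir = 'C:\Systola'                                     # assumed install location
$stamp     = Get-Date -Format s

# Desired state: SIDs of the group's direct user members.
# @( ) keeps an empty result as an empty array rather than $null.
$desired = @(Get-ADGroupMember -Identity $Group |
             Where-Object { $_.objectClass -eq 'user' } |
             ForEach-Object { $_.SID.Value })

# Current state: SIDs of the accounts Adaxes already ignores.
$current = @(& "$scriptDir\Get-AdmUnmanagedAccount.ps1" -AsMicrosoft |
             ForEach-Object { $_.SID.Value })

# '=>' means the SID is only in $desired (will be added to the ignore list),
# '<=' means it is only in $current (will be removed from it).
$diff = Compare-Object -ReferenceObject $current -DifferenceObject $desired
if (-not $diff) {
    "$stamp no change: ignore list already matches group '$Group'" | Add-Content -Path $LogPath
    return
}

foreach ($d in $diff) {
    $action = if ($d.SideIndicator -eq '=>') { 'ADD   ' } else { 'REMOVE' }
    $name   = try { (Get-ADUser -Identity $d.InputObject).SamAccountName } catch { '<unresolved>' }
    "$stamp $action $name ($($d.InputObject))" | Add-Content -Path $LogPath
}

if ($WhatIf) {
    "$stamp preview only, Adaxes configuration not changed" | Add-Content -Path $LogPath
    return
}

# Apply the change exactly as the scheduled command in the article does.
& "$scriptDir\Add-AdmUnmanagedAccount.ps1" -Group $Group -Replace
"$stamp ignore list replaced with members of '$Group'" | Add-Content -Path $LogPath
```

Schedule this wrapper instead of the bare command, and the log becomes a record of when each account left or entered Adaxes management and why (the group changed), which is the question a later review of the ignore list usually asks.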
Let us know if you have any questions or suggestions. We also accept pull requests to our Contribution Repository if you would like to contribute.