Link to home
Start Free TrialLog in
Avatar of carbonbase
carbonbaseFlag for United Kingdom of Great Britain and Northern Ireland

asked on

query user in trusting domain

Hi I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.

My computer is in one domain but I am trying to run the query against users in a trusting domain.  

Import-Module ActiveDirectory
Function Get-OSCSamAccountName
{
<#
 	.SYNOPSIS
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .DESCRIPTION
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .PARAMETER  CsvFilePath
		Specifies the path you want to import csv files.
    .EXAMPLE
        C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv

		This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}

Open in new window



When I run the above script with without the "-Server" parameter for Get-ADUser It works fine but only searches the domain my PC is in.

$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName

Open in new window



I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search: 

$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName

Open in new window


 However when I add the "-Server" parameter I get the following error:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
Is it a 2 way or 1 way trust? If a 1 way, which direction? Do you have a secondary zone with zone transfers enabled?

It looks like its giving an error because it cannot find mydomain.com.

can you ping mydomain.com?
Avatar of Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz
Flag of Spain image
Although you have two way trust between domains, commands on powershell crossing domains simply not work.
You must to delegate on another computer to let run commands from domain a to domain b. Here you can find more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
Avatar of carbonbase
carbonbase
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

its a one way trust with the domain my PC is in being trusted by the domain I'm trying to query.  I can't ping the trusting Domain from my PC (think ICMP is being blocked by our firewall for our desktop subnet) but I can ping the Domain from a server.  

I have run the script from a member server (after installing the RSAT Powershell AD module) but I now get the following error:

Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1:56 char:35
+                 $SamAccountName = Get-ADUser -Server mydomain.com -Filter{  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
With your setup, you will need credentials from the other domain, can you login to a server on that domain and run the script?
Avatar of carbonbase
carbonbase
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

Ideally I'd like to run the script from a server in my domain so I don't have to setup the powershell bits on on a server in the other domain.  Is it possible to pass the credentials in the script?
Avatar of carbonbase
carbonbase
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

Ok I just need to add the -Credential parameter to Get-ADUser.  Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
You can use this but it is not safe to keep your password in plain text file.

[object] $objCred = $null
[string] $strUser = 'domain\userID'
[System.Security.SecureString] $strPass = '' 

$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

Open in new window


then pass you credentials like

Get-ADUser -credential $objCred

Open in new window

Avatar of carbonbase
carbonbase
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

I'm now getting the following error:

Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
You are aware that your script above is a function?
ASKER CERTIFIED SOLUTION
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of carbonbase
carbonbase
Flag of United Kingdom of Great Britain and Northern Ireland image

ASKER

Hi sorry for not getting back sooner, that worked thanks very much!  Still not thrilled about putting my password in a script in clear text.  Fortunately I can use Get-Credential as I intend to run this script manually e.g.

 $MyCredentials = Get-Credential

$objCred = New-Object -TypName System.Management.Automation.PSCredential -ArgumentList ($MyCredentials)
Avatar of Joshua Grantom
Joshua Grantom
Flag of United States of America image
Another thing you could do is Run powershell as the other domain user and then you will not be prompted for credentials.

Shift+Right Click Powershell icon > Run as different user, then put in other domain creds

OTHERDOMAIN\Username
Password