Solved

query user in trusting domain

Posted on 2014-10-28
12
854 Views
Last Modified: 2014-11-06
Hi I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.

My computer is in one domain but I am trying to run the query against users in a trusting domain.  

Import-Module ActiveDirectory
Function Get-OSCSamAccountName
{
<#
 	.SYNOPSIS
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .DESCRIPTION
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .PARAMETER  CsvFilePath
		Specifies the path you want to import csv files.
    .EXAMPLE
        C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv

		This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}

Open in new window



When I run the above script with without the "-Server" parameter for Get-ADUser It works fine but only searches the domain my PC is in.

$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window



I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search:

$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window


 However when I add the "-Server" parameter I get the following error:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
0
Comment
Question by:carbonbase
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408443
Is it a 2 way or 1 way trust? If a 1 way, which direction? Do you have a secondary zone with zone transfers enabled?

It looks like its giving an error because it cannot find mydomain.com.

can you ping mydomain.com?
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40408531
Although you have two way trust between domains, commands on powershell crossing domains simply not work.
You must to delegate on another computer to let run commands from domain a to domain b. Here you can find more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
0
 

Author Comment

by:carbonbase
ID: 40408729
its a one way trust with the domain my PC is in being trusted by the domain I'm trying to query.  I can't ping the trusting Domain from my PC (think ICMP is being blocked by our firewall for our desktop subnet) but I can ping the Domain from a server.  

I have run the script from a member server (after installing the RSAT Powershell AD module) but I now get the following error:

Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1:56 char:35
+                 $SamAccountName = Get-ADUser -Server mydomain.com -Filter{  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408745
With your setup, you will need credentials from the other domain, can you login to a server on that domain and run the script?
0
 

Author Comment

by:carbonbase
ID: 40408785
Ideally I'd like to run the script from a server in my domain so I don't have to setup the powershell bits on on a server in the other domain.  Is it possible to pass the credentials in the script?
0
 

Author Comment

by:carbonbase
ID: 40408834
Ok I just need to add the -Credential parameter to Get-ADUser.  Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408854
You can use this but it is not safe to keep your password in plain text file.

[object] $objCred = $null
[string] $strUser = 'domain\userID'
[System.Security.SecureString] $strPass = '' 

$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

Open in new window


then pass you credentials like

Get-ADUser -credential $objCred

Open in new window

0
 

Author Comment

by:carbonbase
ID: 40412893
I'm now getting the following error:

Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40413151
You are aware that your script above is a function?
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40413160
Try this instead, It is not in a function anymore.

Import-Module ActiveDirectory

[object] $objCred = $null
[string] $strUser = 'YOURDOMAIN\YOURUSERNAME'
[System.Security.SecureString] $strPass = '' 


$strPass = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

#Change to your list of Users
$CsvFilePath = "C:\UserList.csv"

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} -Credential $objCred |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }

Open in new window

0
 

Author Closing Comment

by:carbonbase
ID: 40425854
Hi sorry for not getting back sooner, that worked thanks very much!  Still not thrilled about putting my password in a script in clear text.  Fortunately I can use Get-Credential as I intend to run this script manually e.g.

 $MyCredentials = Get-Credential

$objCred = New-Object -TypName System.Management.Automation.PSCredential -ArgumentList ($MyCredentials)
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40426199
Another thing you could do is Run powershell as the other domain user and then you will not be prompted for credentials.

Shift+Right Click Powershell icon > Run as different user, then put in other domain creds

OTHERDOMAIN\Username
Password
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question