query user in trusting domain

Hi I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.

My computer is in one domain but I am trying to run the query against users in a trusting domain.  

Import-Module ActiveDirectory
Function Get-OSCSamAccountName
{
<#
 	.SYNOPSIS
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .DESCRIPTION
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .PARAMETER  CsvFilePath
		Specifies the path you want to import csv files.
    .EXAMPLE
        C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv

		This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}

Open in new window



When I run the above script with without the "-Server" parameter for Get-ADUser It works fine but only searches the domain my PC is in.

$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window



I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search:

$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window


 However when I add the "-Server" parameter I get the following error:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
carbonbaseAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joshua GrantomSenior Systems AdministratorCommented:
Is it a 2 way or 1 way trust? If a 1 way, which direction? Do you have a secondary zone with zone transfers enabled?

It looks like its giving an error because it cannot find mydomain.com.

can you ping mydomain.com?
0
Miguel Angel Perez MuñozCommented:
Although you have two way trust between domains, commands on powershell crossing domains simply not work.
You must to delegate on another computer to let run commands from domain a to domain b. Here you can find more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
0
carbonbaseAuthor Commented:
its a one way trust with the domain my PC is in being trusted by the domain I'm trying to query.  I can't ping the trusting Domain from my PC (think ICMP is being blocked by our firewall for our desktop subnet) but I can ping the Domain from a server.  

I have run the script from a member server (after installing the RSAT Powershell AD module) but I now get the following error:

Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1:56 char:35
+                 $SamAccountName = Get-ADUser -Server mydomain.com -Filter{  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Joshua GrantomSenior Systems AdministratorCommented:
With your setup, you will need credentials from the other domain, can you login to a server on that domain and run the script?
0
carbonbaseAuthor Commented:
Ideally I'd like to run the script from a server in my domain so I don't have to setup the powershell bits on on a server in the other domain.  Is it possible to pass the credentials in the script?
0
carbonbaseAuthor Commented:
Ok I just need to add the -Credential parameter to Get-ADUser.  Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
0
Joshua GrantomSenior Systems AdministratorCommented:
You can use this but it is not safe to keep your password in plain text file.

[object] $objCred = $null
[string] $strUser = 'domain\userID'
[System.Security.SecureString] $strPass = '' 

$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

Open in new window


then pass you credentials like

Get-ADUser -credential $objCred

Open in new window

0
carbonbaseAuthor Commented:
I'm now getting the following error:

Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
0
Joshua GrantomSenior Systems AdministratorCommented:
You are aware that your script above is a function?
0
Joshua GrantomSenior Systems AdministratorCommented:
Try this instead, It is not in a function anymore.

Import-Module ActiveDirectory

[object] $objCred = $null
[string] $strUser = 'YOURDOMAIN\YOURUSERNAME'
[System.Security.SecureString] $strPass = '' 


$strPass = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

#Change to your list of Users
$CsvFilePath = "C:\UserList.csv"

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} -Credential $objCred |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
carbonbaseAuthor Commented:
Hi sorry for not getting back sooner, that worked thanks very much!  Still not thrilled about putting my password in a script in clear text.  Fortunately I can use Get-Credential as I intend to run this script manually e.g.

 $MyCredentials = Get-Credential

$objCred = New-Object -TypName System.Management.Automation.PSCredential -ArgumentList ($MyCredentials)
0
Joshua GrantomSenior Systems AdministratorCommented:
Another thing you could do is Run powershell as the other domain user and then you will not be prompted for credentials.

Shift+Right Click Powershell icon > Run as different user, then put in other domain creds

OTHERDOMAIN\Username
Password
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.