Solved

query user in trusting domain

Posted on 2014-10-28
Last Modified: 2014-11-06
Hi, I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.

My computer is in one domain but I am trying to run the query against users in a trusting domain.  

Import-Module ActiveDirectory
Function Get-OSCSamAccountName
{
<#
 	.SYNOPSIS
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .DESCRIPTION
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .PARAMETER  CsvFilePath
		Specifies the path you want to import csv files.
    .EXAMPLE
        C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv

		This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}

When I run the above script without the "-Server" parameter for Get-ADUser it works fine, but it only searches the domain my PC is in.

$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search:

$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

However, when I add the "-Server" parameter I get the following error:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
Question by:carbonbase
12 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408443
Is it a two-way or one-way trust? If one-way, which direction? Do you have a secondary zone with zone transfers enabled?

It looks like it's giving an error because it cannot find mydomain.com.

Can you ping mydomain.com?
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40408531
Although you have a two-way trust between domains, PowerShell commands crossing domains simply do not work.
You must delegate to another computer to run commands from domain A against domain B. Here you can find a more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
0
 

Author Comment

by:carbonbase
ID: 40408729
It's a one-way trust, with the domain my PC is in being trusted by the domain I'm trying to query. I can't ping the trusting domain from my PC (I think ICMP is being blocked by our firewall for our desktop subnet), but I can ping the domain from a server.

I have run the script from a member server (after installing the RSAT PowerShell AD module), but I now get the following error:

Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1:56 char:35
+                 $SamAccountName = Get-ADUser -Server mydomain.com -Filter{  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408745
With your setup, you will need credentials from the other domain. Can you log in to a server on that domain and run the script?
0
 

Author Comment

by:carbonbase
ID: 40408785
Ideally I'd like to run the script from a server in my domain so I don't have to set up the PowerShell bits on a server in the other domain. Is it possible to pass the credentials in the script?
0
 

Author Comment

by:carbonbase
ID: 40408834
OK, I just need to add the -Credential parameter to Get-ADUser. Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408854
You can use this, but it is not safe to keep your password in a plain text file.

[object] $objCred = $null
[string] $strUser = 'domain\userID'
# Initialise with $null: assigning '' to a [SecureString]-typed variable fails, because a String cannot be converted to a SecureString
[System.Security.SecureString] $strPass = $null

$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

Then pass your credentials like:

Get-ADUser -Credential $objCred
0
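A way to keep the password out of the script text entirely, added here as an example and not part of the comment above: Export-Clixml stores the SecureString inside the PSCredential protected by Windows DPAPI, so the file can only be decrypted by the same user account on the same machine that wrote it, and Import-Clixml gives the PSCredential back without a prompt on later runs. The file path and the identity check at the end are assumptions for the example; mydomain.com is the server name from the thread.

```powershell
# Added example: persist the trusting-domain credential DPAPI-protected instead of in plain text.
# Assumed path; any location only the intended user can read will do.
$CredPath = Join-Path $env:USERPROFILE 'otherdomain-cred.xml'

# One-time setup: prompt once, then write the PSCredential out.
# Export-Clixml encrypts the SecureString with DPAPI bound to this user and this machine.
if (-not (Test-Path -Path $CredPath)) {
    Get-Credential -Message 'Account in the trusting domain (OTHERDOMAIN\user)' |
        Export-Clixml -Path $CredPath
}

# Every later run: load it silently. Decryption fails for any other user or machine,
# which is exactly the property you want for a secret kept on disk.
try {
    $objCred = Import-Clixml -Path $CredPath
}
catch {
    throw "Could not decrypt '$CredPath' as the current user on this machine: $($_.Exception.Message)"
}

# Sanity check before the CSV loop (assumed): look up the account itself in the
# trusting domain. An SSPI/authentication failure shows up here, once, not per row.
$SamOnly = $objCred.UserName.Split('\')[-1]
Get-ADUser -Server mydomain.com -Credential $objCred -Identity $SamOnly |
    Select-Object -ExpandProperty SamAccountName
```

Run the one-time setup interactively as the account that will later run the script unattended (a scheduled task runs as that account), otherwise Import-Clixml cannot decrypt the file. Deleting the XML file revokes the stored credential.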
 

Author Comment

by:carbonbase
ID: 40412893
I'm now getting the following error:

Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40413151
You are aware that your script above is a function?
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 1500 total points
ID: 40413160
Try this instead; it is not in a function anymore.

Import-Module ActiveDirectory

[object] $objCred = $null
[string] $strUser = 'YOURDOMAIN\YOURUSERNAME'
# Initialise with $null: assigning '' to a [SecureString]-typed variable throws a String-to-SecureString conversion error
[System.Security.SecureString] $strPass = $null


$strPass = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

#Change to your list of Users
$CsvFilePath = "C:\UserList.csv"

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} -Credential $objCred |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }

0
 

Author Closing Comment

by:carbonbase
ID: 40425854
Hi, sorry for not getting back sooner; that worked, thanks very much! Still not thrilled about putting my password in a script in clear text. Fortunately I can use Get-Credential as I intend to run this script manually, e.g.

$MyCredentials = Get-Credential

# Get-Credential already returns a PSCredential, so it is passed to -Credential as-is (there is no PSCredential constructor that takes a PSCredential)
$objCred = $MyCredentials
0
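The whole lookup reworked around that idea, added here as an example and not the accepted answer's code: the credential is prompted for once before the loop (or passed in), the server is a parameter, names with one token or more than two tokens no longer throw on $Name[1], multiple matches are reported instead of silently returning an array, and an authentication failure (the SSPI error earlier in the thread) aborts the run instead of repeating on every row. The server name, CSV column name and output shape come from the thread; the parameter names, the ambiguity handling and the exception type checked are assumptions.

```powershell
# Added example: cross-domain SamAccountName lookup with a credential obtained once.
param(
    [Parameter(Mandatory = $true)]
    [string]$CsvFilePath,

    # FQDN of the trusting domain to query (value from the thread)
    [string]$Server = 'mydomain.com',

    # Account in the trusting domain; prompted for once if not supplied
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Account in the trusting domain')
)

Import-Module ActiveDirectory

if (-not (Test-Path -Path $CsvFilePath)) {
    throw "Cannot find path '$CsvFilePath' because it does not exist."
}

foreach ($Row in Import-Csv -Path $CsvFilePath) {
    # Split on any whitespace and drop empty tokens, so "  John  Smith " still works
    $Parts = @("$($Row.'Full Name')".Trim() -split '\s+' | Where-Object { $_ })

    if ($Parts.Count -lt 2) {
        # A single-token or empty name cannot be matched on GivenName + Surname
        [PSCustomObject]@{ DisplayName = $Row.'Full Name'; SamAccountName = 'InvalidName' }
        continue
    }

    # First token as given name, last token as surname; middle names are ignored
    $FirstName = $Parts[0]
    $LastName  = $Parts[-1]

    try {
        # Scriptblock filter: the AD module expands simple $variables itself, so a
        # surname such as O'Brien needs no quote escaping here.
        $Found = @(Get-ADUser -Server $Server -Credential $Credential -ErrorAction Stop `
                       -Filter { GivenName -eq $FirstName -and Surname -eq $LastName })
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Credential or trust problem (the SSPI error): every remaining row would fail the same way
        throw "Authentication to $Server failed as $($Credential.UserName): $($_.Exception.Message)"
    }
    catch {
        # Any other per-row failure is recorded and the loop continues
        [PSCustomObject]@{ DisplayName = "$FirstName $LastName"; SamAccountName = "Error: $($_.Exception.Message)" }
        continue
    }

    $Result = switch ($Found.Count) {
        0       { 'NotFound' }
        1       { $Found[0].SamAccountName }
        default { 'Ambiguous: ' + (($Found | ForEach-Object SamAccountName) -join ';') }
    }

    [PSCustomObject]@{ DisplayName = "$FirstName $LastName"; SamAccountName = $Result }
}
```

Save it as a .ps1 and run it as `.\Get-SamAccountName.ps1 -CsvFilePath C:\UserList.csv` (script name assumed); pipe the output to Export-Csv to keep the results. Two people with the same given name and surname in the trusting domain come back as "Ambiguous" rather than as a two-element array that would break any later step expecting one string.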
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40426199
Another thing you could do is run PowerShell as the other domain user; then you will not be prompted for credentials.

Shift+Right Click Powershell icon > Run as different user, then put in other domain creds

OTHERDOMAIN\Username
Password
0