Solved

query user in trusting domain

Posted on 2014-10-28
12
684 Views
Last Modified: 2014-11-06
Hi I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.

My computer is in one domain but I am trying to run the query against users in a trusting domain.  

Import-Module ActiveDirectory
Function Get-OSCSamAccountName
{
<#
 	.SYNOPSIS
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .DESCRIPTION
        Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
    .PARAMETER  CsvFilePath
		Specifies the path you want to import csv files.
    .EXAMPLE
        C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv

		This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}

Open in new window



When I run the above script with without the "-Server" parameter for Get-ADUser It works fine but only searches the domain my PC is in.

$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window



I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search:

$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
                Select -ExpandProperty SamAccountName 

Open in new window


 However when I add the "-Server" parameter I get the following error:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
0
Comment
Question by:carbonbase
  • 6
  • 5
12 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408443
Is it a 2 way or 1 way trust? If a 1 way, which direction? Do you have a secondary zone with zone transfers enabled?

It looks like its giving an error because it cannot find mydomain.com.

can you ping mydomain.com?
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40408531
Although you have two way trust between domains, commands on powershell crossing domains simply not work.
You must to delegate on another computer to let run commands from domain a to domain b. Here you can find more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
0
 

Author Comment

by:carbonbase
ID: 40408729
its a one way trust with the domain my PC is in being trusted by the domain I'm trying to query.  I can't ping the trusting Domain from my PC (think ICMP is being blocked by our firewall for our desktop subnet) but I can ping the Domain from a server.  

I have run the script from a member server (after installing the RSAT Powershell AD module) but I now get the following error:

Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1:56 char:35
+                 $SamAccountName = Get-ADUser -Server mydomain.com -Filter{  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408745
With your setup, you will need credentials from the other domain, can you login to a server on that domain and run the script?
0
 

Author Comment

by:carbonbase
ID: 40408785
Ideally I'd like to run the script from a server in my domain so I don't have to setup the powershell bits on on a server in the other domain.  Is it possible to pass the credentials in the script?
0
 

Author Comment

by:carbonbase
ID: 40408834
Ok I just need to add the -Credential parameter to Get-ADUser.  Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40408854
You can use this but it is not safe to keep your password in plain text file.

[object] $objCred = $null
[string] $strUser = 'domain\userID'
[System.Security.SecureString] $strPass = '' 

$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

Open in new window


then pass you credentials like

Get-ADUser -credential $objCred

Open in new window

0
 

Author Comment

by:carbonbase
ID: 40412893
I'm now getting the following error:

Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40413151
You are aware that your script above is a function?
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40413160
Try this instead, It is not in a function anymore.

Import-Module ActiveDirectory

[object] $objCred = $null
[string] $strUser = 'YOURDOMAIN\YOURUSERNAME'
[System.Security.SecureString] $strPass = '' 


$strPass = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)

#Change to your list of Users
$CsvFilePath = "C:\UserList.csv"

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} -Credential $objCred |`
                Select -ExpandProperty SamAccountName 
                                
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }

                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                          SamAccountName = $SamAccountName
                                                         }
                    
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }

Open in new window

0
 

Author Closing Comment

by:carbonbase
ID: 40425854
Hi sorry for not getting back sooner, that worked thanks very much!  Still not thrilled about putting my password in a script in clear text.  Fortunately I can use Get-Credential as I intend to run this script manually e.g.

 $MyCredentials = Get-Credential

$objCred = New-Object -TypName System.Management.Automation.PSCredential -ArgumentList ($MyCredentials)
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40426199
Another thing you could do is Run powershell as the other domain user and then you will not be prompted for credentials.

Shift+Right Click Powershell icon > Run as different user, then put in other domain creds

OTHERDOMAIN\Username
Password
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Why would I want to create a function for tracking messages? I am glad you asked. As with most monotonous/routine tasks, human error tends to creep in after doing the same task over and over again. By creating a function, you load the function once…
This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now