carbonbase
asked on
query user in trusting domain
Hi I have a script to read through a CSV file and return the SamAccountName for users based on their DisplayName.
My computer is in one domain but I am trying to run the query against users in a trusting domain.
Import-Module ActiveDirectory

Function Get-OSCSamAccountName
{
<#
.SYNOPSIS
Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
.DESCRIPTION
Get-OSCSamAccountName is an advanced function which can be used to get active directory user SamAccount name.
.PARAMETER CsvFilePath
Specifies the path you want to import csv files.
.EXAMPLE
C:\PS> Get-OSCSamAccountName -CsvFilePath C:\Script\Users.csv
This command will list all active directory user SamAccount Name info.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath
    )

    If($CsvFilePath)
    {
        If(Test-Path -Path $CsvFilePath)
        {
            #import the csv file and store in a variable
            $Names = (Import-Csv -Path $CsvFilePath)."Full Name"
            Foreach($Name in $Names)
            {
                # $Name = $Name.Replace(" ","") -split ","
                $Name = $Name -split " "
                $FirstName = $Name[0].Trim()
                $LastName = $Name[1].Trim()
                $UserName = $FirstName + " " + $LastName
                #Retrieve the ad users based on previous two variables.
                $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |
                    Select -ExpandProperty SamAccountName
                If($SamAccountName -eq $null)
                {
                    $SamAccountName = "NotFound"
                }
                #Output the result
                New-Object -TypeName PSObject -Property @{DisplayName = $UserName
                                                         SamAccountName = $SamAccountName
                                                        }
            }
        }
        Else
        {
            Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        }
    }
}
When I run the above script without the "-Server" parameter for Get-ADUser it works fine, but only searches the domain my PC is in.
$SamAccountName = Get-ADUser -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
Select -ExpandProperty SamAccountName
I read on this site that you can add the "-Server" parameter and the DNS name of the Domain you want to search:
$SamAccountName = Get-ADUser -Server mydomain.com -Filter{ Surname -eq $LastName -and GivenName -eq $FirstName} |`
Select -ExpandProperty SamAccountName
However when I add the "-Server" parameter I get the following error:
Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties
do not match any of the parameters that take pipeline input.
Although you have a two-way trust between domains, commands in PowerShell crossing domains simply do not work.
You must delegate on another computer to let commands run from domain A to domain B. Here you can find a more detailed procedure: http://technet.microsoft.com/en-us/magazine/jj853299.aspx
ASKER
It's a one-way trust, with the domain my PC is in being trusted by the domain I'm trying to query. I can't ping the trusting domain from my PC (I think ICMP is being blocked by our firewall for our desktop subnet) but I can ping the domain from a server.
I have run the script from a member server (after installing the RSAT Powershell AD module) but I now get the following error:
Get-ADUser : A call to SSPI failed, see inner exception.
At C:\temp\GetADUserInfo.psm1 :56 char:35
+ $SamAccountName = Get-ADUser -Server mydomain.com -Filter{ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~ ~~~~
+ CategoryInfo : SecurityError: (:) [Get-ADUser], AuthenticationException
+ FullyQualifiedErrorId : A call to SSPI failed, see inner exception.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
With your setup, you will need credentials from the other domain, can you login to a server on that domain and run the script?
ASKER
Ideally I'd like to run the script from a server in my domain so I don't have to set up the PowerShell bits on a server in the other domain. Is it possible to pass the credentials in the script?
ASKER
Ok I just need to add the -Credential parameter to Get-ADUser. Unfortunately it's prompting me for my password for each line it reads from the CSV file ... :-(
You can use this, but it is not safe to keep your password in a plain-text file.
[object] $objCred = $null
[string] $strUser = 'domain\userID'
# Typed as SecureString, so start it at $null: the empty string '' cannot be
# converted to a SecureString and the assignment would fail
[System.Security.SecureString] $strPass = $null
$strPass = ConvertTo-SecureString -String "password" -AsPlainText -Force
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($strUser, $strPass)
then pass your credentials like
Get-ADUser -Credential $objCred
ASKER
I'm now getting the following error:
Cannot convert the "" value of type "System.String" to type "System.Security.SecureString".
You are aware that your script above is a function?
ASKER CERTIFIED SOLUTION
ASKER
Hi, sorry for not getting back sooner; that worked, thanks very much! Still not thrilled about putting my password in a script in clear text. Fortunately I can use Get-Credential as I intend to run this script manually, e.g.
$MyCredentials = Get-Credential
# Get-Credential already returns a PSCredential, so $MyCredentials can be passed to -Credential directly
$objCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($MyCredentials)
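The thread ends up at three separate fixes (query a DC in the trusting domain with -Server, supply a credential from that domain with -Credential, and collect that credential once rather than on every CSV row). The following is an added example that is not the asker's script or any reply's code: a rewrite of the lookup function that takes -Server and -Credential as parameters and reuses them for every row, with the credential prompted for once by the caller. It assumes the CSV has a "Full Name" column as in the original script; the domain name, CSV path and the Export-Clixml file path are placeholders.

```powershell
Import-Module ActiveDirectory

Function Get-OSCSamAccountName2
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$CsvFilePath,

        # DNS name of the trusting domain, or of one DC in it (placeholder value in the usage below)
        [Parameter(Mandatory=$true)]
        [String]$Server,

        # Account from the *target* domain; collected once by the caller, not per row
        [Parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    If(-not (Test-Path -Path $CsvFilePath))
    {
        Write-Warning "Cannot find path '$CsvFilePath' because it does not exist."
        return
    }

    # Splat the connection settings so every Get-ADUser call uses the same server and credential
    $adParams = @{ Server = $Server; Credential = $Credential }

    Foreach($Row in (Import-Csv -Path $CsvFilePath))
    {
        # Split on the first run of whitespace only, so a multi-word surname stays intact
        $Parts     = $Row."Full Name".Trim() -split '\s+', 2
        $FirstName = $Parts[0]
        $LastName  = if ($Parts.Count -gt 1) { $Parts[1] } else { '' }

        # Single-quoted filter: the AD module resolves $LastName/$FirstName itself
        $User = Get-ADUser @adParams -Filter 'Surname -eq $LastName -and GivenName -eq $FirstName' -ErrorAction SilentlyContinue

        # More than one match comes back as an array; report the first and leave "NotFound" for no match
        $Sam = if ($User) { @($User)[0].SamAccountName } else { 'NotFound' }

        [PSCustomObject]@{
            DisplayName    = "$FirstName $LastName"
            SamAccountName = $Sam
        }
    }
}

# Usage: prompt once, then run the whole file with that credential.
$Cred = Get-Credential -Message 'Account in the trusting domain (OTHERDOMAIN\user)'
Get-OSCSamAccountName2 -CsvFilePath C:\Script\Users.csv -Server 'otherdomain.example' -Credential $Cred

# Alternative to prompting, for unattended runs, that avoids a plain-text password in the script:
# save the credential once (DPAPI-protected for this user on this machine) and reload it later.
#   Get-Credential | Export-Clixml -Path C:\temp\otherdomain.cred.xml
#   $Cred = Import-Clixml -Path C:\temp\otherdomain.cred.xml
```

The Export-Clixml file can only be decrypted by the same Windows account on the same machine that wrote it, which is what makes it preferable to ConvertTo-SecureString -AsPlainText with a literal password in the script; if the script must run as a different account or on another host, the file has to be created there under that account.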
Another thing you could do is Run powershell as the other domain user and then you will not be prompted for credentials.
Shift+Right Click Powershell icon > Run as different user, then put in other domain creds
OTHERDOMAIN\Username
Password
It looks like it's giving an error because it cannot find mydomain.com.
can you ping mydomain.com?