Solved

Moving Objects between untrsuted Domains

Posted on 2014-12-01
3
118 Views
Last Modified: 2014-12-12
So I have 2 domains that are not trusted and at times will need to move users from Domain1 to domain2.  I have been working on a powershell script to facilitate this and allow our service desk to do this work.  The powershell is listed below.  However, I can not seem to get the proper connection to domain2 that it allows me to actually create the new user.

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email'
$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'

	Disable-adaccount -identity $ADUser.objectguid

$ADXServerName = 'domain2DC.domain2.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow

$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
Comment
Question by:Taztug
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40475251
#domain2 - ssource domain
#domain1 - Destination Domain
Import-Module ActiveDirectory
Invoke-Command -ComputerName Server01.domain2.com {Get-Credential 
    Domain02\DomainAdminAccountName }
$Iemail = Read-host 'Please enter the user email'
invoke=Command -computername Server01.domain2.com {
        ($ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
        }
# move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'
# won't work since we are dealing with 2 domains
Invoce=Command -computername Server01.domain2.com {
    move-adobject -identity $ADUser.objectguid -targetpath 'OU=DisabledUsers,DC=domain2,DC=edu'
    Disable-adaccount -identity $ADUser.objectguid
    }
# move it into 'OU=DisabledUsers,OU=Domain2,DC=domain2.DC=Edu' assuming DisabledUsers exists


$ADXServerName = 'domain1DC.domain1.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain1\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow
$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
 

Author Comment

by:Taztug
ID: 40496220
David,

Thanks for the ideas.   I actually found the commands and things I needed to make this work.

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email '

$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)

move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=Domain1,DC=com'
Disable-adaccount -identity $ADUser.objectguid
<#
    Setup for the connection to the remote domain.   Prompt for credentials and establish the connection
#>

$ADXServerName = 'DomainController.domain2.com'
$ADXAdmin = Read-Host 'Enter your privilege account information '
$ADXUserName = 'Domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$PSX = New-PSSession -ComputerName $ADXServerName -Credential $ADXCredential
invoke-command -session $PSX -scriptblock {Import-Module ActiveDirectory}

<#
 create a remote has table of the STSCI specific attributes
#>
invoke-command -session $PSX -scriptblock {$STSCIParams = @{"Schema-Ext1" = $Using:ADUser.'Schema-Ext1'} ;`
    $STSCIParams["Schema-Ext2"] = 0;`
    $STSCIParams["Schema-Ext3"] = $Using:ADUser.'Schema-ext3';`
    $STSCIParams["Schema-Ext4"] = $Using:ADUser.'Schema-Ext4';`
    $STSCIParams["Schema-Ext5"] = $Using:ADUser.'Schema-Ext5';`
    $STSCIParams["Schema-Ext6"] = $Using:ADUser.'Schema-Ext6';`
    $STSCIParams["Schema-ext7"] = $Using:ADUser.'Schema-Ext7' }

Invoke-Command -session $PSX -ScriptBlock {New-aduser -Name $Using:aduser.Name -SamAccountName $using:ADuser.sAMAccountName -path 'OU=Domain2OU,OU=Domain2Users,DC=Domain2,DC=com' `
    -GivenName $using:ADUser.GivenName -description $using:ADUser.Description -DisplayName $using:ADuser.Displayname -city $Using.ADUser.City -Country $Using:ADuser.Country `
    -EmailAddress $Using:ADuser.mail -PostalCode $Using:ADUser.PostalCode -State $Using:ADuser.St -Surname $Using:ADUser.SN `
    -title $Using:ADUser.title -StreetAddress $Using:ADuser.StreetAddress -userprincipalname $Using:ADuser.userprincipalname`
     -OtherAttributes $STSCIParams}

Exit-PSSession

Open in new window

0
 

Author Closing Comment

by:Taztug
ID: 40496225
Missed using the PSSession which made working with domains that are not trusted easier.   This solution works if the domains are trusted.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief introduction to what I consider to be the best editor for PowerShell.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question