Solved

Moving Objects between untrsuted Domains

Posted on 2014-12-01
3
115 Views
Last Modified: 2014-12-12
So I have 2 domains that are not trusted and at times will need to move users from Domain1 to domain2.  I have been working on a powershell script to facilitate this and allow our service desk to do this work.  The powershell is listed below.  However, I can not seem to get the proper connection to domain2 that it allows me to actually create the new user.

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email'
$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'

	Disable-adaccount -identity $ADUser.objectguid

$ADXServerName = 'domain2DC.domain2.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow

$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
Comment
Question by:Taztug
  • 2
3 Comments
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40475251
#domain2 - ssource domain
#domain1 - Destination Domain
Import-Module ActiveDirectory
Invoke-Command -ComputerName Server01.domain2.com {Get-Credential 
    Domain02\DomainAdminAccountName }
$Iemail = Read-host 'Please enter the user email'
invoke=Command -computername Server01.domain2.com {
        ($ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
        }
# move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'
# won't work since we are dealing with 2 domains
Invoce=Command -computername Server01.domain2.com {
    move-adobject -identity $ADUser.objectguid -targetpath 'OU=DisabledUsers,DC=domain2,DC=edu'
    Disable-adaccount -identity $ADUser.objectguid
    }
# move it into 'OU=DisabledUsers,OU=Domain2,DC=domain2.DC=Edu' assuming DisabledUsers exists


$ADXServerName = 'domain1DC.domain1.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain1\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow
$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
 

Author Comment

by:Taztug
ID: 40496220
David,

Thanks for the ideas.   I actually found the commands and things I needed to make this work.

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email '

$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)

move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=Domain1,DC=com'
Disable-adaccount -identity $ADUser.objectguid
<#
    Setup for the connection to the remote domain.   Prompt for credentials and establish the connection
#>

$ADXServerName = 'DomainController.domain2.com'
$ADXAdmin = Read-Host 'Enter your privilege account information '
$ADXUserName = 'Domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$PSX = New-PSSession -ComputerName $ADXServerName -Credential $ADXCredential
invoke-command -session $PSX -scriptblock {Import-Module ActiveDirectory}

<#
 create a remote has table of the STSCI specific attributes
#>
invoke-command -session $PSX -scriptblock {$STSCIParams = @{"Schema-Ext1" = $Using:ADUser.'Schema-Ext1'} ;`
    $STSCIParams["Schema-Ext2"] = 0;`
    $STSCIParams["Schema-Ext3"] = $Using:ADUser.'Schema-ext3';`
    $STSCIParams["Schema-Ext4"] = $Using:ADUser.'Schema-Ext4';`
    $STSCIParams["Schema-Ext5"] = $Using:ADUser.'Schema-Ext5';`
    $STSCIParams["Schema-Ext6"] = $Using:ADUser.'Schema-Ext6';`
    $STSCIParams["Schema-ext7"] = $Using:ADUser.'Schema-Ext7' }

Invoke-Command -session $PSX -ScriptBlock {New-aduser -Name $Using:aduser.Name -SamAccountName $using:ADuser.sAMAccountName -path 'OU=Domain2OU,OU=Domain2Users,DC=Domain2,DC=com' `
    -GivenName $using:ADUser.GivenName -description $using:ADUser.Description -DisplayName $using:ADuser.Displayname -city $Using.ADUser.City -Country $Using:ADuser.Country `
    -EmailAddress $Using:ADuser.mail -PostalCode $Using:ADUser.PostalCode -State $Using:ADuser.St -Surname $Using:ADUser.SN `
    -title $Using:ADUser.title -StreetAddress $Using:ADuser.StreetAddress -userprincipalname $Using:ADuser.userprincipalname`
     -OtherAttributes $STSCIParams}

Exit-PSSession

Open in new window

0
 

Author Closing Comment

by:Taztug
ID: 40496225
Missed using the PSSession which made working with domains that are not trusted easier.   This solution works if the domains are trusted.
0

Join & Write a Comment

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now