Solved

Moving Objects between untrsuted Domains

Posted on 2014-12-01
3
121 Views
Last Modified: 2014-12-12
So I have 2 domains that are not trusted and at times will need to move users from Domain1 to domain2.  I have been working on a powershell script to facilitate this and allow our service desk to do this work.  The powershell is listed below.  However, I can not seem to get the proper connection to domain2 that it allows me to actually create the new user.

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email'
$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'

	Disable-adaccount -identity $ADUser.objectguid

$ADXServerName = 'domain2DC.domain2.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow

$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
Comment
Question by:Taztug
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40475251
#domain2 - ssource domain
#domain1 - Destination Domain
Import-Module ActiveDirectory
Invoke-Command -ComputerName Server01.domain2.com {Get-Credential 
    Domain02\DomainAdminAccountName }
$Iemail = Read-host 'Please enter the user email'
invoke=Command -computername Server01.domain2.com {
        ($ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
        }
# move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'
# won't work since we are dealing with 2 domains
Invoce=Command -computername Server01.domain2.com {
    move-adobject -identity $ADUser.objectguid -targetpath 'OU=DisabledUsers,DC=domain2,DC=edu'
    Disable-adaccount -identity $ADUser.objectguid
    }
# move it into 'OU=DisabledUsers,OU=Domain2,DC=domain2.DC=Edu' assuming DisabledUsers exists


$ADXServerName = 'domain1DC.domain1.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain1\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow
$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
 

Author Comment

by:Taztug
ID: 40496220
David,

Thanks for the ideas.   I actually found the commands and things I needed to make this work.

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email '

$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)

move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=Domain1,DC=com'
Disable-adaccount -identity $ADUser.objectguid
<#
    Setup for the connection to the remote domain.   Prompt for credentials and establish the connection
#>

$ADXServerName = 'DomainController.domain2.com'
$ADXAdmin = Read-Host 'Enter your privilege account information '
$ADXUserName = 'Domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$PSX = New-PSSession -ComputerName $ADXServerName -Credential $ADXCredential
invoke-command -session $PSX -scriptblock {Import-Module ActiveDirectory}

<#
 create a remote has table of the STSCI specific attributes
#>
invoke-command -session $PSX -scriptblock {$STSCIParams = @{"Schema-Ext1" = $Using:ADUser.'Schema-Ext1'} ;`
    $STSCIParams["Schema-Ext2"] = 0;`
    $STSCIParams["Schema-Ext3"] = $Using:ADUser.'Schema-ext3';`
    $STSCIParams["Schema-Ext4"] = $Using:ADUser.'Schema-Ext4';`
    $STSCIParams["Schema-Ext5"] = $Using:ADUser.'Schema-Ext5';`
    $STSCIParams["Schema-Ext6"] = $Using:ADUser.'Schema-Ext6';`
    $STSCIParams["Schema-ext7"] = $Using:ADUser.'Schema-Ext7' }

Invoke-Command -session $PSX -ScriptBlock {New-aduser -Name $Using:aduser.Name -SamAccountName $using:ADuser.sAMAccountName -path 'OU=Domain2OU,OU=Domain2Users,DC=Domain2,DC=com' `
    -GivenName $using:ADUser.GivenName -description $using:ADUser.Description -DisplayName $using:ADuser.Displayname -city $Using.ADUser.City -Country $Using:ADuser.Country `
    -EmailAddress $Using:ADuser.mail -PostalCode $Using:ADUser.PostalCode -State $Using:ADuser.St -Surname $Using:ADUser.SN `
    -title $Using:ADUser.title -StreetAddress $Using:ADuser.StreetAddress -userprincipalname $Using:ADuser.userprincipalname`
     -OtherAttributes $STSCIParams}

Exit-PSSession

Open in new window

0
 

Author Closing Comment

by:Taztug
ID: 40496225
Missed using the PSSession which made working with domains that are not trusted easier.   This solution works if the domains are trusted.
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question