Solved

Moving Objects between untrsuted Domains

Posted on 2014-12-01
3
120 Views
Last Modified: 2014-12-12
So I have 2 domains that are not trusted and at times will need to move users from Domain1 to domain2.  I have been working on a powershell script to facilitate this and allow our service desk to do this work.  The powershell is listed below.  However, I can not seem to get the proper connection to domain2 that it allows me to actually create the new user.

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email'
$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'

	Disable-adaccount -identity $ADUser.objectguid

$ADXServerName = 'domain2DC.domain2.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow

$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
Comment
Question by:Taztug
  • 2
3 Comments
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40475251
#domain2 - ssource domain
#domain1 - Destination Domain
Import-Module ActiveDirectory
Invoke-Command -ComputerName Server01.domain2.com {Get-Credential 
    Domain02\DomainAdminAccountName }
$Iemail = Read-host 'Please enter the user email'
invoke=Command -computername Server01.domain2.com {
        ($ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)
        }
# move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=domain1,DC=edu'
# won't work since we are dealing with 2 domains
Invoce=Command -computername Server01.domain2.com {
    move-adobject -identity $ADUser.objectguid -targetpath 'OU=DisabledUsers,DC=domain2,DC=edu'
    Disable-adaccount -identity $ADUser.objectguid
    }
# move it into 'OU=DisabledUsers,OU=Domain2,DC=domain2.DC=Edu' assuming DisabledUsers exists


$ADXServerName = 'domain1DC.domain1.edu'
$ADXAdmin = Read-Host 'Enter your privilege account information:'
$ADXUserName = 'domain1\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$ADXDomainEntry = New-Object -TypeName System.DirectoryServices.DirectoryEntry "LDAP://$ADXServerName" ,$($ADXCredential.UserName),$($ADXCredential.GetNetworkCredential().password,"Secure")
$ADXDomainName = $ADXDomainEntry.name
write-host $ADXDomainEntry.Name $ADXDomainEntry.path -foregroundcolor yellow
$ADXDomainEntry.Invoke 'New-ADUser' , $ADUser.sAMAccountname

Open in new window

0
 

Author Comment

by:Taztug
ID: 40496220
David,

Thanks for the ideas.   I actually found the commands and things I needed to make this work.

#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

Import-Module ActiveDirectory

$Iemail = Read-host 'Please enter the user email '

$ADuser = (get-aduser -filter {UserPrincipalName -eq $Iemail} -properties *)

move-adobject -identity $ADUser.objectguid -targetpath 'OU=Domain1OU,OU=Domain1Users,DC=Domain1,DC=com'
Disable-adaccount -identity $ADUser.objectguid
<#
    Setup for the connection to the remote domain.   Prompt for credentials and establish the connection
#>

$ADXServerName = 'DomainController.domain2.com'
$ADXAdmin = Read-Host 'Enter your privilege account information '
$ADXUserName = 'Domain2\' + $ADXAdmin
$ADXCredential = Get-Credential -Credential $ADXUserName
$PSX = New-PSSession -ComputerName $ADXServerName -Credential $ADXCredential
invoke-command -session $PSX -scriptblock {Import-Module ActiveDirectory}

<#
 create a remote has table of the STSCI specific attributes
#>
invoke-command -session $PSX -scriptblock {$STSCIParams = @{"Schema-Ext1" = $Using:ADUser.'Schema-Ext1'} ;`
    $STSCIParams["Schema-Ext2"] = 0;`
    $STSCIParams["Schema-Ext3"] = $Using:ADUser.'Schema-ext3';`
    $STSCIParams["Schema-Ext4"] = $Using:ADUser.'Schema-Ext4';`
    $STSCIParams["Schema-Ext5"] = $Using:ADUser.'Schema-Ext5';`
    $STSCIParams["Schema-Ext6"] = $Using:ADUser.'Schema-Ext6';`
    $STSCIParams["Schema-ext7"] = $Using:ADUser.'Schema-Ext7' }

Invoke-Command -session $PSX -ScriptBlock {New-aduser -Name $Using:aduser.Name -SamAccountName $using:ADuser.sAMAccountName -path 'OU=Domain2OU,OU=Domain2Users,DC=Domain2,DC=com' `
    -GivenName $using:ADUser.GivenName -description $using:ADUser.Description -DisplayName $using:ADuser.Displayname -city $Using.ADUser.City -Country $Using:ADuser.Country `
    -EmailAddress $Using:ADuser.mail -PostalCode $Using:ADUser.PostalCode -State $Using:ADuser.St -Surname $Using:ADUser.SN `
    -title $Using:ADUser.title -StreetAddress $Using:ADuser.StreetAddress -userprincipalname $Using:ADuser.userprincipalname`
     -OtherAttributes $STSCIParams}

Exit-PSSession

Open in new window

0
 

Author Closing Comment

by:Taztug
ID: 40496225
Missed using the PSSession which made working with domains that are not trusted easier.   This solution works if the domains are trusted.
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question