0 votes

Hello,

I have Adaxes installed in one forest (domain.com) and we have a 1 way forest trust with another forest (ca.domain.com). I have made the Adaxes service account in domain.com a member of the BUILTIN\administrators group in ca.domain.com and have it added as a managed domain in the Adaxes Admin Console.

I'm able to view objects normally, I'm able to create the OU in the console.

However when I try to create an OU using the New-AdmOrganizationalUnit cmdlet using this command:

New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC=domain,DC=com" -Name NewTestCustomer

I get the following error:

New-AdmOrganizationalUnit : A local error has occurred.
At line:20 char:1
+ New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [New-AdmOrganizationalUnit], DirectoryComException
 + FullyQualifiedErrorId : Softerra:Adaxes:PowerShellModule:Commands:NewAdmOrganizationalUnitCommand:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.NewAdmOrganizationalUnitCommand

Any thoughts on how to run scripts in a managed domain? I also tried this command:

Get-AdmOrganizationalUnit -Filter 'Name -like "*"' -Server ca.domain.com

I get the same error. Could someone help me understand what I'm doing wrong?

by (810 points)
0

This link in the FAQ seems to indicate I don't need the trust:

Do I have to create a trust between two domains to manage them with the same Adaxes service?

Does this only apply to the administrative console? Or to the cmdlets as well?

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

The thing is that when using Adaxes cmdlets, operations on AD objects can be performed either via Adaxes Service, or by directly accessing Active Directory domain controllers. When performing operations directly, the AD is accessed using the credentials of the currently logged in user. When operations are performed via Adaxes service, the AD is accessed using the account specified for the respective domain.

The reason for your issue is that you access the AD directly, and the currently logged in user account does not have sufficient permissions to access the OUs in the child domain. By 'permissions' we mean native AD permissions, not Adaxes Security Roles. To perform operations via Adaxes service, you need to specify the -AdaxesService parameter when calling Adaxes cmdlets, for example:

New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC=domain,DC=com" -Name NewTestCustomer -AdaxesService adaxesserver.domain.com

OR

Get-AdmOrganizationalUnit -Filter 'Name -like "*"' -Server ca.domain.com -AdaxesService localhost
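The following is an added example, not code from the original answer or from Softerra: a small wrapper that creates an OU in a managed domain strictly through the Adaxes service, so the operation runs under the account configured for that domain (and is checked against Adaxes Security Roles) instead of the caller's own credentials. It assumes the module is named `Adaxes`, that `Get-AdmOrganizationalUnit` returns objects with a `DistinguishedName` property, and that all host and OU names are placeholders.

```powershell
# Added example (not from the original post or from Softerra): create an OU in a
# managed domain by routing every cmdlet through the Adaxes service, so the request
# runs under the account configured for that domain in the Admin Console and is
# subject to Adaxes Security Roles, rather than under whoever runs the script.
# Assumptions: the module is named 'Adaxes'; host names and OU names are placeholders.
Import-Module Adaxes

function New-ManagedDomainOU {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentPath,     # e.g. "OU=Customers,DC=ca,DC=domain,DC=com"
        [Parameter(Mandatory)] [string] $Server,         # DNS name of the managed domain
        [Parameter(Mandatory)] [string] $AdaxesService   # host running the Adaxes service
    )

    # Every cmdlet in this function gets the same routing parameters. Leaving out
    # -AdaxesService makes the cmdlets talk to the domain controllers directly with
    # the caller's own credentials, which is what produced "A local error has
    # occurred" in the question above.
    $route = @{ Server = $Server; AdaxesService = $AdaxesService }

    $expectedDn = "OU=$Name,$ParentPath"

    # Idempotency check: look the OU up by name through the service and keep only
    # a match at the exact expected location.
    $existing = Get-AdmOrganizationalUnit -Filter "Name -eq `"$Name`"" @route |
        Where-Object { $_.DistinguishedName -eq $expectedDn }
    if ($existing) {
        Write-Verbose "OU already exists: $expectedDn"
        return $existing
    }

    try {
        New-AdmOrganizationalUnit -Name $Name -Path $ParentPath @route -ErrorAction Stop
        # Re-read through the service so the caller gets the object that was created.
        Get-AdmOrganizationalUnit -Filter "Name -eq `"$Name`"" @route |
            Where-Object { $_.DistinguishedName -eq $expectedDn }
    }
    catch {
        # DirectoryComException is what the cmdlets raise when the directory call
        # itself fails (as in the question); include the routing details so the
        # operator can tell a permissions problem from a connectivity one.
        throw "Failed to create $expectedDn via $AdaxesService ($($_.Exception.GetType().Name)): $($_.Exception.Message)"
    }
}

# Usage (placeholder names):
New-ManagedDomainOU -Name 'NewTestCustomer' -ParentPath 'OU=Customers,DC=ca,DC=domain,DC=com' `
    -Server 'ca.domain.com' -AdaxesService 'adaxesserver.domain.com' -Verbose
```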

0

Thanks for the help.

That did the trick!
