0 votes

Hello,

I have Adaxes installed in one forest (domain.com) and we have a 1 way forest trust with another forest (ca.domain.com). I have made the Adaxes service account in domain.com a member of the BUILTIN\administrators group in ca.domain.com and have it added as a managed domain in the Adaxes Admin Console.

I'm able to view objects normally, I'm able to create the OU in the console.

However when I try to create an OU using the New-AdmOrganizationalUnit cmdlet using this command:

New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC=domain,DC=com" -Name NewTestCustomer

I get the following error:

New-AdmOrganizationalUnit : A local error has occurred.   
At line:20 char:1  
+ New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC ...  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
 + CategoryInfo : NotSpecified: (:) \[New-AdmOrganizationalUnit\], DirectoryComException  
 + FullyQualifiedErrorId : Softerra:Adaxes:PowerShellModule:Commands:NewAdmOrganizationalUnitCommand:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.NewAdmOrganizationalUnitCommand  

Any thoughts on how to run scripts in a managed domain? I also tried this command:

Get-AdmOrganizationalUnit -Filter 'Name -like "*"' -Server ca.domain.com

I get the same error. Could someone help me understand what I'm doing wrong?

by (810 points)
0

This link in the FAQ seems to indicate I don't need the trust:

Do I have to create a trust between two domains to manage them with the same Adaxes service?

Does this only apply to the administrative console? Or to the cmdlets as well?

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The thing is that when using Adaxes cmdlets, operations on AD objects can be performed either via Adaxes Service, or by directly accessing Active Directory domain controllers. When performing operations directly, the AD is accessed using the credentials of the currently logged in user. When operation are performed via Adaxes service, the AD is accessed using the account specified for the respective domain.

The reason for your issue is that you access the AD directly, and the currently logged in user account does not have sufficient permissions to access the OUs in the child domain. By 'permissions' we mean native AD permissions, not Adaxes Security Roles. To perform operations via Adaxes service, you need to specify the -AdaxesService parameter when calling Adaxes cmdlets, for example:

New-AdmOrganizationalUnit -Server ca.domain.com -Path "OU=Customers,DC=ca,DC=domain,DC=com" -Name NewTestCustomer -AdaxesService adaxesserver.domain.com

OR

Get-AdmOrganizationalUnit -Filter 'Name -like "*"' -Server ca.domain.com -AdaxesService localhost

0

Thanks for the help.

That did the trick!

Related questions

0 votes
1 answer

In order to add a managed domain does it have to be trusted by the primary domain adaxes is installed an running in? I have set up a domain for testing adaxes and it ... I have set my host file to point the untrusted domain to it's primary Domain Controller.

asked Oct 5, 2022 by mightycabal (1.0k points)
0 votes
0 answers

I am trying to find a way to create Groups based off an OU and a list of options (check boxes) within the portal For example: Select the Target OU to add groups ... 3 - Remote Administrators Option 3 - Remote Developers Option 4 - Readers Option 4 - Writers

asked Sep 11, 2020 by dknapp (100 points)
0 votes
1 answer

Hello We are using the Computer Manager security role and have given access to this group of staff to a web console, what I can't get working is getting it to display the ... else like OS, service pack, role are displaying OK. Can you help please? Thank you.

asked Feb 4, 2015 by CBurn (700 points)
0 votes
0 answers

We have a multiforest set up. One of the domains is a non hybrid. Whenever a user is created in that domain it gives an error saying- 'Property 'ms-exch-target- ... active Directory schema'. How can we write an exception while adding to that non-hybrid domain?

asked Oct 31, 2022 by Aishwarya Gavali (40 points)
0 votes
1 answer

Using this built in function: There is no option to change the domain on the user account, however this is not the domain we use for UPN. However after creating a user, you can change it but trying to avoid going back into the object.

asked Apr 14, 2023 by mightycabal (1.0k points)
3,326 questions
3,026 answers
7,727 comments
544,678 users