0 votes

Adaxes is set up to manage two forests. The server that Adaxes is running on is a member of the main corporate forest and we added the other untrusted forest (single domain) as a Managed Domain.

I have added the following script to the Deprovision Custom Command and received the following error when it tried to run against the untrusted domain.

Failed to find a directory object with identity 'CN=This User,OU=Company Users,DC=company,DC=com' due to the following error: A referral was returned from the server.

It looks as if it tried to execute the Get-AdmUser against the local domain and was referred by the DNS stub that we have here locally. Is there something I can capture from the service to tell the script to run against the other domain?

Import-Module Adaxes

# Runs under the Deprovision Custom Command; %distinguishedName% is the target user's DN
$thisUser = Get-AdmUser "%distinguishedName%" -Properties MemberOf,PrimaryGroupID

if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.MemberOf)
    {
        $grouplist += (Get-AdmGroup $groupDN).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false
    }
}

if ($grouplist -ne $null)
{
    Set-AdmUser $thisUser -Add @{info=$grouplist}
}
$Context.LogMessage("Removed from all groups", "Information")
by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello Robert,

You may specify the domain in which the Get-AdmUser cmdlet will get the user by passing the domain in the -Server parameter. You may identify a domain by specifying its Fully Qualified Domain Name (FQDN) or its NetBIOS name.

Also, you should always keep in mind that, by default, all PowerShell scripts that are used in Business Rules, Custom Commands or Scheduled Tasks are launched using the credentials of the Adaxes default service administrator. Since the other domain is in an untrusted forest, the default service administrator will not have sufficient permissions to launch a search for a user in that untrusted domain. Thus, you should also specify an account with sufficient privileges in the untrusted domain using the -Credential parameter.

In the following example, the script will search for the user in the domain specified by $domain using the credentials of the user account specified by $username and $password:

Import-Module Adaxes

$username = "user@domain.com" #TODO: modify me
$password = "My Password" #TODO: modify me (stored in plain text in the script)
$domain = "domain.com" #TODO: modify me

$passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $passwordSecure)

# Every cmdlet below is given the same -Server and -Credential; otherwise the
# group lookups and removals would still run against the local domain and fail
# with the same referral error.
$thisUser = Get-AdmUser "%distinguishedName%" -Credential $credential -Properties MemberOf,PrimaryGroupID -Server $domain

$grouplist = ""
if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.MemberOf)
    {
        $grouplist += (Get-AdmGroup $groupDN -Server $domain -Credential $credential).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Server $domain -Credential $credential -Confirm:$false
    }
}

if ($grouplist -ne "")
{
    Set-AdmUser $thisUser -Add @{info=$grouplist} -Server $domain -Credential $credential
}
$Context.LogMessage("Removed from all groups", "Information")
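As an added example (not from the question, the answer, or Adaxes itself), the following script derives the target domain from the user's DN instead of hard-coding it, runs with the extra credential only when the DN belongs to the untrusted forest, and passes the same -Server/-Credential pair to every cmdlet of the deprovisioning flow. It assumes the domain's DNS name matches its DC= components, that Get-AdmGroup, Remove-AdmGroupMember and Set-AdmUser accept -Server and -Credential like Get-AdmUser, and that the domain names and account are placeholders to be replaced.

```powershell
Import-Module Adaxes

function Get-DomainFromDN {
    # Joins the DC= components of a DN into a DNS name, assuming the domain's
    # DNS name matches its DC= path (the usual case):
    # "CN=This User,OU=Company Users,DC=company,DC=com" -> "company.com"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = [regex]::Matches($DistinguishedName, '(?i)(?:^|,)\s*DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
    if (-not $dcParts) { throw "No DC= components in '$DistinguishedName'" }
    return ($dcParts -join '.')
}

$userDN = "%distinguishedName%"
$domain = Get-DomainFromDN $userDN

# Placeholder values: the untrusted forest's domain and an account with rights
# there. Only the two managed domains are listed, so a DN from any other
# domain stops the script instead of running with the privileged account.
$untrustedDomain = "untrusted.example"   # TODO: modify me
$corporateDomain = "corp.example"        # TODO: the forest Adaxes is a member of
$credential = $null
if ($domain -eq $untrustedDomain) {
    $securePwd = ConvertTo-SecureString "My Password" -AsPlainText -Force   # TODO: modify me
    $credential = New-Object System.Management.Automation.PSCredential ("user@$untrustedDomain", $securePwd)
}
elseif ($domain -ne $corporateDomain) {
    throw "Refusing to run against unexpected domain '$domain'"
}

# One parameter set reused by every cmdlet so all calls target the same domain
# with the same account; the corporate forest keeps the default service account.
$target = @{ Server = $domain }
if ($credential) { $target['Credential'] = $credential }

$thisUser = Get-AdmUser $userDN -Properties MemberOf @target
$removed = @()
foreach ($groupDN in $thisUser.MemberOf) {      # foreach over $null iterates zero times
    $removed += (Get-AdmGroup $groupDN @target).Name
    Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false @target
}
if ($removed.Count -gt 0) {
    Set-AdmUser $thisUser -Add @{ info = ($removed -join ', ') } @target
}
$Context.LogMessage("Removed $($removed.Count) group membership(s) in $domain", "Information")
```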
