Powershell: Export group members from external domain - powershell

I want to export users of some large groups.
The groups are filled with other groups and the members of those groups are users from a trusted external domain.
When I run this script it gives an error:
$Users = Get-ADGroupMember -Identity 'Group' -recursive |
Where {$_.ObjectClass -eq 'User'} |
Get-ADUser -Properties SamAccountName |
Select-Object SamAccountName
Error: The operation being requested was not performed because the user has not been authenticated.
And that's the other domain that requests authentication.
How can I achieve this in the script?
Thanks

Whenever you run an AD group cmdlet, it uses your logged-in credentials to query Active Directory. This means you need to be on a domain-joined computer, logged in as an AD user that has permission to query.
If you are on a workgroup computer or need to authenticate to AD as a different user, then you need to provide credentials. Like other PowerShell cmdlets, Get-ADGroupMember has a -Credential parameter, which allows you to specify a username and password to use for the authentication.
This will show a dialog to prompt you for your credentials:
$Users = Get-ADGroupMember -Identity 'Group' -recursive -Credential (Get-Credential) | Where {$_.ObjectClass -eq 'User'} | Get-ADUser -Properties SamAccountName | Select-Object SamAccountName
Or you can specify credentials:
# PSCredential takes the password as a SecureString, not a plain string
$password = ConvertTo-SecureString 'Password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('DOMAIN\User', $password)
And then add -Credential $cred to the command.
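The answer covers the credential part; what -Recursive does not handle well is that members from a trusted external forest appear in the local group as foreignSecurityPrincipal stubs named after the member's SID, and every object has to be read from the domain controller of the domain that owns it. The following is an added example (not the asker's or answerer's code) that walks the nested groups itself, routes each lookup to the right domain with -Server and -Credential, and resolves the foreign stubs by SID in the trusted domain. The domain names, the group name BigGroup and the output path are placeholders.

```powershell
# Added example: export the users of a nested group whose members span a trusted external domain.
Import-Module ActiveDirectory

# One entry per domain that may have to be queried; $null means "use the current session's identity".
$DomainCredentials = @{
    'home.example.com'    = $null
    'trusted.example.com' = Get-Credential -Message 'Account in trusted.example.com'
}

function Get-ConnectionParams {
    # Splat-able -Server (and, where configured, -Credential) for one domain.
    param([Parameter(Mandatory)][string]$Domain)
    $p = @{ Server = $Domain }
    if ($DomainCredentials[$Domain]) { $p['Credential'] = $DomainCredentials[$Domain] }
    return $p
}

function Get-DomainFromDN {
    # 'CN=Jane,OU=Staff,DC=trusted,DC=example,DC=com' -> 'trusted.example.com'
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dc = $DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    return ($dc -join '.')
}

# Map each configured domain's SID to its DNS name so a foreign SID can be sent to the right DC.
$DomainBySid = @{}
foreach ($d in $DomainCredentials.Keys) {
    $p = Get-ConnectionParams $d
    $DomainBySid[(Get-ADDomain @p).DomainSID.Value] = $d
}

function Resolve-ForeignPrincipal {
    # A foreignSecurityPrincipal is a local stub; find the real object in the domain that owns the SID.
    param([Parameter(Mandatory)][string]$Sid)
    $domainSid = $Sid.Substring(0, $Sid.LastIndexOf('-'))   # strip the RID
    $domain = $DomainBySid[$domainSid]
    if (-not $domain) { Write-Warning "No domain configured for the owner of $Sid"; return $null }
    $p = Get-ConnectionParams $domain
    Get-ADObject -Filter "objectSid -eq '$Sid'" -Properties objectClass, sAMAccountName @p
}

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    if (-not $Seen.Add($GroupDN)) { return }   # a group nested inside itself would otherwise loop forever
    $p = Get-ConnectionParams (Get-DomainFromDN $GroupDN)
    $group = Get-ADGroup -Identity $GroupDN -Properties member @p
    foreach ($memberDN in $group.member) {
        $mp  = Get-ConnectionParams (Get-DomainFromDN $memberDN)
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, objectSid @mp
        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            $obj = Resolve-ForeignPrincipal -Sid $obj.objectSid.Value
            if (-not $obj) { continue }
        }
        switch ($obj.ObjectClass) {
            'group' { Get-NestedGroupUsers -GroupDN $obj.DistinguishedName -Seen $Seen }
            'user'  {
                $up = Get-ConnectionParams (Get-DomainFromDN $obj.DistinguishedName)
                Get-ADUser -Identity $obj.DistinguishedName -Properties mail @up |
                    Select-Object SamAccountName, UserPrincipalName, mail,
                        @{ n = 'Domain'; e = { Get-DomainFromDN $_.DistinguishedName } }
            }
            default { }   # computers, contacts and other classes are not exported
        }
    }
}

$groupDN = (Get-ADGroup -Identity 'BigGroup' -Server 'home.example.com').DistinguishedName
Get-NestedGroupUsers -GroupDN $groupDN |
    Sort-Object Domain, SamAccountName -Unique |
    Export-Csv -Path 'C:\Temp\BigGroup-members.csv' -NoTypeInformation
```

Reading the member attribute and following it yourself, rather than relying on -Recursive, also makes it obvious which members could not be resolved (they surface as warnings) instead of the whole pipeline stopping on the first authentication failure.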

Related

PowerShell script to add user to different domain in Active Directory

I'm trying to add users from a csv file who are from domain1 to a security group in domain2 using the following script.
Import-Csv -Path "C:\Temp\test.csv" | ForEach-Object {Add-ADGroupMember -Server domain1.company.com -Identity "testSecurityGroup" -Members $_.'userName'}
But because the users are on a different domain than the security group, I'm getting this error message below. It cannot find the security group I want under the domain1.company.com domain that I wrote in my script.
Here's the error message:
Add-ADGroupMember : Cannot find an object with identity: 'testSecurityGroup' under: 'DC=domain1,DC=company,DC=com'.
You are trying to add the users from Domain1 to a security group in Domain2, but the below script tries to add the users to a security group in Domain1 which does not exist.
Import-Csv -Path "C:\Temp\test.csv" | ForEach-Object {Add-ADGroupMember -Server domain1.company.com -Identity "testSecurityGroup" -Members $_.'userName'}
So you get the below error:
Add-ADGroupMember : Cannot find an object with identity: 'testSecurityGroup' under: 'DC=domain1,DC=company,DC=com'.
Instead, you can use the below command to add the users in Domain1 to a security group in Domain2:
Import-Csv -Path "C:\Temp\test.csv" | ForEach-Object {Add-ADGroupMember -Server domain2.company.com -Identity "testSecurityGroup" -Members $_.'userName'}
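One thing to be aware of when pointing -Server at domain2: identities passed to -Members are resolved against that same server, so a bare user name from domain1 is looked up in domain2. The version below is an added example (not the asker's or answerer's script) that fetches each user object from domain1 first and hands that object, which carries the user's SID, to Add-ADGroupMember on domain2, recording the outcome per row. Host names, group name and CSV path are placeholders; the CSV is assumed to have a single column headed userName as in the question.

```powershell
# Added example: add domain1 users (listed in a CSV) to a group that lives in domain2.
Import-Module ActiveDirectory

$UserDomain  = 'domain1.company.com'
$GroupDomain = 'domain2.company.com'
$GroupName   = 'testSecurityGroup'
$CsvPath     = 'C:\Temp\test.csv'     # constructed input: one column headed "userName"

# Connection parameters for domain2; set $groupCred if the session's account has no write access there.
$groupCred = $null                    # e.g. Get-Credential -Message "Account for $GroupDomain"
$conn = @{ Server = $GroupDomain }
if ($groupCred) { $conn['Credential'] = $groupCred }

# Resolve the group once so a wrong name fails before the first CSV row is processed.
$group = Get-ADGroup -Identity $GroupName @conn

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $name = $row.userName.Trim()
    if (-not $name) { continue }
    try {
        # Look the user up in the domain it actually lives in ...
        $user = Get-ADUser -Identity $name -Server $UserDomain -ErrorAction Stop
        # ... and pass the object, not the name, to the cmdlet that talks to domain2.
        Add-ADGroupMember -Identity $group -Members $user @conn -ErrorAction Stop
        [pscustomobject]@{ User = $name; Status = 'Added'; Detail = $user.DistinguishedName }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ User = $name; Status = 'NotFound'; Detail = "no such account in $UserDomain" }
    }
    catch {
        [pscustomobject]@{ User = $name; Status = 'Failed'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```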

How to run this script against another domain

I have the script below to give me the distinguished name for groups in a spreadsheet I have. The issue is, the groups are located in another domain. How do I point my script to that domain? The issue is I know I have to be logged in to that domain to run it, but I can't.
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group | Select-Object distinguishedName
}
The cmdlets in the Active Directory module support passing in the value of the domain controller you want to query. By default, when you call Get-ADGroup (or any of the others) it will determine which domain to query by checking the domain of your current machine.
The other option is to provide the -Server parameter with the value of the Active Directory Domain Services instance you want to execute your query against.
You can also provide the -Credential parameter with a PSCredential object that contains your login for that other domain. This is required if the current login of your PowerShell session is not authorized to authenticate against that other domain.
So your example script would look something like this:
$AdDomain = "whatever.company.local"
$adCred = Get-Credential
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group -Server $AdDomain -Credential $adCred | Select-Object distinguishedName
}

Getting authentication delegation settings for an AD account from a non Domain controller with Powershell

I have admin rights on a machine connected to AD. But I don't have rights on the Domain Controller.
With PowerShell is it possible to get all authentication delegation settings of an AD account from my admin machine? If possible how?
What I mean by delegation settings is the Delegation tab of the AD account, used for Kerberos authentication. Below is a snapshot of what I am referring to. Currently I can see a few services to which the account can present delegated credentials, but not all of them, since I cannot scroll down the list as it is greyed out.
Get-ADObject -Filter {name -eq "yoursamaccountname"} -Properties msDS-AllowedToDelegateTo
Get-ADUser -Filter {SamAccountName -eq "YourAccountSamName"} -Properties msDS-AllowedToDelegateTo | Select-Object -ExpandProperty msDS-AllowedToDelegateTo
This will list all services to which the account can present delegated credentials.
The answer from Neroon did not work for me unfortunately, but I came up with a solution for AD users that works, in case anyone else is looking for it:
Get-ADUser -filter { SamAccountName -eq "YouAccountSamName" } -Properties TrustedForDelegation | Select SamAccountName, TrustedForDelegation | FT -A
For multiple users:
# @() builds the array; a leading # would turn the list into a comment and leave $users empty
$users = @('user1', 'user2')
$users | ForEach-Object { Get-ADUser -Filter { SamAccountName -eq $_ } -Properties TrustedForDelegation } | Select-Object SamAccountName, TrustedForDelegation | Sort-Object -Property SamAccountName | Format-Table -AutoSize
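TrustedForDelegation only tells you whether unconstrained delegation is on; the Delegation tab combines several attributes. The function below is an added example (not from either answer) that reads all of them with ordinary user rights from a domain-joined machine and reports them in one object: unconstrained versus constrained delegation, the target SPN list that the greyed-out tab would not let you scroll, protocol transition, resource-based constrained delegation granted to the account, and the "account is sensitive and cannot be delegated" flag. The account names at the bottom are placeholders.

```powershell
# Added example: one-object summary of an account's Kerberos delegation configuration.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName,
        [string]$Server                      # optional DC or domain name
    )
    begin {
        $conn = @{}
        if ($Server) { $conn['Server'] = $Server }
        $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'AccountNotDelegated',
                 'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount', 'servicePrincipalName'
    }
    process {
        $acct = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties $props @conn
        if (-not $acct) { Write-Warning "$SamAccountName not found"; return }

        # msDS-AllowedToDelegateTo holds the SPNs shown under "Trust this user for delegation to specified services only"
        $targets = @($acct.'msDS-AllowedToDelegateTo')
        $mode = if ($acct.TrustedForDelegation) { 'Unconstrained (any service)' }
                elseif ($targets.Count -gt 0 -and $acct.TrustedToAuthForDelegation) { 'Constrained, any protocol (protocol transition)' }
                elseif ($targets.Count -gt 0) { 'Constrained, Kerberos only' }
                else { 'None' }

        [pscustomobject]@{
            SamAccountName      = $acct.SamAccountName
            DelegationMode      = $mode
            AllowedToDelegateTo = $targets -join '; '
            # principals permitted to delegate *to* this account (resource-based constrained delegation)
            RbcdFrontEnds       = @($acct.PrincipalsAllowedToDelegateToAccount) -join '; '
            HasSpn              = @($acct.servicePrincipalName).Count -gt 0
            CannotBeDelegated   = [bool]$acct.AccountNotDelegated
        }
    }
}

# One account in detail, or several as a table:
Get-DelegationReport -SamAccountName 'svc_web' | Format-List
'svc_web', 'svc_sql', 'jdoe' | Get-DelegationReport | Sort-Object SamAccountName | Format-Table -AutoSize
```

A quick review of a whole domain is the same pipeline fed from Get-ADUser -Filter * and filtered on DelegationMode -ne 'None', which surfaces unconstrained delegation on accounts that do not need it.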

How to move a user to a new Organizational Unit

Using the command line, how can I:
Move a user to a new Organizational Unit?
Get the current Organizational Unit of a user?
Get-ADUser UserName | Move-ADObject -TargetPath (Get-ADOrganizationalUnit -Filter "Name -eq 'Your OU Name'")
Get-ADUser UserName | Select DistinguishedName
This may help you: Move Active Directory users with PowerShell
Use the ActiveDirectory-Module of Powershell:
Import-Module activedirectory
Move-ADObject -Identity "CN=John Doe,OU=Accounting,DC=Fabrikam,DC=com" -TargetPath "OU=NewOU,DC=Fabrikam,DC=com"
See: http://go.microsoft.com/fwlink/p/?linkid=291059
And:
Import-Module activedirectory
Get-ADUser -Identity foobar | Format-Table DistinguishedName
See: https://technet.microsoft.com/library/251aa5e1-8d5d-4eda-82b5-f0092b44ec3f%28v=wps.630%29.aspx
In the second example you need to do some string handling to get the OU, since the distinguished name includes the user's own CN.
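That string handling is easy to get wrong when a CN contains an escaped comma (for example "Doe\, John"). The following is an added example (not code from any of the answers) that cuts the distinguished name at the first comma that is not preceded by a backslash, then wraps the move so the target OU is verified before anything changes and the before/after containers are reported. The account and OU names are placeholders.

```powershell
# Added example: find a user's current OU and move the user safely to another one.
Import-Module ActiveDirectory

function Get-ParentContainer {
    # Returns everything after the object's own RDN, i.e. the OU or container it lives in.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # split on the first ',' that is not escaped with a backslash; at most two parts
    $parts = $DistinguishedName -split '(?<!\\),', 2
    if ($parts.Count -lt 2) { throw "'$DistinguishedName' has no parent container" }
    return $parts[1]
}

function Move-UserToOU {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetOU        # distinguished name of the destination OU
    )
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $from = Get-ParentContainer $user.DistinguishedName
    if ($from -eq $TargetOU) {
        Write-Verbose "$SamAccountName is already in $TargetOU"
        return
    }
    # Throws if the OU does not exist, so a typo in $TargetOU stops us before the move.
    $null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        MovedFrom      = $from
        MovedTo        = Get-ParentContainer (Get-ADUser -Identity $SamAccountName).DistinguishedName
    }
}

# Where is the user now?
Get-ParentContainer (Get-ADUser -Identity 'jdoe').DistinguishedName

# Move and show the result
Move-UserToOU -SamAccountName 'jdoe' -TargetOU 'OU=NewOU,DC=Fabrikam,DC=com'
```

Re-reading the user after the move (rather than trusting the requested target) means the report reflects what the directory actually recorded.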

Error handling per user

I am trying to list the membership list for each user in the Active Directory Domain. I created the following line:
foreach($_ in $(Get-ADUser -Filter *).Name){
Get-ADPrincipalGroupMembership -Identity $_ | select Name,Groupscope,Groupcategory| sort Name
}
The problem is that running this line of code causes the following error to come up when a user doesn't have any groupmembership.
Get-ADPrincipalGroupMembership : Cannot find an object with identity: 'TEST USER'
under: 'DC=contoso,DC=com'.
Adding -ErrorAction SilentlyContinue behind Get-ADPrincipalGroupMembership does not mitigate the problem. I'd rather not mess around with $ErrorAction. However, changing $ErrorAction to "SilentlyContinue" and changing it back after the line completes does work. Not a pretty solution though. Is there any way to prevent the error showing otherwise?
Output for noam's solution: (Only shows a full list of groups available, not the memberships of the users)
name groupScope groupCategory
---- ---------- -------------
Administrators DomainLocal Security
Distributed COM Users DomainLocal Security
Domain Admins Global Security
Domain Users Global Security
Enterprise Admins Universal Security
Group Policy Creator Ow... Global Security
HelpLibraryUpdaters DomainLocal Security
Schema Admins Universal Security
TESTGROUP1 Global Security
Domain Guests Global Security
Guests DomainLocal Security
Denied RODC Password Re... DomainLocal Security
Domain Users Global Security
You could retrieve the MemberOf property and only run Get-ADPrincipalGroupMembership when that property is not null.
$all = Get-ADUser -filter * -property memberOf
foreach ($usr in $all) {
if ($usr.MemberOf) {
$groups = $usr | Get-ADPrincipalGroupMembership | select name, groupScope, groupCategory
$usr.name + " belongs to the following groups:`n"
$groups | sort name | ft -auto
} else {$usr.name + " does not belong to any groups.`n"}
} #close foreach
Custom objects can also be useful for this kind of reporting.
Get-Member is useful for exploring object properties.
Get-ADUser joeUser -Property * | gm | where {$_.memberType -eq "Property"}
I am not sure of the behavior of these cmdlets, but the error you are seeing may be caused by using only the Name property value to identify the object and not its DN or other unique identifier (see the Get-ADPrincipalGroupMembership documentation). Try piping the output of Get-ADUser to Get-ADPrincipalGroupMembership to see if the issue still occurs (see example below). Also, you may want to pipe the contents of Get-ADUser to the next cmdlet so you don't have to store the information returned by Get-ADUser in memory before processing.
Get-ADUser -Filter * | Get-ADPrincipalGroupMembership
If the issue still exists:
You could use a try/catch block:
Get-ADUser -Filter * | ForEach-Object {
    try {
        Get-ADPrincipalGroupMembership $_
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityResolutionException] {
        # Log the miss instead of letting the error surface
        Write-Host "not found"
    }
}
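Another way to avoid a per-user failure altogether is not to call Get-ADPrincipalGroupMembership per user at all. The script below is an added example (not code from the question or any answer): direct memberships come from each user's own memberOf attribute, the primary group (usually Domain Users), which memberOf never lists, is rebuilt from primaryGroupID and the domain SID, each group is looked up once and cached, and a reference that cannot be resolved (for instance a group in another domain) is reported as such instead of stopping the loop.

```powershell
# Added example: per-user group report built from memberOf + primaryGroupID.
Import-Module ActiveDirectory

function Get-UserGroupReport {
    param(
        [string]$Server,                   # optional DC or domain to query
        [string]$Filter = '*'              # Get-ADUser filter, e.g. "Enabled -eq 'True'"
    )
    $conn = @{}
    if ($Server) { $conn['Server'] = $Server }

    $domainSid  = (Get-ADDomain @conn).DomainSID.Value
    $groupCache = @{}                      # DN or SID string -> ADGroup, or $null when unresolvable

    foreach ($u in Get-ADUser -Filter $Filter -Properties memberOf, primaryGroupID @conn) {
        # primaryGroupID is only the RID; the group's SID is the domain SID plus that RID
        $primarySid = "$domainSid-$($u.primaryGroupID)"
        $keys = @($u.memberOf | Where-Object { $_ }) + $primarySid

        foreach ($key in $keys) {
            if (-not $groupCache.ContainsKey($key)) {
                try {
                    # Get-ADGroup -Identity accepts both a distinguished name and a SID string
                    $groupCache[$key] = Get-ADGroup -Identity $key -ErrorAction Stop @conn
                }
                catch [Microsoft.ActiveDirectory.Management.ADException] {
                    $groupCache[$key] = $null
                }
            }
            $g = $groupCache[$key]
            [pscustomobject]@{
                User          = $u.SamAccountName
                Group         = if ($g) { $g.Name } else { $key }
                GroupScope    = if ($g) { [string]$g.GroupScope } else { 'Unresolved' }
                GroupCategory = if ($g) { [string]$g.GroupCategory } else { 'Unresolved' }
                IsPrimary     = ($key -eq $primarySid)
            }
        }
    }
}

Get-UserGroupReport | Sort-Object User, Group | Format-Table -AutoSize

# Users whose only membership is their primary group:
Get-UserGroupReport | Group-Object User | Where-Object { $_.Count -eq 1 } | Select-Object -ExpandProperty Name
```

Because every user has a primary group, the report never has an empty user, which is also why a blanket "no groups" branch is rarely what such a script needs.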