I'm trying to add an AD group to another AD group but in a different forest.
There's a trust between these 2 domains.
$DomainA = "<domain>"
$DomainB = "<different domain>"
Add-ADGroupMember -Identity "<ad group name>" -Server $DomainA -Members "<ad group name>" -Server $DomainB
What is the best way to cross add the groups?
Error I receive:
Add-ADGroupMember : Cannot bind parameter because parameter 'Server' is specified more than once. To provide multiple values to parameters that can accept multiple values, use the array syntax.
Use the param server only once, either DomainA or DomainB.
Make sure the group names have their respective domains prefixed i.e. DomainA\GroupName.
As an example, GroupB in DomainB would become a member of GroupA in DomainA:
Add-ADGroupMember -Identity "DomainA\GroupA" -Members "DomainB\GroupB" -Server "DomainA"
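Putting the answer's two points together, here is an added example (not code from the original post) that resolves each group against a DC in its own domain, checks the target group's scope before nesting, and verifies the result without triggering the cross-forest lookup that Get-ADGroupMember performs. Domain and group names are placeholders. The scope check matters because only a domain local group can hold a security principal from a trusted forest; a global group cannot, and a universal group is limited to its own forest.

```powershell
# Added example: nest a group from a trusted forest into a domain local group.
# $DomainA, $DomainB and the group names are placeholders.
$DomainA = "corp.example"        # domain that owns the target group
$DomainB = "partner.example"     # trusted domain that owns the member group

# Resolve each group against a DC in its own domain so the SIDs are authoritative.
$target = Get-ADGroup -Identity "GroupA" -Server $DomainA
$member = Get-ADGroup -Identity "GroupB" -Server $DomainB

# A principal from another forest is only valid in a DomainLocal group.
if ($target.GroupScope -ne 'DomainLocal') {
    throw "GroupA is $($target.GroupScope); only a DomainLocal group can contain a principal from another forest."
}

# Pass the ADGroup object rather than a name: the cmdlet identifies the member by SID and
# the DC in DomainA creates the foreignSecurityPrincipal object for it as needed.
Add-ADGroupMember -Identity $target -Members $member -Server $DomainA

# Verify via the raw member attribute. Get-ADGroupMember tries to resolve the foreign
# principal in DomainB and can fail for FSP members, so read the DN list instead.
$fspDn = (Get-ADGroup -Identity $target -Server $DomainA -Properties member).member |
    Where-Object { $_ -like "CN=$($member.SID),CN=ForeignSecurityPrincipals,*" }

if ($fspDn) { "GroupB is a member via $fspDn" } else { Write-Warning "GroupB was not added" }
```

If the trust is one-way, the account running this needs to be able to read GroupB in DomainB (for Get-ADGroup) and write GroupA in DomainA; with -Server pointing at a DC in each domain, the current credentials are used for both.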
Related
I have username, and email address.
Couldn’t find a simple command to add sip address in AD attributes.
SIP:emailaddress
Please help
Thanks
You need to get the AD user you want to update, append to the ProxyAddresses property (attribute), then set the AD user. A neat and easy way to do this is to use the Active Directory cmdlets' instancing feature.
$ADUser = Get-ADUser <UserName> -Properties ProxyAddresses
# ProxyAddresses is multi-valued; += appends the new entry without removing the existing ones
$ADUser.ProxyAddresses += "sip:user@domain.com"
# -Instance writes back only the properties changed on the fetched object
Set-ADUser -Instance $ADUser
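The answer above works once; run it twice and you get a duplicate sip: entry. As an added example (not from the original answer), the function below derives the SIP address from the user's mail attribute, skips the user if any sip: entry already exists (compared case-insensitively, since the scheme prefix may appear as SIP: or sip:), and uses Set-ADUser -Add so the other proxy addresses are untouched. The username in the usage line is a placeholder.

```powershell
# Added example: idempotently add a SIP proxy address derived from the mail attribute.
function Add-ADUserSipAddress {
    [CmdletBinding(SupportsShouldProcess)]   # gives us -WhatIf / -Confirm for free
    param(
        [Parameter(Mandatory)][string]$Identity
    )
    $user = Get-ADUser -Identity $Identity -Properties mail, proxyAddresses
    if (-not $user.mail) {
        throw "$Identity has no mail attribute to derive a SIP address from."
    }

    $sip = "sip:$($user.mail)"

    # Any existing sip:/SIP: entry means the user is already provisioned; do not add a second one.
    $existing = @($user.proxyAddresses) | Where-Object { $_ -ilike 'sip:*' }
    if ($existing) {
        Write-Verbose "$Identity already has SIP address(es): $($existing -join ', '); nothing changed."
        return
    }

    # -Add appends to the multi-valued attribute. -Replace would wipe the smtp:/x500: entries.
    # $WhatIfPreference set by -WhatIf on this function propagates to Set-ADUser.
    Set-ADUser -Identity $Identity -Add @{ proxyAddresses = $sip }
    Write-Verbose "Added $sip to $Identity"
}

# Usage (placeholder username); add -WhatIf to preview the change first.
Add-ADUserSipAddress -Identity 'jdoe' -Verbose
```

Because proxyAddresses is also read by Exchange, keep the scheme casing you already use in the directory (Exchange writes the scheme of the primary address in upper case); the duplicate check above is case-insensitive for exactly that reason.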
I'm looking to list the authorized senders of a distribution group
here's my code:
(Get-DistributionGroup -Identity "mydistributiongroup").AcceptMessagesOnlyFrom|get-mailcontact|Select-Object -Property DisplayName,Name,PrimarySmtpAddress
problem :
there are Exchange mailboxes in my list in addition to external mail
how can I modify my code to take the Exchange mailboxes into account (Get-Mailbox instead of Get-MailContact) in a smart and fast way?
thank you
(Get-DistributionGroup -Identity "mydistributiongroup").AcceptMessagesOnlyFrom |
Get-Recipient |
Select-Object -Property DisplayName,Name,PrimarySmtpAddress
I believe this will do what you want.
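Get-Recipient covers every recipient type, which is why the answer above works for both contacts and mailboxes. As an added example (not from the original answer), the function below also covers the second restriction list, AcceptMessagesOnlyFromDLMembers (senders allowed because they belong to a group), expands those groups one level, and flags a group whose lists are both empty, since an empty restriction means anyone may send to it. The group name in the usage line is a placeholder.

```powershell
# Added example: list everyone allowed to send to a distribution group, including
# members of groups named in AcceptMessagesOnlyFromDLMembers.
function Get-DistributionGroupAuthorizedSenders {
    param([Parameter(Mandatory)][string]$Identity)

    $dg = Get-DistributionGroup -Identity $Identity

    if (-not $dg.AcceptMessagesOnlyFrom -and -not $dg.AcceptMessagesOnlyFromDLMembers) {
        Write-Warning "$Identity has no sender restriction: any sender can mail it (subject to RequireSenderAuthenticationEnabled=$($dg.RequireSenderAuthenticationEnabled))."
        return
    }

    # Direct entries: Get-Recipient resolves mailboxes, mail users and mail contacts alike.
    $direct = $dg.AcceptMessagesOnlyFrom | Get-Recipient |
        Select-Object @{ n = 'Source'; e = { 'Direct' } }, RecipientType, DisplayName, PrimarySmtpAddress

    # Group entries: expand each group's members (one level; nested groups appear as a
    # recipient of type MailUniversalDistributionGroup and can be expanded the same way).
    $viaGroups = foreach ($g in $dg.AcceptMessagesOnlyFromDLMembers) {
        Get-DistributionGroupMember -Identity "$g" -ResultSize Unlimited |
            Select-Object @{ n = 'Source'; e = { "Member of $g" } }, RecipientType, DisplayName, PrimarySmtpAddress
    }

    @($direct) + @($viaGroups) | Sort-Object PrimarySmtpAddress -Unique
}

# Usage (placeholder group name)
Get-DistributionGroupAuthorizedSenders -Identity "mydistributiongroup" | Format-Table -AutoSize
```

Sort-Object -Unique on PrimarySmtpAddress collapses a sender who is both listed directly and a member of an allowed group, so the output is the effective set of senders rather than the raw configuration.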
I am looking for a clean and simple solution (One-Liner?) to add the well-known domain-group Domain Users to a local group like "Direct Access Users".
The command/script will be executed on a Win10-client.
No additional module like "RSAT-AD-PowerShell" should be used for that.
The code should work regardless of OS-language.
I used the following code to add the "Authenticated Users" (= Well-known-SID S-1-5-11) to the local group:
Add-LocalGroupMember -Group "Direct Access Users" -Member S-1-5-11 -Verbose
This works fine, because the SID is static, but the SID for "Domain Users" looks like this: S-1-5-21-<Domain>-513, and I want to get the domain SID dynamically too.
Thank you
I don't see any short way of doing this -- as in, something that will fit in one line "naturally" (you can always just smoosh it together if you really want to, of course). The difficult part seems to be getting the domain SID; once you have that, constructing the well-known SID of the Domain Users group is simple enough. The below uses the computer account to do that; the code could be abbreviated if you were allowed to assume a domain user is running this.
$qualifiedComputerName = [DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name + "\" + [Environment]::MachineName + "$"
$computerAccount = [Security.Principal.NTAccount]::new($qualifiedComputerName)
$domainSid = $computerAccount.Translate([Security.Principal.SecurityIdentifier]).AccountDomainSid
$domainUsersSid = [Security.Principal.SecurityIdentifier]::new("AccountDomainUsersSid", $domainSid).Value
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsersSid -Verbose
Grab the domain SID from the dNC root:
$RootDSE = [adsi]"LDAP://RootDSE"
$dNC = [adsi]"LDAP://$($RootDSE.defaultNamingContext)"
$domainSID = [System.Security.Principal.SecurityIdentifier]::new($dNC.Properties['objectSID'].Value, 0)
$domainUsers = [System.Security.Principal.SecurityIdentifier]::new('AccountDomainUsersSid', $domainSID)
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsers.Value
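Both answers build the Domain Users SID from the domain SID and the WellKnownSidType enumeration. The added example below (not from either answer) generalises that: it takes any domain-relative well-known type (Domain Users is RID 513, Domain Admins 512, Domain Computers 515), checks that the resulting SID actually resolves against a DC before touching the local group, and skips the add when the principal is already a member, because Add-LocalGroupMember throws in that case. Like the first answer it derives the domain SID from the computer account, so it also works under SYSTEM or a local account. The local group name in the usage line is a placeholder.

```powershell
# Added example: add any well-known domain group to a local group by SID, idempotently,
# without RSAT and without depending on the OS language.
function Get-DomainSid {
    # The computer account's SID has the domain SID as its prefix. Works for a local
    # account or SYSTEM too, as long as the machine is domain-joined and a DC is reachable.
    $computer = [System.Security.Principal.NTAccount]::new(
        [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name,
        ($env:COMPUTERNAME + '$'))
    $computer.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
}

function Add-WellKnownDomainGroupToLocalGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        # Any WellKnownSidType that needs a domain SID, e.g. AccountDomainUsersSid (RID 513),
        # AccountDomainAdminsSid (512), AccountComputersSid (515).
        [Parameter(Mandatory)][System.Security.Principal.WellKnownSidType]$Type
    )
    $domainSid = Get-DomainSid
    $sid = [System.Security.Principal.SecurityIdentifier]::new($Type, $domainSid)

    # Sanity check: translating back to an account name proves a DC recognises this SID.
    # (Throws IdentityNotMappedException if it does not, e.g. wrong domain or no DC.)
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Write-Verbose "$Type -> $($sid.Value) ($account)"

    # Idempotent: Add-LocalGroupMember fails if the principal is already a member.
    $already = Get-LocalGroupMember -Group $LocalGroup | Where-Object { $_.SID -eq $sid }
    if ($already) {
        Write-Verbose "$account is already a member of $LocalGroup"
        return
    }

    if ($PSCmdlet.ShouldProcess($LocalGroup, "Add $account")) {
        Add-LocalGroupMember -Group $LocalGroup -Member $sid.Value
    }
}

# Usage (placeholder local group); add -WhatIf to preview.
Add-WellKnownDomainGroupToLocalGroup -LocalGroup 'Direct Access Users' -Type AccountDomainUsersSid -Verbose
```

One caveat on the membership check: Get-LocalGroupMember errors out on a group that contains an orphaned SID (a deleted domain account). If that is a possibility on your clients, wrap the check in try/catch and fall back to attempting the add.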
I have a script, which essentially does the following:
$user = Get-ADUser $someUserName -Server $someCertServer -Properties *
$user.userCertificate | ForEach-Object { Set-ADUser $someUserName -Certificates @{Add=$_} }
It copies the cert data from a cert-server to the default server. $user.userCertificate is of type Microsoft.ActiveDirectory.Management.ADPropertyValueCollection and $user.userCertificate[0] is of type System.Byte[]. According to the docs, I can pass a Byte[] and be good to go. By using the foreach operator in the above script, I get the Byte[].
However, Powershell fails with the error message
the parameter certificates requires all values in the collection to be of the same type
(and underlines the #{Add=$_}; the message might not be 100% accurate, since I had to translate it to English). Because of the foreach operator, there is only one type: a Byte[]. What does that error message mean and how can I shove the certificate into the ADUser object?
I also tried to convert the Byte[] to a certificate object, however it ended up with the same error message:
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($user.userCertificate[0])
Set-ADUser $someUserName -Certificates @{Add=$cert}
The very first issue I see is that you are calling on the wrong property for your example to work.
$user.userCertificate | ForEach-Object { Set-ADUser $someUserName -Certificates @{Add=$_} }
While there is a property called userCertificate on that object that contains a collection of [byte[]], for that code to work the way you want it to you should be using Certificates. Certificates is a collection of Security.Cryptography.X509Certificates.X509Certificate.
So making that change I was able to add another users certificate to my own account.
$certUser = Get-ADUser "someGuy" -Properties Certificates
$certUser.Certificates | ForEach-Object { Set-ADUser "ME" -Certificates @{Add=$_} }
Note: It is a better practice to only request the properties you need from AD. Using -properties * is a waste of effort and needless resources
While this exact scenario is not covered there is a nice write-up on the MSDN Blogs about dealing with certs.
Cert as a byte array
Now that we know userCertificate is a collection of byte arrays maybe we can look into how to use that.
I was having issues using the byte array with the certificate parameter for Set-Aduser even though it is supposed to support it. I got the error
Set-ADUser : Cannot validate argument on parameter 'Certificates'. Values in the argument collection should be of Type: 'System.Security.Cryptography.X509Certificates.X509Certificate'
I did get this to work, but I had to cast the byte array to a cert object first, which was redundant considering this appears to be what the Certificates property already is.
$certUser.userCertificate | ForEach-Object {
    # cast the raw DER bytes to the type the parameter validates against
    Set-ADUser "ME" -Certificates @{Add=[System.Security.Cryptography.X509Certificates.X509Certificate]$_}
}
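The answer establishes that -Certificates wants X509Certificate objects and that userCertificate holds the raw DER bytes. Copying certificates between servers with a plain ForEach-Object, as in the question, re-adds everything on every run and also carries over expired certificates. As an added example (not from the question or answer), the function below casts each byte[] to X509Certificate2, skips certificates already present on the target (compared by thumbprint) and, unless told otherwise, skips expired ones, so it is safe to re-run. Server names and the identity in the usage line are placeholders.

```powershell
# Added example: copy a user's certificates from one directory/DC to another,
# deduplicating by thumbprint and filtering out expired certificates.
function Copy-ADUserCertificates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$SourceServer,
        [Parameter(Mandatory)][string]$TargetServer,
        [switch]$IncludeExpired
    )
    $X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

    # Request only the attribute we need rather than -Properties *.
    $source = Get-ADUser -Identity $Identity -Server $SourceServer -Properties userCertificate
    $target = Get-ADUser -Identity $Identity -Server $TargetServer -Properties userCertificate

    # Thumbprints already on the target; anything in this list is skipped.
    $have = @($target.userCertificate | ForEach-Object { $X509::new([byte[]]$_).Thumbprint })

    $added = 0
    foreach ($raw in $source.userCertificate) {
        # The cast from DER bytes is what -Certificates requires. It also rejects
        # values that are not certificates at all (throws CryptographicException).
        $cert = $X509::new([byte[]]$raw)

        if ($have -contains $cert.Thumbprint) {
            Write-Verbose "skip $($cert.Thumbprint): already present on $TargetServer"
            continue
        }
        if (-not $IncludeExpired -and $cert.NotAfter -lt (Get-Date)) {
            Write-Verbose "skip $($cert.Thumbprint): expired $($cert.NotAfter)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$Identity on $TargetServer", "Add certificate $($cert.Thumbprint) ($($cert.Subject))")) {
            Set-ADUser -Identity $Identity -Server $TargetServer -Certificates @{ Add = $cert }
            $added++
        }
    }
    Write-Verbose "$added certificate(s) added to $Identity on $TargetServer"
}

# Usage (placeholder names); drop -WhatIf to apply.
Copy-ADUserCertificates -Identity 'jdoe' -SourceServer 'certdc.example' -TargetServer 'dc01.example' -Verbose -WhatIf
```

Comparing by thumbprint rather than by byte equality is deliberate: it is the same identity the certificate-mapping code uses, and it is what you will see in the target user's Certificates collection afterwards when you check the result with Get-ADUser -Properties Certificates.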
What I would like to do is get a list of all users in exchange and loop through them giving each user full access ("owner") right to every other calendar. So basically I want everyone at the company to have "owner" permission to everyone else.
Here is what I have so far. It works fine, but I would like this to be automated, meaning "username1" and "username2" would be replaced with active users from my Exchange server.
Add-MailboxFolderPermission -Identity "username1:\calendar" -User "username2" -AccessRights Owner
From my comment on the question.
You have lots of options but you can use
Get-Mailbox | ForEach-Object { Add-MailboxFolderPermission -Identity "username1:\calendar" -User $_.SamAccountName -AccessRights Owner }
This will grab every mailbox, since no filter is applied, and add the MailboxFolderPermission to those mailboxes.
That should work. Be careful, as you are making irreversible changes to everyone.
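The answer's one-liner covers one calendar; the question asks for every mailbox against every other mailbox. The added example below (not from the original answer) does the full nested loop and handles the three things that break the naive version: the calendar folder is not called "Calendar" in a mailbox whose language is not English, so the real folder path is read from Get-MailboxFolderStatistics; a user must not be given a permission entry on their own calendar; and Add-MailboxFolderPermission fails when an entry for that user already exists, so the script falls back to Set-MailboxFolderPermission, which makes re-runs safe. The access right is a parameter because Owner also lets each grantee change other people's permissions and delete their items; Editor or Reviewer is usually the least privilege that still meets the requirement.

```powershell
# Added example: grant every user mailbox the same right on every other user's calendar.
function Grant-EveryoneCalendarAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$AccessRights = 'Owner'   # consider Editor or Reviewer instead
    )

    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

    foreach ($owner in $mailboxes) {
        # The default calendar has FolderType 'Calendar'; its FolderPath is e.g. "/Calendar"
        # or "/Kalender". Build the folder identity from it instead of hard-coding "\Calendar".
        $calendar = Get-MailboxFolderStatistics -Identity $owner.Identity -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $calendar) {
            Write-Warning "No default calendar found for $($owner.PrimarySmtpAddress); skipping"
            continue
        }
        $folderId = "$($owner.PrimarySmtpAddress):" + ($calendar.FolderPath -replace '/', '\')

        foreach ($grantee in $mailboxes) {
            if ($grantee.ExchangeGuid -eq $owner.ExchangeGuid) { continue }   # never self

            $who = $grantee.PrimarySmtpAddress
            if (-not $PSCmdlet.ShouldProcess($folderId, "Grant $AccessRights to $who")) { continue }

            try {
                Add-MailboxFolderPermission -Identity $folderId -User $who -AccessRights $AccessRights -ErrorAction Stop | Out-Null
            }
            catch {
                # Add- fails when the user already has an entry; Set- updates it in place.
                # If the cause is something else (e.g. access denied) Set- surfaces that error.
                Set-MailboxFolderPermission -Identity $folderId -User $who -AccessRights $AccessRights -ErrorAction Stop | Out-Null
            }
        }
        Write-Verbose "Processed $folderId"
    }
}

# Dry run first: prints every grant it would make without changing anything.
Grant-EveryoneCalendarAccess -AccessRights Editor -WhatIf
```

For n mailboxes this makes n*(n-1) permission changes; on a large tenant run it against a pilot group first (filter the Get-Mailbox call) and keep the -WhatIf output as the record of what was changed, since, as the answer notes, there is no single undo.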