Here's the command I run:
$Credentials = Get-Credential # Feed in credentials for some.domain.com
Get-ADForest -Server some.domain.com -Credential $Credentials
And it reports:
Get-ADForest : Could not find a forest identified by: 'some.domain.com'
I've tried all kinds of different things for the -Server parameter, including using the hostname.domain.name.com and nothing works. Is it possible it is being blocked?
However, if I run a:
Get-ADUser username -Server 'some.domain.com' -Credential $Credentials
It returns the value...
First of all, you need to go through the documentation for Get-ADForest to understand what might be happening in your case:
The Get-ADForest cmdlet gets the Active Directory forest specified by
the parameters. You can specify the forest by setting the Identity or
Current parameters..........
To retrieve the forest of the local computer or current logged on user
(CLU), set the Current parameter to LocalComputer or LoggedOnUser. When
you set the Current parameter, you do not need to set the Identity
parameter.......
When the Current parameter is set to LocalComputer or LoggedOnUser,
the cmdlet uses the Server and Credential parameter values to
determine the domain and the credentials to use to identify the domain
of the forest according to the following rules......
-- If the Server and Credential parameters are specified:
The domain is set to the domain of the specified server and the cmdlet
checks to make sure that the server is in the domain of the
LocalComputer or LoggedOnUser. Then the credentials specified by the
Credential parameter are used to get the domain. An error is
returned when the server is not in the domain of the LocalComputer or
LoggedOnUser.
I believe the error which you're receiving is because the last line is not being satisfied. Please verify the same in your case because it seems the server which you're specifying is either not in the domain of the LocalComputer or the LoggedOnUser.
First of all, the two examples you mention are two different cmdlets. Let's not confuse the two of them.
About Get-ADForest:
Judging upon the information from this fact sheet about Get-ADForest
Would it help you to use -Identity "some.domain.com" instead? From what I can gather, either you use the -Identity switch (which is mandatory), or you pipe an object to the cmdlet.
The Identity switch takes these values:
A fully qualified domain
A GUID (objectGUID)
A DNS host name
A NetBIOS name
Test:
Get-ADForest -Identity 'some.domain.com' -Credential $Credentials
I am trying to write a PowerShell script to link my GPOs to several OUs on multiple domains. The issue I am having is with the New-GPLink cmdlet. When I run the command I get different errors. I can create and link GPOs in all domains in GPMC.
My domain is set up as a Forest with two domains under it (let's call them DomA and DomB). Then I have a third domain not under that forest (let's call it DomC).
My computer is in DomA and my account is in DomC.
The GPO is created in DomA and we'll call it GPO_Test_1.
The OU I want to link is at ou=Test,ou=GPO Testing,dc=DomA
If I run:
New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testing,dc=DomA" -LinkEnabled Yes
I get this error:
New-GPLink : The "GPO_Test_1" GPO was not found in the DomC domain.
Parameter name: gpoDisplayName
At line:1 char:1
+ New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.GroupPolicy.GPDomain:GPDomain) [New-GPLink], ArgumentException
+ FullyQualifiedErrorId : GpoWithNameNotFound,Microsoft.GroupPolicy.Commands.NewGPLinkCommand
So I can see it's looking at the domain that my account is on, not the one that my computer is on.
I tried different parameters resulting in different errors.
-Domain DomA
New-GPLink : A referral was returned from the server. (Exception from HRESULT: 0x8007202B)
-Server DConDomA
New-GPLink : Value does not fall within the expected range.
-Domain DomA -Server DConDomA
New-GPLink : Value does not fall within the expected range.
I read that this may be because my credentials are not passing correctly to the other domain. So I tried the below:
Invoke-Command -ComputerName DConDomA -scriptblock {New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testing,dc=DomA" -LinkEnabled Yes} -credential $c
The "GPO_Test_1" GPO was not found in the DomC domain.
Again the error referencing domain my account is on ...
Adding the -Server DConDomA inside the script block still gives this error.
New-GPLink : Value does not fall within the expected range.
Tried a few different DCs (including the RID Master on DomA and DomC) but those result in the same type of errors.
I am not sure what I am missing or doing wrong here.
I found my own answer in the Microsoft documentation. Seems I just missed it. My Domain parameter has to be the FQDN, whereas I was using the short name.
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink?view=windowsserver2022-ps
-Domain
Specifies the domain for this cmdlet. You must specify the fully qualified domain name (FQDN) of the domain.
This note explained why it was checking the domain where my account was as well.
"If you do not specify the Domain parameter, the domain of the user that is running the current session is used. If the cmdlet is being run from a computer startup or shutdown script, the domain of the computer is used. For more information, see the Notes section in the full Help."
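The fix above in script form, as an added example that is not part of the original question or answer: the domain is named by FQDN and a DC in that domain is pinned, the GPO is resolved in that domain before linking, and the link is made by GUID so a same-named GPO in the session account's domain cannot be picked up by mistake. The domain, DC, and OU distinguished name are assumed placeholders.

```powershell
# Added example (not from the original posts). Links a GPO in domain A to an
# OU in domain A while the session runs under an account from another domain.
# Assumed names: doma.example.com, dc01.doma.example.com, the OU DN below.
Import-Module GroupPolicy

$Domain  = 'doma.example.com'                                  # FQDN, not the NetBIOS short name
$Server  = 'dc01.doma.example.com'                             # a DC in that domain (assumed)
$GpoName = 'GPO_Test_1'
$Target  = 'OU=Test,OU=GPO Testing,DC=doma,DC=example,DC=com'  # full DN of the OU (assumed)

# Resolve the GPO in the target domain first. "GPO was not found in the X
# domain" means the cmdlet looked in the session account's domain instead.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -Server $Server -ErrorAction Stop

# Make the script idempotent: skip if this GPO is already linked to the OU.
$links = (Get-GPInheritance -Target $Target -Domain $Domain -Server $Server).GpoLinks
if ($links | Where-Object { $_.GpoId -eq $gpo.Id }) {
    Write-Verbose "$GpoName is already linked to $Target" -Verbose
}
else {
    # Link by GUID rather than display name: display names are not unique across domains.
    New-GPLink -Guid $gpo.Id -Target $Target -Domain $Domain -Server $Server -LinkEnabled Yes -Enforced No
}
```

Passing the same -Domain and -Server to Get-GPO, Get-GPInheritance and New-GPLink matters: each call otherwise falls back to the session account's domain independently, which is how the mixed errors in the question arise.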
I have (what I think is) an odd problem.
I have two domain admin accounts and one domain controller (for the purpose of this question). Here is the scenario:
Admin1 RDPs to dc01 and runs the Powershell command (see command below), and it succeeds
Admin2 RDPs to dc01 and runs the Powershell command (see command below), and it fails (see error below).
In both cases, we are entering the credentials of admin1 when prompted by Get-Credential
Command:
Get-ADGroupMember administrators -Credential (Get-Credential) -Server dc01 -Recursive
Error:
Get-ADGroupMember : There is no such object on the server
If I remove the -Recursive parameter, then the command works for both admins (again, using the credentials of admin1). If I open ADUC as admin1, then look at the members of Administrators, I can see all members, opening sub-groups without issue.
What in the world is going on? Thanks.
Well, looks like it was a permissions issue. I added the service account to Enterprise Admins and the failure stopped. I have no idea which object is causing the failure.
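The answer above never identified which member broke the recursive query. As an added example (not from the original question or answer), the following walks the group's member attribute one DN at a time and resolves each with the supplied credential, so the member that cannot be read is reported rather than aborting the whole expansion. The DC name in the usage lines is assumed.

```powershell
# Added example (not from the original posts). Expands nested membership by
# reading 'member' directly and resolving each DN separately, so a member the
# caller cannot resolve is reported instead of failing the whole query the way
# Get-ADGroupMember -Recursive does.
Import-Module ActiveDirectory

function Expand-GroupMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$Server,
        [pscredential]$Credential,
        [hashtable]$Seen = @{}          # DNs already visited; breaks nested-group loops
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($PSBoundParameters.ContainsKey('Server'))     { $common.Server = $Server }
    if ($PSBoundParameters.ContainsKey('Credential')) { $common.Credential = $Credential }

    $group = Get-ADGroup -Identity $GroupDN -Properties member @common
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }
        $Seen[$dn] = $true
        try {
            $obj = Get-ADObject -Identity $dn @common
        }
        catch {
            # This is the member a blanket recursive query chokes on.
            [pscustomobject]@{ DistinguishedName = $dn; ObjectClass = 'UNRESOLVED'; Error = $_.Exception.Message }
            continue
        }
        [pscustomobject]@{ DistinguishedName = $dn; ObjectClass = $obj.ObjectClass; Error = $null }
        if ($obj.ObjectClass -eq 'group') {
            Expand-GroupMembers -GroupDN $dn -Seen $Seen @common
        }
    }
}

# Usage (DC name assumed): show only the members that could not be resolved.
$adminDN = (Get-ADGroup -Identity 'Administrators' -Server 'dc01').DistinguishedName
Expand-GroupMembers -GroupDN $adminDN -Server 'dc01' -Credential (Get-Credential) |
    Where-Object ObjectClass -eq 'UNRESOLVED'
```

Running this once as each of the two admin accounts shows exactly which DN differs in readability between them, which is a narrower fix than adding an account to Enterprise Admins.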
I am trying to run the following PowerShell command through my application using C#:
Get-ADUserResultantPasswordPolicy user1
It returns the values for user1 on domain1 which is my current domain.
when I try to read the values for a user2 on domain2:
Get-ADUserResultantPasswordPolicy domain2\user2
it's throwing an exception:
"Cannot find an object with identity:'user2' under:'DC=domain2,DC=com'."
Is there a way to point PowerShell to the other domains and read the data on that domain?
Use the -Partition parameter:
Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
The following two examples show how to specify a value for this parameter.
-Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"
-Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"
Read more here: https://technet.microsoft.com/en-us/library/ee617255.aspx?f=255&MSPPError=-2147217396
You can use the -Server parameter with the fully qualified domain name of the domain controller on domain you want to access.
Get-ADUserResultantPasswordPolicy -Identity "USER1" -Server "DC1.YourDomain.com"
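Putting the -Server approach into a reusable form, as an added example that is not part of the original question or answers: the function accepts DOMAIN\user or user@domain, asks the DC locator for a domain controller of that domain, and runs the policy query there, because -Identity is only resolved in the domain the cmdlet is connected to. It also handles the case where no fine-grained policy applies, in which the cmdlet returns nothing. The domain and user names in the usage line are assumed.

```powershell
# Added example (not from the original posts). Resolves the account's domain
# to a DC and queries the resultant password policy on that DC.
Import-Module ActiveDirectory

function Get-CrossDomainPasswordPolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\user' or 'user@domain.example'

    if ($Account -match '^(?<dom>[^\\]+)\\(?<user>[^\\]+)$') {
        $domainName = $Matches.dom; $user = $Matches.user
    }
    elseif ($Account -match '^(?<user>[^@]+)@(?<dom>.+)$') {
        $domainName = $Matches.dom; $user = $Matches.user   # left part treated as sAMAccountName
    }
    else {
        $domainName = (Get-ADDomain).DNSRoot; $user = $Account   # bare name: current domain
    }

    # Ask the locator for a DC in that domain that runs AD Web Services (what the
    # AD cmdlets talk to). Works with the NetBIOS or DNS name of a trusted domain.
    $dc     = Get-ADDomainController -DomainName $domainName -Discover -Service ADWS -ErrorAction Stop
    $server = [string]$dc.HostName

    $u      = Get-ADUser -Identity $user -Server $server -ErrorAction Stop
    $policy = Get-ADUserResultantPasswordPolicy -Identity $u -Server $server
    $source = 'FineGrained'
    if (-not $policy) {
        # No PSO applies to this user, so the domain default policy is in effect.
        $policy = Get-ADDefaultDomainPasswordPolicy -Server $server
        $source = 'DomainDefault'
    }
    [pscustomobject]@{
        User             = $u.SamAccountName
        Domain           = $dc.Domain
        QueriedDC        = $server
        PolicySource     = $source
        MinLength        = $policy.MinPasswordLength
        MaxAgeDays       = $policy.MaxPasswordAge.Days
        LockoutThreshold = $policy.LockoutThreshold
    }
}

Get-CrossDomainPasswordPolicy -Account 'DOMAIN2\user2'
```

The account running the query needs read access in the other domain; with a one-way trust that may mean passing -Credential to Get-ADUser and Get-ADUserResultantPasswordPolicy as well.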
Get-ADUser -identity $ntaccount1 -properties name, samaccountname, mail, enabled, passwordlastset
Is it possible, when looking up the user account information in PowerShell, to specify a domain controller to use? We have some DCs that get the data faster than others.
From Get-Help Get-ADUser -Parameter *
-Server <string>
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a
corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain
Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
Fully qualified domain name
Examples: corp.contoso.com
NetBIOS name
Example: CORP
Directory server values:
Fully qualified directory server name
Example: corp-DC12.corp.contoso.com
NetBIOS name
Example: corp-DC12
Fully qualified directory server name and port
Example: corp-DC12.corp.contoso.com:3268
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
-By using Server value from objects passed through the pipeline.
-By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
-By using the domain of the computer running Powershell.
The following example shows how to specify a fully qualified domain name as the parameter value.
-Server "corp.contoso.com"
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
I know that this is a bit of an old question, but I would like to expand on the answer given, to aid anyone else who had a similar query.
The following allows you to define a specific Domain Controller, which the entirety of a script would be able to use... Why might you want to do this when the -Server parameter is available to Get-ADUser, New-ADUser, Set-ADObject, etc.?
Well I put together a script that creates an AD user, sets multiple properties and creates an exchange mailbox - However, one set of properties revolves around the RDS properties on a 2008 R2 user account, which cannot be set from within New-ADUser. I had to create a function that calls ADSI and uses psbase.invokeSet to update the settings. There is no parameter setting for -server that I'm aware of.
This in itself wouldn't be a big deal, but the script also creates an Exchange mailbox for the user. As my Exchange server is in different AD Site from my workstation, the user account gets created on my local DC, but the mailbox isn't set, because the DC in the same site as the Exchange server hasn't yet received a replicated copy of the new user account.
The solution I found is as follows and is courtesy of http://www.joseph-streeter.com/?p=799
Having loaded Import-Module ActiveDirectory, you'll have access to AD options in the New-PSDrive cmdlet, which among everything else allows you to define a new Active Directory Provider to work with.
New-PSDrive -Name <<NameofYourChoice>> -PSProvider ActiveDirectory -Server <<DC Server>> -Root "//RootDSE/" -Scope Global
Once created, you can then change the working Provider with the following command.
CD <<NameofYourChoice>>:
To view the existing list of Providers, type Get-PSDrive. AD is the default Active Directory Provider created when using the ActiveDirectory cmdlet. You should also see your newly created Provider.
So for instance if my remote DC is called RemoteDC I would run:
New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Server RemoteDC -Root "//RootDSE/" -Scope Global
to create a new Provider called RemoteAD. If I then run:
CD RemoteAD:
All further active directory related commands in the script or the active shell will work with the new Provider RemoteAD. If I would need to change back to my original Provider, I'd simply type
CD AD:
Hope someone finds this useful...
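The drive technique above, wrapped the way a script should use it, as an added example that is not part of the original answer: the drive is created against one DC, the location is pushed rather than changed permanently, the binding is verified before any write, and the drive is removed afterwards. The DC and OU names are assumed placeholders.

```powershell
# Added example (not from the original posts). Binds every AD cmdlet in the
# script that is not given -Server to one DC via an ActiveDirectory drive,
# verifies the binding, performs a create/modify/read on that DC, and cleans up.
Import-Module ActiveDirectory

$Dc = 'dc02.corp.example.com'                   # the DC the whole script should use (assumed)
$Ou = 'OU=Staff,DC=corp,DC=example,DC=com'      # where the test account is created (assumed)

New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Server $Dc -Root '//RootDSE/' -Scope Global | Out-Null
Push-Location RemoteAD:                          # Push/Pop rather than CD, so the caller's location is restored
try {
    # Prove the default server really changed before doing any writes.
    $bound = (Get-ADRootDSE).dnsHostName
    if ($bound -ne $Dc) { throw "AD cmdlets are bound to $bound, expected $Dc" }

    # Create, modify and read back the object: all three calls hit $Dc, so
    # there is no replication gap between them.
    $user = New-ADUser -Name 'Test User' -SamAccountName 'testuser' -Path $Ou -PassThru
    Set-ADUser -Identity $user -Description 'created via RemoteAD: drive'
    Get-ADUser -Identity $user.DistinguishedName -Properties Description |
        Select-Object SamAccountName, Description, @{ n = 'Server'; e = { $Dc } }
}
finally {
    Pop-Location
    Remove-PSDrive -Name RemoteAD                # the drive is Global; remove it when done
}
```

The drive changes the default only for the ActiveDirectory module cmdlets; anything that goes through ADSI or a different module still picks its own DC, so a mailbox-enabling step on another server sees the account only once replication has delivered it.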
This is what I use:
Get-ADUser -server dcservername.domain.local -identity username
I am having trouble accessing a shared network location while within a PowerShell remote session.
From the PowerShell prompt, I enter a new session:
Enter-PSSession server1
The session is properly created and entered. I then attempt to list the contents of the share:
dir \\server2\share1
The response is this error:
Get-ChildItem : Cannot find path '\\server2\share1' because it does not exist.
However, if I remote desktop into server1, bring up PowerShell, and execute the very same dir command, the contents are correctly listed.
I've tried various things using credentials, but that doesn't seem to fix it. I've also confirmed via the "whoami" command that I have the same identity in both examples.
What would cause this?
If you can't use credential delegation as mentioned above, you can mount (or just authenticate as below) the remote share in the remote session using explicit credentials, e.g.
[server1] ps> net use \\server2\share * /user:username
(prompts for password)
[server1] ps> dir \\server2\share
(listing)
This problem has nothing to do with PowerShell per se; you are trying to replay your local credentials in a remote session to a third location and falling foul of the NTLM "double hop" limitation.
Read the section "Credential Delegation"
Here - Credit to Keith Hill
and perform the steps if you have not already done so.
Another option is Kerberos resource delegation,
e.g.:
$server_name = "my-server"
$servers = @(Get-ADComputer -Identity $server_name)
$target = "target-server"
$tgt_srv = Get-ADComputer -Identity $target
Set-ADComputer -Identity $tgt_srv -PrincipalsAllowedToDelegateToAccount $servers
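The resource-based constrained delegation approach applied to the question's servers, as an added example that is not part of the original answer: server1's computer account is allowed to delegate to server2, the attribute is read back for audit, and the double hop is tested from a remote session after purging server1's cached tickets. The credential is assumed; the server and share names are the ones from the question.

```powershell
# Added example (not from the original posts). Configures resource-based
# constrained delegation so the computer account of server1 (where the
# PSSession runs) can obtain Kerberos tickets to server2 on behalf of the
# connecting user, then verifies it from inside a remote session.
Import-Module ActiveDirectory

$FrontEnd = 'server1'      # the host you Enter-PSSession into
$Resource = 'server2'      # the file server holding \\server2\share1
$cred     = Get-Credential # an account allowed to read the share and edit $Resource's AD object (assumed)

$fe  = Get-ADComputer -Identity $FrontEnd
$res = Get-ADComputer -Identity $Resource

# Writes msDS-AllowedToActOnBehalfOfOtherIdentity on $Resource. Note the direction:
# the RESOURCE lists who may delegate TO it; nothing is changed on $FrontEnd.
Set-ADComputer -Identity $res -PrincipalsAllowedToDelegateToAccount $fe

# Read it back; this is the attribute to audit, since any principal listed here
# can impersonate users (other than protected/sensitive accounts) to $Resource.
(Get-ADComputer -Identity $res -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

# server1's computer account may hold a cached ticket that predates the change.
# Purge the SYSTEM logon session (0x3e7) tickets, then try the share via the double hop.
Invoke-Command -ComputerName $FrontEnd -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7 | Out-Null
    Get-ChildItem -Path '\\server2\share1'
}

# To revoke the delegation later:
# Set-ADComputer -Identity $res -PrincipalsAllowedToDelegateToAccount $null
```

Two caveats: the first hop to server1 must itself be Kerberos (connect by hostname, not IP, in the same forest or across a trust that supports it), and the delegation is a standing grant that lets server1 act as any non-protected user towards server2, so list only the front-end hosts that need it and review the attribute as part of privileged-access audits.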