I'm stuck in a stupid problem that I can't figure out how to solve.
I need to get all domain controllers of a trusted domain.
With this piece of code I get all DC in the current domain Get-ADDomainController -Filter *
With this I get one DC from target domain Get-ADDomainController -domain MyTrustedDomain -Discover
But how can I get all DC in target domain?
Can't test this due to lack of AD, but you could try the -Server option with the FQDN of the trusted domain:
Get-ADDomainController -Filter * -Server trusted.example.com
One way without using AD module:
$a = new-object 'System.DirectoryServices.ActiveDirectory.DirectoryContext'("domain", "other.domain.local" )
[System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($a)
You need to be an 'authenticated user' in the remote domain or add username and password parameter to the DirectoryContext object
This command will list all domain controllers in the forest for each domain
(get-adforest).domains |%{get-addomaincontrollers -filter * -server $_}
I've come across the same problem as I work regularly with multiple domains. I was hoping for a more elegant solution, but so far the best I've come up with is to take your work one step further.
if Get-ADDomainController -domain MyTrustedDomain -Discover gives you one server in the target domain, you can feed that to the -server parameter to query that one DC. You do need to provide credentials to query a DC from a different domain than your login session if a trust DOES NOT exist (in a trust, the trusting domain considers you to be 'authenticated').
$targetdcname = (Get-ADDomainController -DomainName <MyTrustedDomain> -Discover).hostname
Get-ADDomainController -Filter * `
-Server $targetdcname `
-Credential (Get-Credential MyTrustedDomain\username) | ft HostName
or
Get-ADDomainController -Filter * `
-Server $((Get-ADDomainController -DomainName <MyTrustedDomain> -Discover).hostname) `
-Credential (Get-Credential MyTrustedDomain\username) | ft HostName
If you do this sort of thing alot, you can always store your credentials in a variable for reuse, $cred = Get-Credential MyTrustedDomain\username) and save the repeated prompts. The password is stored as a System.Security.SecureString and will be secure as long as you keep it within your session.
Until the Get-ADDomainController cmdlet is updated to allow both the -filter parameter AND the Domainname parameter, we're stuck with a workaround.
from: help get-addomaincontroller -examples
This should list all DCs in your domain
-------------------------- EXAMPLE 12 --------------------------
C:\PS>Get-ADDomainController -Filter { isGlobalCatalog -eq $true -and Site -eq "Default-First-Site-Name" }
Get all global catalogs in a given site.
Get-ADDomain -Identity <DOMAIN NAME> | select -ExpandProperty ReplicaDirectoryServers
Here is what I used
cls
$domains = (Get-ADForest).Domains;
foreach ($domain in $domains)
{
Write-Host $domain
(Get-ADDomain -Identity $domain | select -ExpandProperty ReplicaDirectoryServers).Count;
Write-Host "";
$totalCount = $totalCount + (Get-ADDomain -Identity $domain | select -ExpandProperty ReplicaDirectoryServers).Count;
}
Write-Host "Total domain controller count is: "$totalCount
Thanks for the start, here's what I came up with. Then I feed it to a SharePoint list.
get-adtrust -Filter * | Select-object Name, Domain,ipv4Address, OperatingSystem, Site, HostName, OperatingSystemVersion | ForEach-Object{Get-ADDomainController -Filter * -Server $_.Name}
Sometimes Powershell adds complexity, just open a cmd prompt and enter
C:\Windows\System32\nltest.exe /dclist:[trusted domain]
Of course, replace [trusted domain] with the name of the domain whose DC's you want.
Related
I want prevent accidental deletion for my dns zones on my domain. I have try to perform this action via powershell but i have some doubts.
I have used the following command, i found this on Microsoft:
Get-ADobject -Server "<DomainController_fqdn>" -Filter {objectclass -eq "DNSZone"} -SearchBase "DC=DomainDNSZones,<DomainDN>" | Set-ADObject -ProtectedFromAccidentalDeletion $true
Bellow is this command adapted to my domain:
Get-ADobject -Server "myservername+fqdn" -Filter {objectclass -eq "mydominzone"} -SearchBase "DC=DomainDNSZones,DC=aa,DC=bb,DC=cc" | Set-ADObject -ProtectedFromAccidentalDeletion $true
The script seems to run ok , but I don't receive any message that that fag was changed on "true".
How can i check if this setting was applied or not?
You just have to tell Get-ADObject to show that property with the -Properties parameter:
Get-ADobject -Server "myservername+fqdn" `
-Filter {objectclass -eq "mydominzone"} `
-SearchBase "DC=DomainDNSZones,DC=aa,DC=bb,DC=cc" `
-Properties ProtectedFromAccidentalDeletion
Interestingly, there isn't actually any flag in Active Directory for that. All it does is add a "deny delete" permission for "Everyone" to the account. But both Set-ADObject and Get-ADObject translate that into a property that you can set and read. And even AD Users and Computers shows it as a checkbox.
I have the script below to give me the distinguished name for groups in a spreadsheet I have. The issue is, the groups are located in another domain. How do I point my script to that domain? Issue is I know I have to be logged in to that domain to run it but I cant.
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group | Select-Object distinguishedName
}
The cmdlets in the Active Directory module support passing in the value of the domain controller you are wanting to query. By default when you call Get-ADGroup (or any of the other) it will validate what domain it should query by checking the domain of your current machine.
The other option is to provide the -Server (doc) with the value of the Active Directory Domain Services you want to execute your query against.
You can also provide the -Credential parameter with a PSCredential object that contains your login for that other domain. This is required if the current login of your PowerShell session is not authorized to authenticate against that other domain.
So your example script would look something like this:
$AdDomain = "whatever.company.local"
$adCred = Get-Credential
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group -Server $AdDomain -Credential $adCred | Select-Object distinguishedName
}
I have multiple domains in my forest, and I'm trying to write a script that will work with any user in the forest, so I'm using a global catalog in my script.
This works to retrieve the data, but when I try and modify the data I'm getting
Set-ADUser : The server is unwilling to process the request
If I use the domain controller (DC) as the server name, the modification completes as it should. I'd like to avoid writing a switch to set the server name. Is there anything else I can do here?
Get-ADUser $user -Server "contoso.local:3268" | %{Set-ADUser -Identity $_.distinguishedname -SamAccountName $_.SamAccountName -Server "contoso.local:3268"}
I'm not really clear on what you're trying to do here. Global catalog ports are read only (for LDAP).
If you want to make sure you find a domain controller that is a global catalog, you can use the following:
Get-ADDomainController -Discover -Service GlobalCatalog
Based on your comment, maybe what you need is $PSDefaultParameterValues:
$PSDefaultParameterValues = #{
"*-AD*:Server" = "contoso.local:3268"
}
Get-ADUser $user |
%{Set-ADUser -Identity $_.distinguishedname -SamAccountName $_.SamAccountName }
So I have a script with the purpose of scanning devices that start with a certain name, then return results of computers missing a group. My problem is, the device I need it to run from turns out not to be in the same tree. I have seen some commands, but I wanted to be sure I had the syntax right. I will include part of the script for context:
Import-Module ActiveDirectory
$Group = "A-Certain-Group"
$Groupname = (Get-ADGroup $Group).distinguishedName
$Computers = Get-ADComputer -filter "name -like 'Big*'" -Prop MemberOf | Where{$_.MemberOf -notcontains $Groupname}
So let's say I am running it from "company.net", and it needs to perform the above script on "companynet.net" instead. What is the proper method?
The AD cmdlets all have a -server parameter which lets you specify other domains. Just use it to specify the other domain assuming there is a trust.
$Groupname = (Get-ADGroup $Group -Server companynet.net).distinguishedName
$Computers = Get-ADComputer -Server companynet.net -filter "name -like 'Big*'" -Prop MemberOf | Where{$_.MemberOf -notcontains $Groupname}
Note that if you don't have permission to perform actions in the domain you will also need to use the -credential parameter.
I have what should be a simple script that will connect to all the servers in a domain and build a table of all the services running on each server. However, when I try to automate the script to grab all the servers in a foreach loop I get an RPC error. If the $name variable is replaced with the server DNS name everything works as expected. I've checked the firewall and DCOM services on my system (win7) and the servers (2000 - 2008R2) and these are all enabled or disabled appropriately. So, I'm thinking something in the script is broke. I'm still learning powershell, so any tips are appreciated.
Here is the script so far.
$servernames = get-adobject -Filter 'ObjectClass -eq "Computer" ' -Searchbase "OU=Servers,DC=E,DC=BENEFIS,DC=ORG"
foreach ($name in $servernames) {
Get-WMIObject win32_service -computername $name -Property SystemName,Name,StartName,StartMode |
Format-table SystemName, Name, Startname >c:\serverservices.txt }
Each object you get back have a name property so you need to pass its value to the ComputerName parameter. In addition, to get computer object use the Get-ADComputer cmdlet, you also need to specify the Append switch when you export to the file otherwise content will be overwritten and what you'll see finally is the output of the last computer only.
$servernames = Get-ADComputer -SearchBase "OU=Servers,DC=E,DC=BENEFIS,DC=ORG" -Filter *
foreach ($name in $servernames)
{
Get-WMIObject win32_service -computername $name.Name -Property SystemName,Name,StartName,StartMode |
Format-table SystemName, Name, Startname | Out-File c:\serverservices.txt -Append
}