Adaxes is set up to manage two forests. The server that Adaxes is running on is a member of the main corporate forest and we added the other untrusted forest (single domain) as a Managed Domain.

I have added the following script to the Deprovision Custom Command and received the following error when it tried to run against the untrusted domain.

Failed to find a directory object with identity 'CN=This User,OU=Company Users,DC=company,DC=com' due to the following error: A referral was returned from the server.

It looks as if it tried to execute the Get-AdmUser against the local domain and was referred by the DNS stub that we have here locally. Is there something I can capture from the service to tell the script to run against the other domain?

Import-Module Adaxes

# Look up the user the Custom Command is running against (no -Server: this is
# the call that fails with "A referral was returned from the server").
$thisUser = Get-AdmUser "%distinguishedName%" -Properties MemberOf,PrimaryGroupID

if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.MemberOf)
    {
        # Record the group name, then remove the user from the group.
        $grouplist += (Get-AdmGroup $groupDN).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false
    }
}

if ($grouplist -ne $null)
{
    # Keep the list of former groups in the user's Notes (info) attribute.
    Set-AdmUser $thisUser -Add @{info=$grouplist}
}
$Context.LogMessage("Removed from all groups", "Information")
Hello Robert,

You may specify the domain in which the Get-AdmUser cmdlet will get the user by passing the domain in the -Server parameter. You may identify a domain by specifying its Fully Qualified Domain Name (FQDN) or its NetBIOS name.

Also, you should always keep in mind that, by default, all PowerShell scripts that are used in Business Rules, Custom Commands or Scheduled Tasks are launched using the credentials of Adaxes default service administrator. Since the other domain is in an untrusted forest, the default service administrator will not have sufficient permissions to launch a search for a user in that untrusted domain. Thus, you should also specify an account with sufficient privileges in the untrusted domain using the -Credential parameter.

In the following example, the script will search for the user in the domain specified by $domain, using the credentials of the user account specified by $username and $password:

Import-Module Adaxes

$username = "user@domain.com" #TODO: modify me
$password = "My Password" #TODO: modify me
$domain = "domain.com" #TODO: modify me

$passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $passwordSecure)

# -Server targets the untrusted domain; -Credential supplies an account that has
# rights there, since the default service administrator does not.
$thisUser = Get-AdmUser "%distinguishedName%" -Credential $credential -Properties MemberOf,PrimaryGroupID -Server $domain

if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.MemberOf)
    {
        # The groups live in the same untrusted domain, so every cmdlet that
        # touches them needs the same -Server and -Credential.
        $grouplist += (Get-AdmGroup $groupDN -Server $domain -Credential $credential).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Server $domain -Credential $credential -Confirm:$false
    }
}

if ($grouplist -ne $null)
{
    Set-AdmUser $thisUser -Add @{info=$grouplist} -Server $domain -Credential $credential
}
$Context.LogMessage("Removed from all groups", "Information")
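The question also asks whether the target domain can be taken from the object itself rather than typed into the script. As an added example (not part of this thread and not Adaxes' own code), the script below derives the domain's DNS name from the DC= components of %distinguishedName% and looks the domain up in a hypothetical hashtable of per-domain credentials, so one Custom Command serves both the corporate forest (no -Credential, default service administrator) and any untrusted managed domain. The Get-DomainFromDN helper, the $untrustedDomainCredentials map and the sample account name are assumptions; the cmdlets and their -Server/-Credential parameters are the ones the answer above describes.

```powershell
Import-Module Adaxes

# Derive the DNS name of the domain holding an object from its distinguished name,
# e.g. 'CN=This User,OU=Company Users,DC=company,DC=com' -> 'company.com'.
# Helper added for this example; not an Adaxes cmdlet.
function Get-DomainFromDN {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $dcParts = @([regex]::Matches($DistinguishedName, '(?i)(?:^|,)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value })
    if ($dcParts.Count -eq 0) {
        throw "No DC= components found in '$DistinguishedName'"
    }
    return ($dcParts -join '.')
}

$userDN = "%distinguishedName%"
$domain = Get-DomainFromDN $userDN

# Hypothetical map: untrusted domain FQDN -> credential valid in that domain.
# Domains not listed (the corporate forest) are reached with the default
# service administrator, i.e. -Credential is simply not passed.
$untrustedDomainCredentials = @{
    "other.example" = New-Object System.Management.Automation.PSCredential (
        "svc-deprovision@other.example",                                # placeholder account
        (ConvertTo-SecureString "My Password" -AsPlainText -Force))     # TODO: placeholder
}

# Parameters shared by every cmdlet that touches the user's domain.
$target = @{ Server = $domain }
if ($untrustedDomainCredentials.ContainsKey($domain)) {
    $target.Credential = $untrustedDomainCredentials[$domain]
}

$thisUser = Get-AdmUser $userDN -Properties MemberOf,PrimaryGroupID @target

$removed = @()
foreach ($groupDN in @($thisUser.MemberOf)) {
    $group = Get-AdmGroup $groupDN @target
    Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false @target
    $removed += $group.Name
}

if ($removed.Count -gt 0) {
    # Keep the list of former groups in the Notes (info) attribute for audit.
    Set-AdmUser $thisUser -Add @{ info = ($removed -join ', ') } @target
    $Context.LogMessage("Removed from groups in ${domain}: $($removed -join ', ')", "Information")
} else {
    $Context.LogMessage("User in $domain was not a member of any group", "Information")
}
```

Splatting the @target hashtable keeps the -Server/-Credential choice in one place, so a cmdlet cannot silently fall back to the local forest and trigger the referral error again; the log line names the domain and the groups so the deprovisioning run can be checked against the Adaxes activity log.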

