Adaxes

Running Powershell script against user in untrusted domain

0 votes

Adaxes is set up to manage two forests. The server that Adaxes is running on is a member of the main corporate forest and we added the other untrusted forest (single domain) as a Managed Domain.

I have added the following script to the Deprovision Custom Command and received the following error when it tried to run against the untrusted domain.

Failed to find a directory object with identity 'CN=This User,OU=Company Users,DC=company,DC=com' due to the following error: A referral was returned from the server.

It looks as if it tried to execute the Get-AdmUser against the local domain and was referred by the DNS stub that we have here locally. Is there something I can capture from the service to tell the script to run against the other domain?

import-module adaxes

$thisUser = Get-AdmUser "%distinguishedName%" -Properties MemberOf,PrimaryGroupID

if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.Memberof)
    {
        $grouplist += (get-admgroup $groupDN).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false
    }
}

if ($grouplist -ne $null)
{
set-admuser $thisUser -add @{info=$grouplist} 
}
$Context.LogMessage("Removed from all groups", "Information")
by (1.2k points)

1 Answer

0 votes
by (216k points)

Hello Robert,

You may specify the domain, in which the Get-AdmUser cmdlet will get the user, by passing the domain in the -Server parameter. You may identify a domain by specifying its Fully Qualified Domain Name (FQDN) or its NetBIOS name.

Also, you should always keep in mind that, by default, all PowerShell scripts that are used in Business Rules, Custom Commands or Scheduled Tasks are launched using the credentials of Adaxes default service administrator. Since the other domain is in an untrusted forest, the default service administrator will not have sufficient permissions to launch a search for a user in that untrusted domain. Thus, you should also specify an account with sufficient privileges in the untrusted domain using the -Credential parameter.

In the following example, the script will search for a user specified by $domain using the credentials of the user account specified by $username and $password:

Import-Module Adaxes

$username = "user@domain.com" #TODO: modify me
$password = "My Password" #TODO: modify me
$domain = "domain.com" #TODO: modify me

$passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $passwordSecure)
$thisUser = Get-AdmUser "%distinguishedName%" -Credential $credential -Properties MemberOf,PrimaryGroupID -Server $domain

if ($thisUser.MemberOf -ne $null)
{
    foreach ($groupDN in $thisUser.Memberof)
    {
        $grouplist += (get-admgroup $groupDN).Name + ", "
        Remove-AdmGroupMember $groupDN -Members $thisUser -Confirm:$false
    }
}

if ($grouplist -ne $null)
{
    Set-AdmUser $thisUser -add @{info=$grouplist} 
}
$Context.LogMessage("Removed from all groups", "Information")

Related questions

0 votes
1 answer
Schd Task running PowerShell to create a user, a rule triggered on "before creating user" cannot find the domain.

I have a scheduled task that runs the following PowerShell script. $user = New-AdmUser -Server $domain -AdaxesService localhost -Path $workdayDn -ChangePasswordAtLogon $true -PassThru - ... ) over all objects. I'm stumped! Any help would be super appreciated.

asked Sep 5 by emeisner (100 points)
0 votes
1 answer
Error running Powershell script in Adaxes

I am having an issue running a powershell script through Adaxes. I am trying to have this run as a business rule when ... $optoffice.DisabledServicePlans = "ONEDRIVESTANDARD" Set-MsolUserLicense -UserPrincipalName %userPrincipalName% -LicenseOptions $optOffice

asked Mar 2, 2015 by malsobrook (50 points)
0 votes
1 answer
Is the PowerShell Debugger safe to use against all PowerShell Runspaces in Adaxes?

I'd like to properly debug PowerShell runspaces used in Adaxes. Is the PowerShell Debugger safe to use with Adaxes? It's use would allow PowerShell developers to ... to use everywhere PowerShell is available without causing time-outs, race conditions etc.?

asked Dec 13, 2022 by Viajaz (210 points)
0 votes
1 answer
Can i pull the employeeID of new user to powershell script and use in an SQL query string

Hi All, I am currently using the 30 day free trial of Adaxes and seeing if we can use it to achieve our method of user provisioning. I am looking into server-side ... variable value within an SQL query Can this be achieved? Any help is much appreciated, Thanks

asked Feb 1 by Lewis (40 points)
0 votes
1 answer
Powershell Script only runs for a single user in a OU

I have a script that i am trying to run against all users in an OU, but the script will only run against 1 user then not run again for any other users in the OU. Any thoughts on why this would happen?

asked Mar 1, 2018 by kevball2 (100 points)
3,548 questions
3,239 answers
8,232 comments
547,814 users