How to query a user across multiple forests with AD PowerShell

  • Question

  • Hi Guys

      Our situation is like this: we have two forests, let's say forestA.com and forestB.com, and there are many subdomains in forest A.

      I'd like to write a script to get the AD object information via Get-ADObject -Identity xxxx.

      My account belongs to forestA.com, and the computer I logged on to belongs to forestB.com; A & B have a forest trust.

      Now the problem is: if the object I queried belongs to forestB.com, Get-ADObject works fine; however, if the object belongs to forestA.com, I get the error "Get-ADObject: Cannot find an object with identity: 'xxxx' under: 'DC=forestB,DC=com'".

      So how can I have a script that can query users in both forests?


    Thursday, October 23, 2014 3:10 AM

Answers

  • Prepared this some time ago for a PowerShell Chalk & Talk. Just change the forest names and credentials. Each Active Directory cmdlet you are calling works on the current drive. So to switch between the forests you just need to change the drive / location.

    This is also quite nice for migration scenarios.

    $forests = @{
        # Demo values only: plaintext passwords in a script are a credential-leak
        # risk; in practice build these with Get-Credential or read them from a vault.
        'forest1.net' = (New-Object pscredential('forest1\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
        'forest2.net' = (New-Object pscredential('forest2\Administrator', ('Password2' | ConvertTo-SecureString -AsPlainText -Force)))
        'forest3.net' = (New-Object pscredential('forest3\Administrator', ('Password3' | ConvertTo-SecureString -AsPlainText -Force)))
    
        'a.forest1.net' = (New-Object pscredential('a\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
        'b.forest1.net' = (New-Object pscredential('b\Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force)))
    }
    
    Import-Module -Name ActiveDirectory
    
    $drives = $forests.Keys | ForEach-Object {
    
        # Drive name is the first DNS label (forest1, a, b, ...); the FQDN key is
        # what we pass as -Server so name resolution does not rely on a DNS suffix.
        $forestShortName = ($_ -split '\.')[0]
    
        # Bind with that forest's own credential to read its default naming context,
        # which becomes the root of the PSDrive.
        $forestDN = (Get-ADRootDSE -Server $_ -Credential $forests.$_).defaultNamingContext
    
        New-PSDrive -Name $forestShortName -Root $forestDN -PSProvider ActiveDirectory -Credential $forests.$_ -Server $_
    }
    
    # Remember where we were: every AD cmdlet targets the drive of the current
    # location, so we must not leave the session parked on the last forest.
    Push-Location
    
    $result = $drives | ForEach-Object {
        Set-Location -Path "$($_.Name):"
    
        Get-ADUser -Identity administrator
    }
    
    Pop-Location
    $drives | Remove-PSDrive -Force
    
    $result


    -Raimund

    Thursday, October 23, 2014 10:54 AM

All replies

  • Get-ADUser userid -Server domainA

    ¯\_(ツ)_/¯

    Thursday, October 23, 2014 6:09 AM
  • This was really helpful for me.

    I ended up using this instead:

    Import-Module ActiveDirectory
    
    # @() on both sides: with a single trust, .Target is a string and "+" would
    # concatenate instead of building a list. Sort-Object -Unique drops a domain
    # that appears both as a trust target and as a member of our own forest.
    $result = @((Get-ADTrust -Filter *).Target) + @((Get-ADForest).Domains) | Sort-Object -Unique | ForEach-Object {
        Get-ADUser -Identity administrator -Server $_
    }
    
    $result

    I appended the local domains as well, because otherwise this script would have only pulled up the hits from the forest trusts.


    Wednesday, May 6, 2020 9:53 PM
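Both answers above share two weak points: Raimund's drive-per-forest script keeps a plaintext password per forest, and the Get-ADTrust variant reads trusts from whatever domain the machine is joined to and stops at the first Get-ADUser error. The function below is an added example, not code from the thread; it enumerates forest trusts from the forest root, queries one global catalog per forest so child domains need no separate lookup, and treats the "Cannot find an object with identity" error from the question as "not in this forest" rather than a fatal error. It assumes the RSAT ActiveDirectory module and an account that can read the trusted forests over the trust (or the optional credential); the function and parameter names are this example's own.

```powershell
# Added example (not code from the thread): look an identity up in the current
# forest and in every forest it has a forest trust with, without storing
# passwords in the script. Assumes the RSAT ActiveDirectory module and that the
# caller (or the optional credential) may read the trusted forests over the
# trust. The function name and parameters are this example's own.
Import-Module -Name ActiveDirectory

function Find-ADUserAcrossForests {
    [CmdletBinding()]
    param(
        # Anything Get-ADUser -Identity accepts: sAMAccountName, UPN, SID, DN or GUID.
        [Parameter(Mandatory)]
        [string]$Identity,

        # Optional credential for the remote forests. When omitted, the caller's own
        # Kerberos ticket is used across the trust.
        [pscredential]$Credential
    )

    # Forest trusts live on the forest root domain, so ask the root rather than
    # whatever domain this machine happens to be joined to.
    $forestRoot = (Get-ADForest).RootDomain

    # Forest trusts only; external trusts are domain-scoped and are left out here.
    $trusted = Get-ADTrust -Filter * -Server $forestRoot |
        Where-Object { $_.ForestTransitive } |
        Select-Object -ExpandProperty Target

    # @() on both sides so a single trust target is not string-concatenated.
    $roots = @($forestRoot) + @($trusted) | Where-Object { $_ } | Sort-Object -Unique

    foreach ($root in $roots) {
        # Query a global catalog (port 3268) of each forest root: one query covers
        # every domain in that forest, so child domains need no separate lookup.
        $params = @{
            Identity    = $Identity
            Server      = "$($root):3268"
            Properties  = 'CanonicalName'
            ErrorAction = 'Stop'
        }
        if ($Credential) { $params.Credential = $Credential }

        try {
            Get-ADUser @params |
                Select-Object SamAccountName, UserPrincipalName, DistinguishedName,
                              CanonicalName, Enabled,
                              @{ Name = 'Forest'; Expression = { $root } }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # The error the question shows; here it just means "not in this forest".
            Write-Verbose "'$Identity' not found in forest $root"
        }
        catch {
            # Unreachable GC, access denied over the trust, ambiguous sAMAccountName
            # across domains, etc. Report and move on so one bad forest does not
            # hide results from the others.
            Write-Warning "Lookup in forest $root failed: $($_.Exception.Message)"
        }
    }
}

# Usage, e.g. from the forestB-joined machine in the question:
#   Find-ADUserAcrossForests -Identity administrator -Verbose
#   Find-ADUserAcrossForests -Identity jdoe -Credential (Get-Credential 'forestA\reader')
```

Because a sAMAccountName is only unique per domain, a global-catalog lookup by that name can match more than one object inside a forest; Get-ADUser then throws instead of returning a list, and the generic catch reports it. Pass the UPN, SID or DN when that happens, or fall back to a per-domain query with -Server set to the specific domain as in the replies above.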