Script does not work across domain

  • General discussion

  • Hi,

    I have a script to check the status of a list of accounts in AD (whether each one exists or not). The script works well in the current domain from which I am executing it, but it does not search for accounts across domains!

    Can anyone help me correct this, so that it runs across domains to see whether the account exists or not?

    Import-Module ActiveDirectory
    $UserList = Get-Content C:\temp\Accounts.txt
    Foreach ($Item in $UserList) {
        $user = $null
        # Look the account up by sAMAccountName in the current domain
        $user = Get-ADUser -Filter {samAccountName -eq $Item}
        if ($user) {
            $user | Out-File C:\temp\existingAccounts.txt -Encoding Default -Append
        }
        else {
            "$Item does not exist" | Out-File C:\temp\NotExistingAccounts.txt -Encoding Default -Append
        }
    }
    • Edited by Shimith Tuesday, December 18, 2018 5:44 PM
    • Changed type Bill_Stewart Friday, March 15, 2019 3:37 PM
    • Moved by Bill_Stewart Friday, March 15, 2019 3:37 PM Abandoned
    Tuesday, December 18, 2018 4:55 PM

All replies

  • Here's an easier way to check if a sAMAccountName exists in the current domain:

    function Test-SamAccountName {
      param(
        [String] $sAMAccountName
      )
      $searcher = [ADSISearcher] "(sAMAccountName=$sAMAccountName)"
      $searcher.FindOne() -ne $null
    }

    Example use of this function in a script:

    function Test-SamAccountName {
      param(
        [String] $sAMAccountName
      )
      $searcher = [ADSISearcher] "(sAMAccountName=$sAMAccountName)"
      $searcher.FindOne() -ne $null
    }

    if ( Test-SamAccountName "foo" ) {
      "account exists"
    }
    else {
      "account does not exist"
    }

    -- Bill Stewart [Bill_Stewart]

    Tuesday, December 18, 2018 5:39 PM
  • Unless you have more than one domain, or the value of sAMAccountName in the txt file is wrong, the Get-ADUser statement should retrieve the object no matter where it resides in the domain. Unless somehow some users have been protected so you cannot view them.

    Edit: It just occurred to me that one way to "hide" users (maybe not intentionally) is to have a leading space in the sAMAccountName. Could this be the case for your problem users?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, December 18, 2018 5:42 PM
  • The script I pasted above checks the current domain. But I want the script to check for the account in the entire directory, across domains. I have given an existing account and the script says the account doesn't exist.

    Is there a condition that can help me with that?


    • Edited by Shimith Tuesday, December 18, 2018 5:46 PM
    Tuesday, December 18, 2018 5:43 PM
  • Use the -Server parameter of Get-ADUser to target the GC port of a DC that is a Global Catalog.

    -Server MyDC.MyDomain.com:3268


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, December 18, 2018 5:49 PM
  • So that means, do I need to give the GC name like below?

    $UserList = get-content C:\temp\Accounts.txt

    $dc= get-content C:\temp\GC.txt

    $user = Get-ADUser $UserList  -Server $dc -filter {samAccountName -eq $Item}

    Tuesday, December 18, 2018 5:54 PM
  • I updated my reply to show how. The GC can be in your current domain. It has a partial replica of all objects in all partitions in the forest. The sAMAccountName is included in the partial attribute set.

    Edit: One hardcoded GC should work for all.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, December 18, 2018 5:57 PM
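    Putting the GC advice above together as one complete script. This is an added example, not code from the thread: it reuses the file paths from the question, uses the placeholder GC host gc01.example.com (replace it with any Global Catalog in your forest), trims each input line so a trailing space or carriage return cannot make an existing account look missing, and escapes the name before it is placed in the LDAP filter so characters such as "*" or ")" in the input file cannot alter the query. A second function does the same lookup through [ADSISearcher] rooted at the GC, for hosts without the ActiveDirectory module.

```powershell
# Added example (not from the thread): forest-wide sAMAccountName existence check.
# Querying a Global Catalog on port 3268 covers every domain in the forest, because
# sAMAccountName is part of the partial attribute set replicated to all GCs.
Import-Module ActiveDirectory

$GlobalCatalog = 'gc01.example.com:3268'   # placeholder: any GC in your forest
$InputFile     = 'C:\temp\Accounts.txt'
$ExistsFile    = 'C:\temp\existingAccounts.txt'
$MissingFile   = 'C:\temp\NotExistingAccounts.txt'

# Escape the characters that have meaning inside an LDAP filter (RFC 4515), so a
# value read from the input file can only ever match a literal sAMAccountName.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    # Backslash first, so the escapes added below are not escaped a second time.
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $Value.Replace([string][char]0, '\00')
}

# Returns $true when at least one account with this sAMAccountName exists anywhere
# in the forest. -Server points at the GC port, so no referral chasing is needed.
function Test-ForestSamAccountName {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $Server
    )
    $escaped = ConvertTo-LdapFilterValue $SamAccountName
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$escaped)" -Server $Server
    $null -ne $user
}

# Same check without the ActiveDirectory module: an [ADSISearcher] whose search
# root is the Global Catalog partition on the given host (host name only, no port).
function Test-ForestSamAccountNameAdsi {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $GcHost
    )
    $escaped  = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [ADSISearcher] "(sAMAccountName=$escaped)"
    $searcher.SearchRoot = [ADSI] "GC://$GcHost"
    $null -ne $searcher.FindOne()
}

# Trim every line and drop empty ones; a stray space or CR at the end of a line
# is the most common reason an account that does exist is reported as missing.
$names = Get-Content $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($name in $names) {
    if (Test-ForestSamAccountName -SamAccountName $name -Server $GlobalCatalog) {
        "$name does exist"     | Out-File $ExistsFile  -Encoding Default -Append
    }
    else {
        "$name does not exist" | Out-File $MissingFile -Encoding Default -Append
    }
}
```

    Two things to keep in mind when reading the results: sAMAccountName is only unique within a domain, so a GC query can return more than one object for the same name from different domains, and the check above reports "exists" in that case as well. Trimming handles whitespace in the input file only; an account whose stored sAMAccountName carries a leading space, as mentioned earlier in the thread, will still not match its trimmed name.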
  • I ran it like below, but the existing account still shows as "does not exist". Is something wrong?

    Import-Module ActiveDirectory
    $UserList = Get-Content C:\temp\Accounts.txt
    Foreach ($Item in $UserList) {
        $user = $null
        # Query the Global Catalog port (3268) so the search covers the whole forest
        $user = Get-ADUser -Filter {samAccountName -eq $Item} -Server "servername.domain.net:3268"
        if ($user) {
            "$Item does exist" | Out-File C:\temp\existingAccounts.txt -Encoding Default -Append
        }
        else {
            "$Item does not exist" | Out-File C:\temp\NotExistingAccounts.txt -Encoding Default -Append
        }
    }

    Note: Here I am not getting a value for $user.
    • Edited by Shimith Tuesday, December 18, 2018 6:23 PM
    Tuesday, December 18, 2018 6:04 PM
  • I believe that you have to chase referrals. The code that I used at my prior employer was VB script and referenced ADS_CHASE_REFERRALS_ALWAYS.

    See https://www.remkoweijnen.nl/blog/2007/10/19/a-referral-was-returned-from-the-server/

    For the PowerShell cmdlets, this site might help you. I no longer have a way to test AD calls.

    https://stackoverflow.com/questions/38064884/get-adgroupmember-get-aduser-fails-for-users-in-different-domain

    Tuesday, December 18, 2018 6:11 PM
  • But if the GC is in the current domain, no chase referrals should be necessary. All attributes in the Partial Attribute Set are replicated to all GCs in all domains in the forest. The GC is read only, and only includes some attributes.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, December 18, 2018 6:36 PM