Lerch Web Wiki

Random, erratic, no responsibility is taken for the correctness of this information


Using PowerShell across Domains and Forests

PSDrives to the rescue!

Hi folks,

ever had to do administrative tasks in an environment with more than one Active Directory Domain or even more than one Forest?

If you had or have to, how did you accomplish that? Used remote desktop to connect to the server and then fired up PowerShell or Active Directory Users and Computers to finish your tasks?

Well, this might work, but you need to provide your user credentials every time you log into the remote system. Logged out already and need to do some more tasks? Too bad, log in again and type your password again and again. Doesn’t sound too comfortable, does it?

But how can PowerShell help in this case?

Let me show you how!

PowerShell comes with a wonderful concept of PSProviders and PSDrives. If you import the Active Directory module for PowerShell, you automatically get a drive AD:. Have you ever tried to do a cd AD: and afterwards a dir or get-childitem? If you haven’t, I encourage you to try it right away. PowerShell lets you access different resources in a uniform way, whether it is the filesystem, the registry, the certificate store or even your Active Directory. Try the get-psdrive cmdlet to see which drives you already have:

PS C:\Users\> Get-PSDrive
 
Name           Used (GB)     Free (GB) Provider      Root                                CurrentLoc
                                                                                              ation
----           ---------     --------- --------      ----                                ----------
Alias                                  Alias
C                 126,99         96,24 FileSystem    C:\                                 ...\users
Cert                                   Certificate   \
D                 197,95         34,94 FileSystem    D:\
E                   3,14         11,48 FileSystem    E:\
Env                                    Environment
Function                               Function
G                    ,05               FileSystem    G:\
H                                      FileSystem    H:\
HKCU                                   Registry      HKEY_CURRENT_USER
HKLM                                   Registry      HKEY_LOCAL_MACHINE
Variable                               Variable
WSMan                                  WSMan

We can use these PSProviders and PSDrives to make working across multiple domains a lot easier. And best of all, this also works without any trust relationship between the forests!

So here is how you do it:

Assume we have two single-domain forests, ForestA and ForestB. You work as an administrator in ForestA and need to create an OU in ForestB and a user in this OU.

Import-Module activedirectory
 
New-PSDrive -Name "ForestB" -PSProvider ActiveDirectory -root ""`
     -server dc1.forestb.com -Credential (Get-Credential)
 
cd ForestB:
 
cd "dc=forestb,dc=com"
 
New-ADOrganizationalUnit "MyOU"
 
cd .\MyOU
 
New-ADUser -name MyUser
 
Get-ChildItem

How does this work? First of all we need to import the Active Directory module, which brings along the Active Directory PSProvider. Now we can set up a new PSDrive which connects to DC1 of ForestB. The PSDrive will be called ForestB: and we connect to this forest with administrator credentials of the target forest. So be sure you type the correct user and password for ForestB into the prompt you get when Get-Credential is called.

Now comes the easy part. You can cd or set-location to ForestB: and you will be at the RootDSE of ForestB (try a get-childitem here to see the different partitions of the forest).

So just change to the location where you want to create the new OU, create it using the New-ADOrganizationalUnit cmdlet, change the location to that OU and create your users, groups or sub-OUs as you need to.

Remember: as long as you are in the ForestB: PSDrive, everything you do will be done in the remote forest.

Now isn’t that cool and easy?

But wait, there’s one more possible use to this.

Are you working with your domain admin account all day long? Well, for security reasons you shouldn’t. So you need to start PowerShell with RunAs every time you do some of your administrative magic… What if we try the trick I showed you in your own forest from a non-administrative PowerShell?

Right, this works as well! Try this:

Import-Module activedirectory
 
# No -Server here: the drive binds to the domain you are logged on to,
# but with the credentials you enter at the prompt.
New-PSDrive -Name "AdminAD" -PSProvider ActiveDirectory -root ""`
    -Credential (Get-Credential)
 
cd AdminAD:
 
# Naming context of your own domain (ForestA in this example)
cd "dc=foresta,dc=com"
 
Get-ChildItem

At the prompt for credentials, type in your administrative user and password, and now you have an administrative PSDrive for your domain called AdminAD:.
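As an added example that is not part of the original post, here is a small helper that wraps the New-PSDrive trick for both cases shown above (the remote forest drive ForestB: and the elevated drive AdminAD: for your own domain), checks that the bind actually worked before anything is changed, and removes the elevated drives again when the work is done. The function name New-AdAdminDrive, the server dc1.forestb.com and the OU/user names are assumptions.

```powershell
# Added example, not from the original post: a helper wrapping the New-PSDrive
# trick for both cases above (remote forest and own domain). New-AdAdminDrive,
# dc1.forestb.com and the OU/user names are assumptions.
Import-Module ActiveDirectory

function New-AdAdminDrive {
    param(
        [Parameter(Mandatory)] [string] $Name,  # drive name, e.g. ForestB or AdminAD
        [string] $Server,                       # omit to bind to your current domain
        [PSCredential] $Credential = (Get-Credential -Message 'Admin account for the AD drive')
    )
    # Re-running the script must not fail because the drive already exists.
    if (Get-PSDrive -Name $Name -ErrorAction SilentlyContinue) { Remove-PSDrive -Name $Name -Force }
    $params = @{
        Name = $Name; PSProvider = 'ActiveDirectory'; Root = ''; Credential = $Credential
        Scope = 'Global'   # otherwise the drive vanishes when the function returns
        ErrorAction = 'Stop'
    }
    if ($Server) { $params['Server'] = $Server }
    New-PSDrive @params | Out-Null
    # Prove the bind worked before changing anything: the drive root is the RootDSE,
    # so listing it must return the naming contexts (partitions).
    $partitions = @(Get-ChildItem "$($Name):\" -ErrorAction Stop)
    Write-Verbose ('{0}: bound, {1} partition(s) visible' -f $Name, $partitions.Count)
    return $Name
}

# Case 1 (first snippet): OU and user in the remote forest, idempotently. AD cmdlets
# use the drive's server and credential only while the location is inside the drive.
New-AdAdminDrive -Name ForestB -Server 'dc1.forestb.com' | Out-Null
Push-Location 'ForestB:\dc=forestb,dc=com'
try {
    if (-not (Test-Path 'ForestB:\ou=MyOU,dc=forestb,dc=com')) {
        New-ADOrganizationalUnit -Name 'MyOU' -Path 'dc=forestb,dc=com'
    }
    if (-not (Test-Path 'ForestB:\cn=MyUser,ou=MyOU,dc=forestb,dc=com')) {
        New-ADUser -Name 'MyUser' -Path 'ou=MyOU,dc=forestb,dc=com'
    }
    Get-ChildItem 'ForestB:\ou=MyOU,dc=forestb,dc=com'
} finally {
    Pop-Location   # leave the drive so it can be removed below
}

# Case 2 (second snippet): an elevated drive for your own domain from a normal shell.
New-AdAdminDrive -Name AdminAD | Out-Null
Get-ChildItem 'AdminAD:\'

# Drop the elevated bindings as soon as the work is done.
Remove-PSDrive -Name ForestB, AdminAD -Force
```

Note that the AD cmdlets only inherit the drive's server and credential while your current location is inside that drive; run from C:\ they would silently act on your logon domain instead.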

I think this makes daily work a lot more comfortable!

So go ahead and try but please play around in your test environment first ;-)

powershell/ad/using_powershell_across_domains_and_forests.txt · Last modified: 2017/02/27 09:17 by marcus