Forum Discussion

mbuddd
Copper Contributor
Sep 21, 2021

Creating an on-premises Active Directory security group

Hello,

 

This is only for on-premises Active Directory.

 

I would like to do the following:

Get user credentials

Identify the domain where the security group is to be created

Get the name of the user group

Verify whether the security group already exists; if not, create the group, assuming the user has the correct credentials

Create the security group (in a predetermined OU)

I understand the basics of what has to be done, but I have some questions:

 

1. How does one connect to a different domain? Does one need to connect to a DC, or is there a way to just identify a domain?

2. I use the command $creds = Get-Credential

  however, when I use this value in adding the group:

New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators" -Credential $creds

 

I get an access denied error. If I do not enter -Credential $creds and use the same account that I am logged in to PowerShell with, it works okay. If I use the same account for $creds, it fails with access denied.

 

When requesting user credentials, is there a way to verify that the username and password are valid?

 

Any suggestions and comments would be greatly appreciated.

 

Thanks,

 

Mark
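An end-to-end version of the five steps listed in the post above, added here as an example rather than code from the original post. It assumes the target domain `my-lab.net`, the group name `RODCAdmins` and the OU `OU=Groups,DC=my-lab,DC=net` as placeholders (only the domain and group name come from the thread; the OU is invented), an RSAT `ActiveDirectory` module on the workstation, and that a DC of the target domain is reachable over ADWS (TCP 9389). Credential validation is done with `PrincipalContext.ValidateCredentials` from `System.DirectoryServices.AccountManagement`, which is one way to do it and is not necessarily the method the linked post uses.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Assumptions: the domain name,
# group name and OU DN below are placeholders; the machine can reach a DC of the
# target domain over ADWS (TCP 9389) and has the RSAT ActiveDirectory module.
param(
    [string]$DomainName = 'my-lab.net',                     # assumption: domain from the thread
    [string]$GroupName  = 'RODCAdmins',                     # group sAMAccountName from the thread
    [string]$TargetOU   = 'OU=Groups,DC=my-lab,DC=net'      # assumption: the predetermined OU
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Step 1: get the credential. Get-Credential never contacts AD; it only builds a
# PSCredential, so a wrong password is not detected at this point.
$cred = Get-Credential -Message "Account allowed to create groups in $DomainName"

# Step 2: check the username/password against the target domain before doing
# anything else. Every call is a real logon attempt and a wrong password counts
# towards the lockout threshold, so call it once; do not retry in a loop.
function Test-ADCredential {
    param([string]$Domain, [pscredential]$Credential)
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList Domain, $Domain
    try {
        # Negotiate (Kerberos/NTLM) rather than SimpleBind, which would send the
        # password in clear unless the connection is LDAPS.
        # UserName may be 'DOMAIN\user' or a UPN; both are accepted.
        return $ctx.ValidateCredentials(
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
    } finally {
        $ctx.Dispose()
    }
}
if (-not (Test-ADCredential -Domain $DomainName -Credential $cred)) {
    throw "Credentials for $($cred.UserName) were rejected by $DomainName"
}

# Step 3: turn the domain name into a DC to talk to. The AD cmdlets default to a
# DC of the logon domain; when the group lives elsewhere, pair -Credential with
# -Server so the call goes to the right domain. DNS must resolve the target
# domain (the locator uses the _ldap._tcp.<domain> SRV records).
$dc     = Get-ADDomainController -Discover -DomainName $DomainName -Service ADWS
$server = [string]$dc.HostName[0]
Write-Host "Using $server for $DomainName"

# Step 4: does the group already exist? -Filter returns nothing (no error) when
# there is no match. A name containing a single quote would break the filter
# string, so reject it rather than interpolate it.
if ($GroupName -match "'") { throw 'Group name must not contain a single quote' }
$existing = Get-ADGroup -Server $server -Credential $cred -ErrorAction Stop `
    -Filter "SamAccountName -eq '$GroupName'"
if ($existing) {
    Write-Host "Group already exists: $($existing.DistinguishedName)"
    return
}

# Step 5: create it in the predetermined OU. Valid credentials do not imply the
# right to create children there, so an UnauthorizedAccessException here is an
# ACL problem on $TargetOU, not a password problem.
try {
    $new = New-ADGroup -Server $server -Credential $cred -Name $GroupName `
        -SamAccountName $GroupName -GroupCategory Security -GroupScope Global `
        -DisplayName $GroupName -Path $TargetOU -PassThru -ErrorAction Stop
    Write-Host "Created $($new.DistinguishedName)"
} catch [System.UnauthorizedAccessException] {
    throw "Authenticated as $($cred.UserName) but not allowed to create groups in $TargetOU: $($_.Exception.Message)"
}
```

The split between step 2 and step 5 is the point: "Access is denied" from New-ADGroup can come from an account whose password is perfectly valid but that lacks Create Child (group) on the OU, and this script tells the two cases apart instead of reporting both as a credential problem.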

 

 

 

    farismalaeb
    Steel Contributor

    mbuddd 

    - How are you getting the user credentials?

    - Connecting to the domain namespace instead of a domain controller depends on DNS name resolution. So if that is working correctly, you should be able to connect to the destination domain, since in the end it will point to a DC, but again it depends on the configuration.

    - For the error message, you might need to post the full error so we can read it; it might be a protocol authentication issue rather than an incorrect username and/or password.
    - To test the username and password, try the following post:

    https://itpro-tips.com/2019/test-ad-authentication-via-powershell/

     

      mbuddd
      Copper Contributor
      How does one connect to a domain with the domain namespace? Could you please provide an example with PowerShell code?
      I use the command:
      $credentials = Get-Credential
      PS C:\temp> $credentials


      UserName Password
      -------- --------
      my-lab.net\mbtest System.Security.SecureString

      PS C:\temp> New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup -GroupCategory Security -GroupScope Global -DisplayName $ADSecurityGroup -Path $orgUnit -Credential $Credentials

      Error:

      New-ADGroup : Access is denied
      At line:1 char:1
      + New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup - ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : PermissionDenied: (CN=etest,OU=CRA...=cldsvcs,DC=net:String) [New-ADGroup], UnauthorizedAccessException
      + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADGroup
        farismalaeb
        Steel Contributor

        mbuddd 

        Multiple factors can be the cause, but try this:

        New-ADGroup -Name "TestGroup" -SamAccountName "TestGroup" -GroupCategory Security -GroupScope Global -DisplayName "TestGroup" -Credential $cred -Server 10.6.10.10 -AuthType Negotiate
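When the bind to the explicit DC succeeds and New-ADGroup still says "Access is denied", the remaining question is whether the account has Create Child rights for group objects on the target OU. The following diagnostic is an added example, not code from any post in this thread. It assumes the DC address `10.6.10.10` from the reply above, an invented OU `OU=Groups,DC=my-lab,DC=net`, and the same credential that received the error; it reads the OU's ACL through a second `ActiveDirectory` provider drive bound to that DC and reports which allow ACEs would let this account (or one of its direct groups) create group objects there.

```powershell
#Requires -Modules ActiveDirectory
# Added diagnostic, not from the thread. Assumptions: the DC address and the OU
# DN below are placeholders (10.6.10.10 comes from the reply above); the
# credential is the one that got "Access is denied" from New-ADGroup.
param(
    [string]$Server   = '10.6.10.10',                           # assumption: a DC of the target domain
    [string]$TargetOU = 'OU=Groups,DC=my-lab,DC=net',           # assumption: the predetermined OU
    [pscredential]$Credential = (Get-Credential -Message 'Account that received Access is denied')
)
Import-Module ActiveDirectory

# schemaIDGUID of the 'group' object class; an ACE scoped to this GUID grants
# creation of group objects only. Guid.Empty in an ACE means "any child class".
$GroupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$CreateChild    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Step 1: can this credential bind at all? Reading the domain object needs no
# special permission, so a failure here is authentication or transport, not an
# ACL. With an IP address in -Server there is no Kerberos SPN, so the bind will
# be NTLM; use the DC's FQDN if you want Kerberos.
try {
    $domain = Get-ADDomain -Server $Server -Credential $Credential -AuthType Negotiate -ErrorAction Stop
    Write-Host "Bound to $($domain.DNSRoot) via $Server as $($Credential.UserName)"
} catch {
    throw "Bind failed before any ACL was evaluated: $($_.Exception.Message)"
}

# Step 2: resolve the account and its direct group memberships (nesting is not
# expanded here). Accept either DOMAIN\user or a UPN from Get-Credential.
$userPart = $Credential.GetNetworkCredential().UserName
$account  = Get-ADUser -Server $Server -Credential $Credential `
    -Filter "SamAccountName -eq '$userPart' -or UserPrincipalName -eq '$userPart'"
if (-not $account) { throw "Account '$userPart' not found in $($domain.DNSRoot)" }
$memberSids = @($account.SID.Value, 'S-1-5-11', 'S-1-1-0') +   # self, Authenticated Users, Everyone
    @(Get-ADPrincipalGroupMembership -Server $Server -Credential $Credential -Identity $account |
      ForEach-Object { $_.SID.Value })

# Step 3: read the OU's ACL through an AD: drive bound to the same DC with the
# same credential (the default AD: drive points at the logon domain).
New-PSDrive -Name TargetAD -PSProvider ActiveDirectory -Root '' -Server $Server `
    -Credential $Credential -Scope Script | Out-Null
$acl = Get-Acl -Path "TargetAD:\$TargetOU"

# Keep Allow ACEs that carry CreateChild (GenericAll includes that bit) and are
# either unscoped or scoped to the group class. Deny ACEs are not evaluated.
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $CreateChild) -ne 0) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $GroupClassGuid)
}

# Step 4: report which of those ACEs apply to this account or its groups.
# IdentityReference is usually DOMAIN\Name; translate it to a SID to compare.
# Translation uses the local LSA, so a trustee from an untrusted domain may
# fail to resolve and is then shown with AppliesToYou = False.
$grants | ForEach-Object {
    $ace = $_
    $sid = $null
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
    [pscustomobject]@{
        Identity     = $ace.IdentityReference.Value
        Rights       = $ace.ActiveDirectoryRights
        Scope        = if ($ace.ObjectType -eq $GroupClassGuid) { 'group objects' } else { 'all child objects' }
        Inherited    = $ace.IsInherited
        AppliesToYou = ($null -ne $sid) -and ($memberSids -contains $sid)
    }
} | Format-Table -AutoSize
```

If step 1 throws, the problem is in front of the ACL (wrong password, NTLM blocked, ADWS unreachable); if step 1 succeeds and no row shows AppliesToYou = True, the account simply has no Create Child (group) grant on that OU, and delegating that right on the OU is the fix rather than anything in the PowerShell command.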
