mbuddd (Copper Contributor)
Sep 21, 2021
Creating an on premise Active Directory Security group
Hello,
This is only for on premise Active Directory.
I would like to do the following:
- Get user credentials
- Identify the domain where the security is to be created
- Get the name of the user group
- Verify if the security group already exists; If not create the group assuming the user has the correct credentials
- Create the security group (in a predetermined ou)
I understand the basics of what has to be done, but I have some questions:
1. How does one connect to a different domain? Does one need to connect to a DC or is there a way to just identify a domain?
2. I use the command $creds = Get-Credential
however, when I use this value in adding the group:
New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators" -Credential $creds
I get an access denied error. If I do not enter Credential=$creds and use the same account that I am logged in to PowerShell with, it works okay. If I use the same account for $Cred, it fails with access denied.
When requesting user credentials is there a way to verify that username and password are valid?
Any suggestions and comments would be greatly appreciated.
Thanks,
Mark
- farismalaeb (Steel Contributor)
- How are you getting the user credentials?!
- Connecting to the domain namespace instead of the domain controller depends on DNS name resolution. So if it's working correctly, you should be able to connect to the destination domain, as in the end it will point to a DC, but again it depends on the configuration.
- For the error message, you might need to post the full error so we can read it. It might be a protocol authentication issue, rather than an incorrect username and/or password.
- To test the username and password, try the following post: https://itpro-tips.com/2019/test-ad-authentication-via-powershell/
- mbuddd (Copper Contributor)
How does one connect to a domain with the domain namespace? Could you please provide an example with PowerShell code?
I use the command:
$credentials = Get-Credential
PS C:\temp> $credentials
UserName Password
-------- --------
my-lab.net\mbtest System.Security.SecureString
PS C:\temp> New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup -GroupCategory Security -GroupScope Global -DisplayName $ADSecurityGroup -Path $orgUnit -Credential $Credentials
Error:
New-ADGroup : Access is denied
At line:1 char:1
+ New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (CN=etest,OU=CRA...=cldsvcs,DC=net:String) [New-ADGroup], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADGroup
- farismalaeb (Steel Contributor)
Multiple factors can be the cause, but try this:
New-ADGroup -Name "TestGroup" -SamAccountName "TestGroup" -GroupCategory Security -GroupScope Global -DisplayName "TestGroup" -Credential $cred -Server 10.6.10.10 -AuthType Negotiate
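
The steps asked about in this thread (validate the credential, target another domain by its DNS name, check whether the group exists, then create it) can be put together as follows. This is an added example, not code from any participant in the thread; the function name, the OU path and the group name in the sample call are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function New-ADSecurityGroupIfMissing {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Domain,          # DNS name of the target domain
        # Restrict the name so it is safe to embed in the -Filter string below.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9 ._-]+$')] [string] $GroupName,
        [Parameter(Mandatory)] [string] $OrgUnit,         # DN of the predetermined OU
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # 1. Check the username/password against the target domain before using them.
    #    A rejected attempt counts as a failed logon for that account.
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        $net = $Credential.GetNetworkCredential()   # splits DOMAIN\user into parts
        if (-not $ctx.ValidateCredentials($net.UserName, $net.Password)) {
            throw "Credentials for '$($Credential.UserName)' were rejected by $Domain."
        }
    } finally { $ctx.Dispose() }

    # 2. -Server accepts a domain DNS name; a DC for that domain is located for you.
    $common = @{ Server = $Domain; Credential = $Credential; ErrorAction = 'Stop' }

    # 3. -Filter returns nothing (rather than an error) when no group matches.
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'" @common
    if ($existing) {
        Write-Verbose "Group already exists: $($existing.DistinguishedName)"
        return $existing
    }

    # 4. Create the group in the OU and report an access-denied failure clearly.
    try {
        New-ADGroup -Name $GroupName -SamAccountName $GroupName -DisplayName $GroupName `
            -GroupCategory Security -GroupScope Global -Path $OrgUnit -PassThru @common
    } catch [System.UnauthorizedAccessException] {
        throw "Access denied creating '$GroupName' in $OrgUnit as '$($Credential.UserName)' via $Domain."
    }
}

# Sample call (placeholder values):
# New-ADSecurityGroupIfMissing -Domain 'my-lab.net' -GroupName 'TestGroup' `
#     -OrgUnit 'OU=Groups,DC=my-lab,DC=net' -Credential (Get-Credential) -Verbose
```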