Creating an on premise Active Directory Security group


Hello,

 

This is only for on premise Active Directory.

 

I would like to do the following:

Get user credentials

Identify the domain where the security is to be created

Get the name of the user group

Verify if the security group already exists; If not create the group assuming the user has the correct credentials

Create the security group (in a predetermined ou)

I understand the basics of what has to be done, but I have some questions:

 

1. How does one connect to a different domain? Does one need to connect to a DC, or is there a way to just identify a domain?

2. I use the command $creds = Get-credential

  however, when I use this value in adding the group:

New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators" -Credential $creds

 

I get an access denied error. If I do not enter -Credential $creds and use the same account that I am logged in to PowerShell with, it works okay. If I use the same account for $creds, it fails with access denied.

 

When requesting user credentials is there a way to verify that username and password are valid?

 

Any suggestions and comments would be greatly appreciated.

 

Thanks,

 

Mark


3 Replies

@mbuddd 

- How are you getting the user credentials ?!

- Connecting to the domain namespace instead of a domain controller depends on DNS name resolution. So if it's working correctly, you should be able to connect to the destination domain, as in the end it will point to a DC, but again it depends on the configuration.

- For the error message, you might need to post the full error so we can read it; it might be a protocol authentication issue rather than an incorrect username and/or password.
- To test the username and password try the following post

https://itpro-tips.com/2019/test-ad-authentication-via-powershell/

 

How does one connect to domain with domain namespace? Could you please provide an example with powershell code?
I use the command:
$credentials = Get-Credential
PS C:\temp> $credentials


UserName Password
-------- --------
my-lab.net\mbtest System.Security.SecureString

PS C:\temp> New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup -GroupCategory Security -GroupScope Global -DisplayName $ADSecurityGroup -Path $orgUnit -Credential $Credentials

Error:

New-ADGroup : Access is denied
At line:1 char:1
+ New-ADGroup -Name $ADSecurityGroup -SamAccountName $ADSecurityGroup - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (CN=etest,OU=CRA...=cldsvcs,DC=net:String) [New-ADGroup], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

@mbuddd 

Multiple factors can be the cause, but try this:

New-ADGroup -Name "TestGroup" -SamAccountName "TestGroup" -GroupCategory Security -GroupScope Global -DisplayName "TestGroup" -Credential $cred -Server 10.6.10.10 -AuthType Negotiate
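Putting the steps from the original question and the two replies together (discover a DC from the domain name, check that the credentials authenticate, check whether the group already exists, then create it in the predetermined OU) as an added example. This is my own code, not anything posted in the thread. The domain name, OU path and group name are placeholders; the credential check uses Get-ADDomain with the supplied -Credential rather than pulling the password out of the PSCredential, which is my choice, and every call is pinned to the discovered DC with -Server so lookup and creation hit the same replica.

```powershell
# Added example, not from the thread: create an on-premises AD security group in a
# given domain and OU with explicit credentials, after checking the credentials,
# the OU and whether the group is already there.
# Placeholders: DomainName, OrgUnit and GroupName below must be replaced.
#Requires -Modules ActiveDirectory

[CmdletBinding()]
param(
    [string]$DomainName = 'my-lab.net',                   # placeholder: target domain (DNS name)
    [string]$OrgUnit    = 'OU=Groups,DC=my-lab,DC=net',   # placeholder: predetermined OU
    [string]$GroupName  = 'TestGroup',                    # placeholder: group to create
    [System.Management.Automation.PSCredential]$Credential =
        (Get-Credential -Message "Account with rights to create groups in $DomainName")
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Identify the domain: DC locator finds a writable DC from the DNS domain
#    name, so no IP address has to be hard-coded. (-Discover does not take
#    -Credential; it only uses DNS/locator, not an LDAP bind.)
$dc = (Get-ADDomainController -DomainName $DomainName -Discover -Writable).HostName[0]
Write-Verbose "Using domain controller $dc"

# 2. Verify the supplied username/password against that domain. A bad password
#    fails here with an authentication error, which is a different failure from
#    the 'Access is denied' returned when the account binds fine but lacks
#    rights on the target OU.
try {
    $null = Get-ADDomain -Server $dc -Credential $Credential -ErrorAction Stop
}
catch {
    throw "Credentials for '$($Credential.UserName)' were rejected by $dc : $($_.Exception.Message)"
}

# 3. Verify the OU exists; a wrong -Path otherwise surfaces as a confusing error
#    from New-ADGroup.
try {
    $null = Get-ADOrganizationalUnit -Identity $OrgUnit -Server $dc -Credential $Credential -ErrorAction Stop
}
catch {
    throw "OU '$OrgUnit' was not found in $DomainName (or the account cannot read it)."
}

# 4. Does the group already exist? -Filter returns nothing instead of throwing
#    when there is no match, so no try/catch is needed for the not-found case.
$existing = Get-ADGroup -Server $dc -Credential $Credential -Filter "SamAccountName -eq '$GroupName'"
if ($existing) {
    Write-Warning "Group '$GroupName' already exists at $($existing.DistinguishedName); nothing to do."
    return $existing
}

# 5. Create the security group in the predetermined OU, under the same DC and
#    credentials used for the checks above. -PassThru returns the new object.
$group = New-ADGroup -Server $dc -Credential $Credential -Path $OrgUnit `
    -Name $GroupName -SamAccountName $GroupName -DisplayName $GroupName `
    -GroupCategory Security -GroupScope Global -PassThru
Write-Host "Created $($group.DistinguishedName)"
$group
```

Run it as `.\New-LabGroup.ps1 -DomainName my-lab.net -OrgUnit 'OU=Groups,DC=my-lab,DC=net' -GroupName TestGroup -Verbose` (script name is a placeholder). If step 2 succeeds and step 5 still returns "Access is denied", the password is fine and the problem is delegation on the OU for the account in $Credential, which matches the distinction the first reply draws between authentication failures and permission failures.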