
One of the most IRRITATING and FRUSTRATING things I had working in the field was dealing with multiple Domains.

You’d have so many clients with their own Active Directory setups, and each time you’d have to go directly to the Small Business Server to manage it, or try to have a machine dedicated to that purpose. Plus you might have tools you’d want to copy to the server to help in that process.

A real pain in the you know what.

But along came PowerShell and the Quest ActiveRoles Management Shell, and my life changed for the better.

You see, PowerShell can connect to a Domain Controller on its own terms; you just need to authenticate against it once before you do so, which makes things far, far easier.

For example, here we have a small, simple script that lets you connect to a Domain Controller called ‘dc.contoso.local’ and unlock a user account called John.Smith:

——————————————————

# Note: uncomment the line below if you need to add in the Snapin for Quest ActiveRoles
# (Software is installed but not part of the default PowerShell profile)
#
# Add-PSSnapin Quest.ActiveRoles.ADManagement
#
# Popup and get Credentials for the Domain
#
$CREDS = Get-Credential
#
# Connect to Domain Controller dc.contoso.local with
# the provided Credentials
#
Connect-QADService 'dc.contoso.local:389' -Credential $CREDS
#
# Now that you are in the domain, unlock the User
#
Unlock-QADUser john.smith

————————————————————


In truth this is a VERY simple script, but the point you need to understand is that it takes nothing to change the name of the DC to the IP address of a different domain on a different site.

The “GET-CREDENTIAL” commandlet does not know or even CARE about the name of the other domain. All it does is ask you to provide the credentials. These credentials take the standard format of a UPN or the traditional DOMAIN\Username. It packages them into a credential object that the later commandlets can pass along.

When the CONNECT-QADSERVICE commandlet talks to the other domain controller, it hands over those credentials through the -Credential parameter.

Active Directory on THAT domain takes that information, processes it, and either accepts it (because the ID, password and provided Domain are valid) or rejects it. There is no magic to it!

Once you have done this, you are managing THAT domain for as long as that shell is open. Or at least you are as far as the Quest ActiveRoles commandlets are concerned.

Even if your computer is a member of the DOMAIN “ABC.FABRIKAM.COM” and you’re trying to manage the “CONTOSO.LOCAL” domain, it doesn’t matter! You can create, delete, unlock or query the Active Directory for whatever information you need.
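To make the DC-swapping idea from the script above reusable, here is an added example (my own, not from the original post) that wraps the same Quest commandlets in a function. It takes the DC name or IP and the account as parameters, prompts with Get-Credential only if no credential object was passed in, checks whether the account is actually locked before touching it, writes an audit line saying who unlocked whom and where, and supports -WhatIf so you can rehearse the change. The function name, the log path, the sample DC and account names, and the AccountIsLockedOut attribute name on the Quest user object are assumptions for this illustration.

```powershell
# Added example, not part of the original post. Builds on the Quest ActiveRoles
# commandlets the post uses; DC name, account name and log path are constructed.

function Unlock-RemoteDomainUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $DomainController,   # e.g. 'dc.contoso.local' or an IP
        [Parameter(Mandatory = $true)] [string] $UserName,           # sAMAccountName or UPN of the locked account
        [System.Management.Automation.PSCredential] $Credential,     # prompts if omitted
        [string] $LogPath = "$env:TEMP\unlock-audit.log"             # assumed location for the audit trail
    )

    # Load the Quest snap-in only if it is not already in this session
    if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Quest.ActiveRoles.ADManagement
    }

    # Get-Credential does not care which domain the account belongs to;
    # the DC we connect to decides whether DOMAIN\User or user@domain is valid.
    if (-not $Credential) {
        $Credential = Get-Credential -Message "Credentials for $DomainController"
    }

    $service = "${DomainController}:389"
    Connect-QADService -Service $service -Credential $Credential | Out-Null
    try {
        $user = Get-QADUser -Identity $UserName -Service $service
        if (-not $user) { throw "Account '$UserName' not found on $DomainController" }

        # Only unlock accounts that are really locked out (AccountIsLockedOut is assumed here)
        if (-not $user.AccountIsLockedOut) {
            Write-Verbose "$UserName is not locked out on $DomainController; nothing to do."
            return $user
        }

        if ($PSCmdlet.ShouldProcess("$UserName on $DomainController", 'Unlock account')) {
            Unlock-QADUser -Identity $UserName -Service $service | Out-Null
            $after = Get-QADUser -Identity $UserName -Service $service

            # Audit line: who unlocked whom, where, when, and the resulting state
            $line = '{0:u} {1} unlocked {2} on {3} (lockedOut now: {4})' -f `
                (Get-Date), $Credential.UserName, $UserName, $DomainController, $after.AccountIsLockedOut
            Add-Content -Path $LogPath -Value $line
            return $after
        }
    }
    finally {
        # Drop the connection so the shell is not left bound to the other domain
        Disconnect-QADService
    }
}

# Usage (constructed values): rehearse first with -WhatIf, then run for real
# Unlock-RemoteDomainUser -DomainController 'dc.contoso.local' -UserName 'john.smith' -WhatIf
# Unlock-RemoteDomainUser -DomainController '10.0.0.5' -UserName 'john.smith' -Verbose
```

Passing -Service on each Quest commandlet pins every call to the DC you authenticated against, so a stray default connection from earlier in the session cannot be used by mistake, and the finally block makes sure the connection is torn down even if the unlock fails.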


Isn’t it nice when life is simpler?


Sean
The Energized Tech