Grant permissions to user accounts from different domains

Running a PowerShell script from hosts in Domain_A, I need to grant rights to user objects located in Domain_B with a one-way trust in place. Going through the process manually, I will get prompted for credentials that can query Domain_B.
How would I go about automating the authentication in PowerShell? The actual commands that run need to be executed by a privileged account in Domain_A; it's only the querying of objects in Domain_B that requires a valid Domain_B credential.

Are you doing a domain migration? 
Are you leveraging the Get-Acl / Set-Acl cmdlets?
What I would do is create a script that uses the Get-Acl and Set-Acl cmdlets...
I would then launch that using:
# "PlainTextPassword" and "username" are placeholders for the account the script should run as.
$secpasswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd)
# Start a new PowerShell process under those credentials and run the ACL script in it.
Start-Process "powershell" -ArgumentList "-file c:\path_to_Script.ps1" -Credential $mycreds
There are a ton of ways to do this, but I figure I'd give one of many ways to roll with it.
Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: http://amzn.to/1BnjOmo | Mastering PowerShell Coming in April 2015!
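
An alternative to embedding the Domain_B password in the script, as an added example that is not part of the original thread: the Domain_B credential is stored once with Export-Clixml and used only for the Get-ADUser lookup, while Set-Acl runs under the Domain_A identity that launched the script. The function name, parameter names, paths and server name are hypothetical, and the example assumes the ActiveDirectory module is installed and that the rights being granted are file-system ACLs.

```powershell
#Requires -Modules ActiveDirectory
# Added example; Grant-DomainBUserAccess and all sample values below are hypothetical.

# One-time setup, run interactively AS the Domain_A account that will run the script:
#   Get-Credential -Message 'Domain_B lookup account' |
#       Export-Clixml -Path 'C:\Secure\domainB-lookup.xml'
# On Windows, Export-Clixml encrypts the password with DPAPI, so the file can only
# be decrypted by that same user on that same computer.

function Grant-DomainBUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # user in Domain_B
        [Parameter(Mandatory)] [string] $Path,             # resource in Domain_A
        [Parameter(Mandatory)] [string] $DomainBServer,    # Domain_B DC or DNS name
        [Parameter(Mandatory)] [string] $CredentialFile,   # file created above
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute'
    )

    if (-not (Test-Path -LiteralPath $CredentialFile)) {
        throw "Credential file '$CredentialFile' not found; run the one-time setup first."
    }
    $domainBCred = Import-Clixml -Path $CredentialFile

    # Only this lookup uses the Domain_B credential.
    $user = Get-ADUser -Identity $SamAccountName -Server $DomainBServer `
                       -Credential $domainBCred -ErrorAction Stop

    # Build the rule from the SID so the ACL change itself needs no Domain_B query.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $user.SID, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    } else {
        # A file has no children, so the rule carries no inheritance flags.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $user.SID, $Rights, 'Allow')
    }

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $($user.DistinguishedName)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Example call (constructed values); -WhatIf shows the change without applying it:
# Grant-DomainBUserAccess -SamAccountName 'jdoe' -Path 'D:\Shares\Projects' `
#     -DomainBServer 'dc01.domain-b.example' `
#     -CredentialFile 'C:\Secure\domainB-lookup.xml' -WhatIf
```

The Domain_B account stored this way only needs read access to the directory, and the credential file should sit in a folder whose ACL is limited to the Domain_A account that runs the script.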

Similar Messages

  • Mapping users coming from different domain in AD

    HI,
    We have configured vintela SSO which is working. Now we are trying to add another domain but it has been unsuccessful.
    We have imported the users coming from other domain in CMC->AD, and UseFDQNDirectoryForServers parameter in registry.
    The issue is our complex krb5.ini errors as "cannot find kdc for realm" for the user account coming from the other domain. The existing domain kinit is successful.
    Please help in resolving this issue! We need to have users coming from different domain to use vintela SSO.
    Thank you.

    Well, you're mixing things up a bit.
    The usefqdnfordirectoryservers is used to map in groups. If the groups show up as well as the users, that piece should be complete.
    The krb5.ini is for logging in users manually; it must contain the KDC for every domain that may contain users that need to log into BO. It also must have a KDC or capath entry to define all the parent domains as well (even if they do not have members that need to log in). This is how the krb5 is used to verify transitive trusts. Then all users that are not in the default domain must log on as username@DNSDOMAIN.COM, where the DNS domain is entered in all caps and represents the FQDN of the domain the users belong to. Now if not logging in manually this should be a big problem.
    So for SSO (vintela anyway) this process is automatic, although you may want to configure vintela with site information so it doesn't randomly use all your DCs. Site can be set following the steps at the end of business objects note 1261835 (complete and vintela only editions).
    In order for vintela to work properly, the value entered in CMC > Authentication > Windows AD > service principal name must = an SPN that was created on the account that is running the SIA/CMS.
    Regards,
    Tim

  • How to grant access to sharepoint for the user from different Domain

    Hi All,
    I need to grant access to a user from a different domain,
    where I am able to view the users in people picker (different domain).
    Thanks in advance.
    Raj

    Hi Trevor Seward,
    Sorry to disturb you again.
    I am trying to restrict users from being searched from the other domain. Say we have Domain A and Domain B, where I am trying to restrict all the users from Domain B (search users) for a site collection. I have found a couple of stsadm commands to do so, but none of them works. Below are the commands I have tried:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(canonicalName=<Name>.domain*)" -url "Site URL"
    We have a two-way trust.
    Can you suggest any solution?
    Thanks
    Raj

  • Forms Authentication Error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed

    I created a custom security extension following the steps listed in the Readme_Security Extension Sample. It works fine if I log in as the user that is specified in the AdminConfiguration section of the rsreportserver.config file, but if I log in as another user, I get this error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. I've added the user to both System Administrator and System User roles to try to get it to work but still no luck.
    Does anyone know how to fix this?
    Thanks.

    Hi MetronM,
    The issue is due to the user having no permission to access the report server. In report manager, Reporting Services includes predefined roles that we can assign to users and groups to provide immediate access to a report server. Each role defines a collection of related tasks.
    You can refer to the following steps to assign the corresponding role to the user.
    Open report manager.
    Click “Folder Setting” button.
    Click “New Role Assignment” icon.
    Type the user name and select the corresponding role.
    There is an article about Granting Permissions on a Native Mode Report Server, you can refer to it.
    http://technet.microsoft.com/en-us/library/ms156014.aspx
    Regards,
    Alisa Tang
    TechNet Community Support

  • Ssrs security access for users on a different domain

    Hi
    We are using ssrs 2008 r2 and have added a new domain to our network as we are working with another company.
    Our original domain was say "DomainA" which can access all our reports, how do we give access to the new domain "DomainB" access to our reports?
    We are unable to add DomainB users to our AD security groups so I have created a windows groups called SSRS_DomainB_Users and given them access to our parent folder and also added them into site settings as a system user.
    What is the best way to deal with this?
    Users in DomainB will eventually be added to DomainA and DomainB will then be deleted.
    One of the users I am testing with gets an error message :
    User 'Domain name/user' does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
    Thanks

    Hi Nasa1999,
    According to your description, you want your reports to be accessible by users from a different domain. Right?
    In this scenario, we should do Internet Deployment for your reports so that users from a different domain can access the reports. Please see the articles below:
    Planning for Extranet or Internet Deployment
    Using Reporting Services in an Internet/Extranet Environment
    SQL Server 2008 Reporting Services for Internet deployment
    Reference:
    SSRS reports global access
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou

  • Restore Filevault enabled user account from Timecapsule?

    My iMac running Snow Leopard crashed but was backed up to my Time Capsule.
    The guy at the Apple store just erased & re-loaded the OS and said my Time Capsule was still intact after the crash.
    I tried using Migration Assistant at home to re-load my Mac as it was before the crash from Time Capsule but it says I cannot transfer my user account because it was encrypted with FileVault???
    PLEASE HELP! My entire life is on this computer and the ONLY reason I got a Time Capsule with the new iMac was so I could restore everything with one click after a crash!
    (As a side note, my 5 1/2 year old MacBook running OS X Lion crashed with the latest update and subsequently its hard drive died at the same time! So I'm completely screwed if I can't restore my user account from Time Capsule.)
    HELP!!!

    KingaMLK wrote:
    I tried repairing disk permissions, repairing disk
    But did you repair your backups?
    That's a different thing.  If they're corrupted, it could explain the problem you're having; if we can repair them, the full system restore may work.
    The difficulty here is, you can repair an internal or external HD by starting from your Snow Leopard Install disc and using Disk Utility.  But to repair the sparse bundle on a Time Capsule, you must be able to log on to your Mac with a (any) user account, and locate the sparse bundle via the Finder to mount it first.
    Since you apparently have a restore attempt running now, don't interrupt it.
    But if it doesn't work, or you can't find all your data, and if you can log on to your Mac with any account, try repairing the backups per #A5 in Time Machine - Troubleshooting.

  • How to copy a user account from one Mac to another

    If I have a main user (admin) account on one Mac, and want to copy its Home Folder over to another Mac that already has user accounts on it, what is the best way to do it?
    For example, if I boot the source Mac in Target Disk Mode then connect it to the other Mac, can I just drag and drop from its Users folder into the Users folder on the other Mac? And would that then appear in SysPref/Accounts, complete with names and passwords etc, or is it not that simple?
    (Actually, I just checked by launching Migration Assistant, and it seems to indicate I can use it to copy User Accounts from a different Mac - is this all I need? How would I connect the two Macs for this to work?)

    Slightly confusing, that article - it talks about using Migration Assistant in Lion or Mountain Lion, but in my case both computers have used Snow Leopard. Does it still apply?
    (One other observation - don't you find it confusing the way Apple defines "Target Disk Mode"? It's pretty much always the case that a computer booted in this way becomes the Source computer, while the Target computer is the one it's connected to!!)

  • Restoring user accounts from system install backup directory

    Hi,
    I had some kind of disk problem that forced me to reload Tiger. When Tiger installed it backed up all of the user directories. After the new install booted up I cannot figure out how to restore all of my user accounts from this backup directory. Maybe I am making it too hard (ex PC user). The migration utility only wants to restore off a Mac or different volume. Any suggestions?
    Thanks
    imac g4 800   Mac OS X (10.4.6)  

    If you did an Archive & Install, then you should have selected the saving user and network settings. Otherwise, everything was put into the Previous System folder. IIRC, you need to recreate the users, using the exact same username and password combinations. Then, log into each account, open the corresponding folder within the Previous System/Users/ directory and transfer everything from the old account to current account.

  • How to migrate AD users with two different Domain.

    Hi 
    I want to test in a lab. I have installed Win 2008 Server on Comp1 with domain name xyz.com and IP 192.168.1.1, and I have installed Win 2008 on Comp2 with domain name abc.com and IP 192.168.1.100, and I have created a trust relationship between them.
    Now I want to migrate AD user accounts from xyz.com to abc.com.
    How will we do it?
    Pls help...
    Thanks
    Anil

    Hi Anil,
    After configuring trust, you can use ADMT to migrate users, computers etc between domains.
    To export the password of AD user accounts from xyz.com to abc.com, you need to install Password Export Server (PES) on the source domain (xyz.com).
    Check out the below link on ADMT and PES installation:
    http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
    Check out the below link on AD user account migration:
    http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx
    Regards,
    Gopi
    www.jijitechnologies.com

  • Create user account in Child Domain

    Dear all.
    Kindly, I have a forest containing two domains: a root domain and a child domain.
    In the child domain I can create a user account using the root domain.
    I want to stop this. I want the IT Department there to create users for their domain only.
    thanks
    Ashraf Hilal

    Hi Ashraf,
    Your query is not clear. Do you want to restrict enterprise administrators from creating user accounts in child domain?
    By default, Enterprise Admins group is part of Builtin Administrators group in the child domain.
    When child domain is introduced, by default Enterprise Admins group is added to Child Domain\Administrators group (Builtin local Security group).
    How to Restrict Enterprise Admins From Child Domain
    http://social.technet.microsoft.com/wiki/contents/articles/16919.how-to-restrict-enterprise-admins-from-child-domain.aspx
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/a72dc036-3375-4124-9ef7-d30af104451a/enterprise-administrator-and-child-domain?forum=winserverDS
    Regards,
    Rafic

  • Hi can someone tell me if it is possible to have two accounts (from different countries) in the same laptop?

    Hi can someone tell me if it is possible to have two accounts (from different countries) in the same laptop?

    Hi...
    The issue is that your credit or debit card credentials must be associated with the same country where you reside to make purchases.
    "Although you can browse the iTunes Store in any country without being signed in, you can only purchase content from the iTunes Store for your own country. This is enforced via the billing address associated with your credit card or other payment method that you use with the iTunes Store, rather than your actual geographic location."
    From here >  The Complete Guide to Using the iTunes Store | iLounge Article
    Billing policy is the same for both the iTunes as well as Mac App Stores.

  • A virtual machine can't authenticate accounts from a domain

    Hello,
    I have a Windows Server 2012 R2 Standard server with Hyper-V, where there is a VM. Hyper-V Manager 6.3.9600.16384 is used.
    The VM was created and at that time it was able to authenticate accounts from another domain. The VM is in one domain, say Domain A, and the VM and applications on the VM were able to use accounts in another domain, say Domain B. Domain A and Domain B had a trusted relationship and all was working great on the VM and other servers in Domain A.
    Then, the trusted relationship was broken. The applications and the VM still worked, but you could not add and use accounts in Domain B. Applications using accounts in Domain B could not be authenticated either.
    Then, recently we fixed the broken relationship between the two domains. However, on the VM, accounts from Domain B could not be added to applications and could not be authenticated nor used, even though other servers in Domain A had accounts from Domain B working again.
    What can be done to get the VM to recognize accounts in Domain B, now that the trusted relationship is working again between the two domains?
    Paul

    Hi Paul,
    Please try to re-join the VM to Domain A, then test again.
    Also, you can use the methods mentioned in the following article to rebuild the secure channel:
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/02/use-powershell-to-reset-the-secure-channel-on-a-desktop.aspx
    Best Regards,
    Elton Ji

  • Copy a user account from one disk to another

    I replaced the hard drive in my G5 imac, and for one reason or another, using restore failed to create a bootable disk. Instead, I reinstalled Leopard. I would like to copy the old user account from the old hard drive so I can seamlessly continue using my computer. I created a secondary account on the new drive with the same name as the old one, and then copied the contents, but that didn't work very well.
    Can you advise how to restore the account from an old disk for use on a new one?

    Well, the desktop picture was generic, opening firefox gave me the error along the lines of "cannot open firefox, firefox is already open." Trying to download a new firefox tells me that there's no room on the disk. That's about where I stopped. Pretty much everything isn't working right.

  • Displaying image from different domain in an applet

    Can anybody tell how to load & display an image from a different domain? The image is being generated dynamically on that server so I cannot save it.

    You should sign your applet to be able to do it.
    Isn't that normally only necessary for security-relevant procedures, like locally reading and writing (saving) files? (So, is that also true (sec. rel.) for "downloading" from a "different domain" (URL)?)
    Yes, it is a security violation. Maybe arguably not as bad as local file system access, but it could still be a problem. The main problem would be turning an unsigned applet (therefore from an unknown source) into a DOS application which starts pounding on all sorts of other servers, including the local host.
    As to the problem, you could have a servlet on your host which gets the image from the other host for you. The servlet could be very generic with the applet passing all the info needed to get the file for it.

  • Create Oracle USER Account from Third Party System

    Hi there
    We have a requirement to create an Oracle USER account through a third-party system.
    How can we achieve this?
    I know Oracle provides the FND_USER_PKG.CREATEUSER API to create a user.
    Is there any special thing we have to do to create Oracle USER from another system?
    Thanks
    ASIM

    Hi,
    Is there any special thing we have to do to create Oracle USER from another system?
    I believe you need to check the third party manual or contact the vendor for other considerations when creating user accounts from this system.
    For FND_USER_PKG, please see the links referenced in this thread.
    change password of EBS user
    Re: change password of EBS user
    Regards,
    Hussein
