Hi Chad,

Yes we have three different Active Directory Domains as mentioned.

Now i understand that i need to have a mid-server installed in each domain so that mid-server can communicate with the AD Server for that domain (I just learnt from my AD guy that we can also communicate from one domain to others if the security team will be ready to open firewall ports for us).

I just ran a simple Powershell code:

Import-Module ActiveDirectory

Get-AdGroup -identity "test135" | Add-ADGroupMember -Members "XYZ123" —Server "abc.defq.pqert.net"   -Confirm:$false

it gives me the following error

Cannot find an object with identity: 'test135' under: 'DC=abcnet,DC=pqert,DC=net'.Stack Trace:       at Microsoft.ActiveDirectory.Management.Commands.ADFactoryUtil.GetObjectFromIdentitySearcher(ADObjectSearcher searcher, ADEntity identityObj, String searchRoot, AttributeSetRequest attrs, CmdletSessionInfo cmdletSessionInfo, String[]& warningMessages)at Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection`1 propertiesToFetch, Boolean showDeleted)at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ProcessRecordOverride()at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase.ProcessRecord()

But if i run the same command from the command prompt from the server as below it gives the desired result in command prompt

Get-ADGroup -identity test135 -Properties * -Server abc.defq.pqert.net -Credential $User

I think that i need to pass credential(like in above manually run PS script) to make the command run as a user from the AD server instead. How to achieve that ?

Is it something that i have to under Orchestration-->Credentials ? or pass a parameter in the powershell activity command script ?

Thanks,

Ishan Parikh

Further updates during the day

I tried with below PS code in my mid server from PS module and it is working as expected:

Import-Module ActiveDirectory

$User = Get-Credential -Credential 'Domain\UserName'   (The only glitch here is that i have to enter password while executing so a manual intervention)

Get-AdGroup -identity "test135" | Add-ADGroupMember -Members "testaccount" —Server "servername.domain.xyz.net" -Credential $User -Confirm:$false

Now if i run the same code via Run PowerShell activity it is taking like 5minutes to run through the activity and it is given result as success but with NO DATA BUS OUTPUT, basically it is not performing the action as well. I figured out that we need a manual intervention while running the above code so that is where the problem is.

Can you help me how to setup a credential for a service account for the AD server that i am trying to hit via powershell script or via credential properties under orchestration ? Or any other suggestion from your experience.

I feel like i am ready with the code and powershell command but i am just missing the authentication layer which is not executing it from orchestration workflow.

Thanks,

Ishan Parikh

Hi chadlockwood,

Thanks for replying.

1) I have a $Account on my mid server which runs the powershell command and that $Account is not having access to add or remove users on the AD domain so i thought of passing the AD server credentials via the script and execute in that manner via below script.

2) I also have a service account created on AD Server (via AD team) which have the rights to add or remove users on that domain. As per your suggestion i think i should use this service account via my mid server to execute the powershell commands so that i dont have to worry about passing credentials.

Can you let me know what steps should i take to "run the MID server service using a service account from the associated domain" as mentioned by you.

Bear with me, if i am being too naive.

Thanks,

Ishan Parikh