Problem with INVOKE-COMMAND in AD Forest

Hi everyone and thanks for the help,

I’m trying, from my computer, to make a script that will cover all steps of user creation. One of these steps is to add a user from my domain to a “local domain group” of another domain.

Here is what we came up with that doesn’t work:

Invoke-Command -Session $session -ScriptBlock {
    param($groupName, $user, $SecondaryServer)
    # Look up the user in the other domain, then add the returned object to the group
    $user1 = Get-ADUser -Filter "SamAccountName -eq '$user'" -Server $SecondaryServer
    Add-ADGroupMember -Identity $groupName -Members $user1
    Write-Host "User '$user' successfully added to group '$groupName'"
} -ArgumentList $selectedGroup.Name, $user, $SecondaryServer

But when connected on DC.AD2.LAN, this works:

$SecondaryServer = "DC.AD1.local"
$userName = "user.exemple.1"
$user = Get-ADUser -Filter "SamAccountName -eq '$userName'" -Server $secondaryServer
Add-ADGroupMember -Identity "group.exemple.1" -Members $user -ErrorAction Stop

I get an error in Get-ADUser where it says the server can’t be reached.

Here are a few facts:

  • a ping of DC.AD1.local inside the Invoke-Command will work
  • ADWS is running

I’m going to draw something that, I hope, will help. Also, I’ll edit for readability. Thanks.

If you’re doing Invoke-Command against DC.AD2.LAN and then in your script block you’re using cmdlets that require authentication against the remote host DC.AD1.local, then you’re probably running into the Kerberos double-hop.
Also, I don’t see that you are providing alternate credentials in your scriptblock when doing work against the other domain. Even if you were, I think it would fail because of the Kerberos double-hop, but since you aren’t, it means all of the cmdlets in your script block are running as whatever account you used to create $session with.


“then you’re probably running into the Kerberos double-hop.”

Is that a famous thing that’s not possible?

I’m connecting as admin.ad2.lan, so I should be able to just add a user from the other domain.

The following works when used in another script run on DC.AD2.LAN:

$user = Get-ADUser -Filter "SamAccountName -eq '$samAccountName'" -Server $secondaryDC -ErrorAction Stop
Add-ADGroupMember -Identity $groupName -Members $user -ErrorAction Stop

So in this instance, it doesn’t feel like it’s a credential issue. But I’m no expert :smiley:

Yeah, if you google it you’ll find dozens of articles on it:
https://www.techtarget.com/searchwindowsserver/tutorial/How-to-avoid-the-double-hop-problem-with-PowerShell
I’m not sure I’m understanding your AD setup or why an admin account in AD2.lan would inherently have rights in AD1.local, but I don’t think that matters because this is definitely the Kerberos double hop.
Lots of people have this issue who have to use jump boxes to complete tasks on servers.


Well, those two domains trust each other and I can (with GUI or CLI) list and fetch users from the other domain without having to change credentials.

Like in the previous example, I’m adding a user from AD1 to a group of AD2.

This is the error I get when I do the Invoke-Command:

Get-ADUser : Impossible de contacter le serveur. Il se peut que le serveur n’existe pas, est actuellement hors service ou ne dispose pas des services Web Active Directory.
Au caractère Ligne:1 : 9
+ $user = Get-ADUser -Filter "SamAccountName -eq '$userName'" -Server $ ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser

The French error message:
“Impossible de contacter le serveur. Il se peut que le serveur n’existe pas, est actuellement hors service ou ne dispose pas des services Web Active Directory.”
Translates to English as:
“Unable to contact the server. The server may not exist, is currently unavailable, or does not have Active Directory Web Services.”

And by the way, thanks for the answers! I’ll try the double hop thingy stuff.

It’s not a permission issue. The double hop means the credentials (the user you are running as) can’t be used to make another hop without configuring delegation. You could also use a different set of credentials to execute the second hop, since to it, that is the first hop. You can easily confirm the double hop issue by RDPing to the same system and running the scriptblock there; if it succeeds, that confirms the double hop.
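As an added illustration of the “different set of credentials” approach from the answer above (example code, not from anyone in this thread): the credential is passed into the remote session, so the lookup against DC.AD1.local is a first hop from DC.AD2.LAN’s point of view instead of a forwarded Kerberos ticket. Server, group and user names are taken from the thread; the variable names and the prompting account are assumptions.

```powershell
# Added example: explicit credential for the cross-domain lookup.
# Assumptions: an account exists that may read users in AD1.local, and
# the session owner may modify the group in AD2.LAN.
$SecondaryServer = 'DC.AD1.local'
$GroupName       = 'group.exemple.1'
$UserName        = 'user.exemple.1'

# Prompting keeps the password out of the script file.
$Ad1Credential = Get-Credential -Message 'Account used to query AD1.local'

$session = New-PSSession -ComputerName 'DC.AD2.LAN'

$result = Invoke-Command -Session $session -ScriptBlock {
    param($GroupName, $UserName, $SecondaryServer, $Ad1Credential)

    # The session owner's ticket cannot be forwarded to a third host
    # (double hop), so authenticate to DC.AD1.local explicitly instead.
    $user = Get-ADUser -Filter "SamAccountName -eq '$UserName'" `
                       -Server $SecondaryServer `
                       -Credential $Ad1Credential `
                       -ErrorAction Stop

    # The group lives in AD2.LAN, which the session's own identity
    # reaches directly, so no extra credential is needed here.
    Add-ADGroupMember -Identity $GroupName -Members $user -ErrorAction Stop

    [pscustomobject]@{
        User  = $user.DistinguishedName
        Group = $GroupName
    }
} -ArgumentList $GroupName, $UserName, $SecondaryServer, $Ad1Credential

$result
Remove-PSSession $session
```

A PSCredential survives the remoting serialization, so it can be handed over through -ArgumentList; if the same Get-ADUser call still fails when run interactively on DC.AD2.LAN with that credential, the problem is reachability or ADWS rather than the double hop.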