I’m trying, from my computer, to make a script that will cover all steps of user creation. One of these steps is to add a user from my domain to a “local domain group” of another domain.
If you’re doing Invoke-Command against DC.AD2.LAN and then in your script block you’re using cmdlets that require authentication against the remote host DC.AD1.local, then you’re probably running into the Kerberos double-hop.
Also, I don’t see that you are providing alternate credentials in your scriptblock when doing work against the other domain. Even if you were, I think it would fail because of the Kerberos double-hop, but since you aren’t, it means all of the cmdlets in your script block are running as whatever account you used to create $session with.
Yeah, if you Google it you’ll find dozens of articles on it: https://www.techtarget.com/searchwindowsserver/tutorial/How-to-avoid-the-double-hop-problem-with-PowerShell
I’m not sure I’m understanding your AD setup or why an Admin account in AD2.lan would inherently have rights in AD1.local, but I don’t think that matters because this is definitely the Kerberos double-hop.
Lots of people have this issue that have to use jump boxes to complete tasks on servers.
Well, those two domains trust each other and I can (with GUI or CLI) list and fetch users from the other domain without having to change credentials.
Like in the previous example, I’m adding a user from AD1 to a group of AD2.
This is the error I get when I do the Invoke-Command:
Get-ADUser : Impossible de contacter le serveur. Il se peut que le serveur n’existe pas, est actuellement hors service ou ne dispose pas des services Web Active Directory.
Au caractère Ligne:1 : 9
+ $user = Get-ADUser -Filter "SamAccountName -eq '$userName'" -Server $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
The French error message:
“Impossible de contacter le serveur. Il se peut que le serveur n’existe pas, est actuellement hors service ou ne dispose pas des services Web Active Directory.”
Translates to English as:
“Unable to contact the server. The server may not exist, is currently unavailable, or does not have Active Directory Web Services.”
And by the way, thanks for the answers! I’ll try the double-hop thingy stuff.
It’s not a permission issue. The double hop means the credentials (the user you are running as) can’t be used to make another hop without configuring delegation. You could also use a different set of credentials to execute the second hop, since to it, it is the first hop. You can easily confirm the double-hop issue by RDP to the same system and running the scriptblock there; if it succeeds, that confirms double hop.
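An added example of the approach both replies above describe (passing a separate set of credentials into the script block so the AD1.local lookup becomes a first hop from DC.AD2.LAN); it is not the original poster’s script. It assumes the session runs on DC.AD2.LAN, the user lives in AD1.local, the group is a domain local group in AD2, and the variables $ad1Cred, $groupName and the sample user name are hypothetical values constructed for the example. The ActiveDirectory module must be present on DC.AD2.LAN.

```powershell
# Added example, not the poster's code. Hostnames are the ones from the thread;
# $ad1Cred, $groupName and the sample user name are constructed for illustration.
$ad1Cred   = Get-Credential -Message 'Account with read rights in AD1.local'
$userName  = 'jdoe'                  # constructed sample value
$groupName = 'AD1-Contractors-DL'    # hypothetical domain local group in AD2.LAN

$session = New-PSSession -ComputerName 'DC.AD2.LAN'

$result = Invoke-Command -Session $session -ScriptBlock {
    Import-Module ActiveDirectory

    # Copy the caller's variables into the remote scope once, for readability.
    $name = $using:userName
    $grp  = $using:groupName
    $cred = $using:ad1Cred

    # Second hop to AD1.local. With -Credential the remote host authenticates
    # directly with a password-based logon, so it never needs to delegate the
    # Kerberos ticket it received for the first hop. Without -Credential this is
    # the call that fails with ADServerDownException in the thread.
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                       -Server 'DC.AD1.local' -Credential $cred
    if (-not $user) { throw "User '$name' not found in AD1.local" }

    # The group lives in AD2, where the session already runs as the account that
    # created $session (the first hop), so no extra credentials are needed here.
    Add-ADGroupMember -Identity $grp -Members $user -Server 'DC.AD2.LAN'

    # Verify the membership. Same-forest members are stored by DN; cross-forest
    # members are stored as a ForeignSecurityPrincipal whose CN is the user's SID.
    $members = (Get-ADGroup -Identity $grp -Properties member -Server 'DC.AD2.LAN').member
    $sidPattern = [regex]::Escape($user.SID.Value)
    $added = ($members -contains $user.DistinguishedName) -or
             (@($members -match $sidPattern).Count -gt 0)

    [pscustomobject]@{
        User   = $user.UserPrincipalName
        Group  = $grp
        Added  = $added
        RanAs  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

Remove-PSSession $session
$result
```

The RanAs field shows which identity the script block actually ran under on DC.AD2.LAN, which is the quickest way to see that the first-hop account, not the AD1 account, is what the AD2 cmdlets use. Passing a credential object this way keeps the AD1 secret in the script block rather than enabling CredSSP or unconstrained delegation on the remote host, both of which expose the caller’s credentials to that machine for every hop.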