
How to get FQDN of a Target User's (Different) Domain?


How can I get the Fully Qualified Domain Name (FQDN) for a user on a different, trusted domain?

Normally, I would ask said user to take any one of the approaches outlined here (e.g. whoami /fqdn or echo %userDNSdomain%), but if this approach isn't available for whatever reason (e.g. the account is a proxy account that I am unable to log in with interactively, the company I'm working for was acquired and the new owners aren't as forthcoming, etc.), is there a way I can get this different user account's FQDN?

Alternatively, taking the approach of "emulating" the FQDN being returned by my user credentials is also prone to error. Take for example the output of running whoami /fqdn as my user:

C:\Users\john.eisbrener>whoami /fqdn
CN=John M. Eisbrener,OU=Standard Users,OU=Resources,DC=CONTOSO,DC=COM

I could conceptually adjust the CONTOSO Domain Component to the other, trusted domain, with the expectation that it follows the same structure, but that would be short-sighted as not all domains follow the same naming convention. I've seen too many trusted domains using .org or including additional domain prefixes or suffixes within their LDAP root path.

The main driver to all of this is that I need to pass the proper Domain Components to the following PowerShell queries which I rely on when trying to find what user groups and user names may need to be added to certain security groups, file paths, etc.

## List Groups for a Username
$domainName = 'CONTOSO'
$domainSuffix = 'COM'
$username = 'john.eisbrener'
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc=$($domainName),dc=$($domainSuffix)")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=User)(samAccountName=$($username)))")
$searcher.FindOne().GetDirectoryEntry().memberOf |
    ForEach-Object { New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $_) } |
    Sort-Object sAMAccountName |
    Select-Object @{name="Group Name";expression={$_.Name}}, @{name="Group sAMAccountName";expression={$_.sAMAccountName}}


## List Members in a Group
$domainName = 'CORP'
$domainSuffix = 'ORG'
$groupname = 'RemoteUsers'
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc=$($domainName),dc=$($domainSuffix)")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=Group)(name=$($groupname)))")
$group = New-Object System.DirectoryServices.DirectoryEntry($searcher.FindOne().GetDirectoryEntry().Path)
$group.member |
    ForEach-Object { New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $_) } |
    Sort-Object sAMAccountName |
    Select-Object @{name="User Name";expression={$_.Name}}, @{name="User sAMAccountName";expression={$_.sAMAccountName}}

Why can't I install any other components or modules? The computer I'm using is pretty vanilla and doesn't have any extra PowerShell modules or MMC snap-ins (e.g. dsa.msc) available because my user account doesn't have sufficient privileges to install software.

My current approach to get the FQDN of this other user's domain is to set up a Windows Scheduled Task running as said user, saving the output of the aforementioned whoami /fqdn or echo %userDNSdomain% commands to a text file, but this seems a bit kludgy and I was hoping for a simple one-liner that I could run from the command prompt or a PowerShell prompt. Any suggestions would be appreciated.

Final note, my apologies if my terminology is incorrect or leading to confusion. I'm open to any edits to this from someone that understands what I'm asking.


Solution

  • This should just use .Net classes, so it should work just fine for you.

    Function Get-TrustedDomainUser{
        Param([String]$Alias)
        # Enumerate every trust the current forest has, then probe each trusted domain in turn
        $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $AllTrusts = $Forest.GetAllTrustRelationships()
        $Filter = "(&(sAMAccountName=$Alias)(objectClass=user))"
        $Searcher = [adsisearcher]$Filter
        ForEach($Domain in $AllTrusts.TargetName){
            Write-Host "Trying to find user in $Domain"
            # Build the domain's DN from its DNS name: corp.example.org -> DC=corp,DC=example,DC=org
            $LDAP = 'DC=' + ($Domain.split('.') -join ',DC=')
            $Searcher.SearchRoot = "LDAP://$LDAP"
            $ErrorActionPreference = 'Stop'
            try{
                $DomUser = $Searcher.FindAll()
            }Catch{
                # FindAll throws when the domain cannot be reached or the bind is refused
                Write-Host "User not found in $Domain"
            }
            # A hit has a Path; stop at the first domain that returns one
            If(!([string]::IsNullOrEmpty($DomUser.Path))){Break}
        }
        $DomUser
    }

    Get-TrustedDomainUser -Alias 'SomeUser'
    

    That will get all trusted domains, and then try and find the user in each domain until it finds the user, at which point it returns the user. If you don't like the on screen spam just comment out the Write-Host lines.
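As an added example (not part of the question or the answer above), here is a variant of the same lookup that asks each trusted domain's RootDSE for its defaultNamingContext instead of deriving the DC= components from the DNS name (the concern raised in the question), includes the current domain's own trusts alongside the forest trusts, and escapes the alias before it goes into the LDAP filter. The function name `Get-TrustedDomainUserDn` is chosen here; it assumes a domain-joined host running PowerShell 3 or later.

```powershell
Function Get-TrustedDomainUserDn {
    [CmdletBinding()]
    Param([Parameter(Mandatory)][String]$SamAccountName)

    # Candidate domains: the forest's own domains, trusts of the current domain
    # (external/shortcut trusts) and trusts of the forest (forest trusts).
    $Current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $Targets = @($Forest.Domains.Name) +
               @($Current.GetAllTrustRelationships().TargetName) +
               @($Forest.GetAllTrustRelationships().TargetName) |
               Where-Object { $_ } | Sort-Object -Unique

    # Escape LDAP filter metacharacters (RFC 4515) so an alias such as 'a*' or
    # 'x)(cn=*' is matched literally instead of widening the search.
    $Escaped = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $Filter  = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Escaped))"

    foreach ($Dns in $Targets) {
        try {
            # RootDSE publishes the domain's real naming context, so there is
            # no need to guess DC= components from the DNS name.
            $BaseDn   = ([adsi]"LDAP://$Dns/RootDSE").defaultNamingContext.Value
            $Root     = [adsi]"LDAP://$Dns/$BaseDn"
            $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
            $null = $Searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userPrincipalName'))
            $Hit = $Searcher.FindOne()
        } catch {
            # Unreachable domain, or a trust that does not let this account bind: skip it
            Write-Verbose "Skipping $Dns : $($_.Exception.Message)"
            continue
        }
        if ($Hit) {
            return [PSCustomObject]@{
                DomainFqdn           = $Dns
                DefaultNamingContext = $BaseDn
                DistinguishedName    = $Hit.Properties['distinguishedname'][0]
                UserPrincipalName    = $Hit.Properties['userprincipalname'][0]
            }
        }
    }
    Write-Warning "$SamAccountName was not found in any reachable trusted domain."
}

Get-TrustedDomainUserDn -SamAccountName 'john.eisbrener' -Verbose
```

The DistinguishedName in the result already carries the DC= components the question's group and member queries need, so they can be pointed at `LDAP://<DomainFqdn>/<DefaultNamingContext>` without any guessing.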