A large organization may have several domains in one forest. When users are moved between domains, I need a script that identifies which users come from a different domain.
In my test environment, I set up an Active Directory infrastructure according to the following diagram from TechNet.
I have 3 domain controllers in the forest.
- DC1.mike.com: This is my first domain controller in the mike.com domain.
- DC2.child.mike.com: The Global Catalog DC in the child domain.
- DC3.child.mike.com: The Domain Controller in the child domain.
There are two ways to do the search.
- Active Directory Administrative Center (ADAC)
If you only want to look up a single user, Active Directory Administrative Center is the fastest way.
Select Global Catalog Search in the scope of GLOBAL SEARCH, and type the user's name in the search box.
Here is the search result.
The search uses the ANR (Ambiguous Name Resolution) LDAP filter in Active Directory.
Depending on the schema version, it returns objects whose displayName, givenName, name, sAMAccountName, sn, or other attributes in the ANR set match the search string.
How do I know it used an ANR filter? ADAC shows the PowerShell command it ran to perform the job. This is very useful when you need to write a script based on the same search criteria.
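As an added example (not code from the original post), here is the same global catalog ANR lookup that ADAC performs, written as a PowerShell function. It assumes the ActiveDirectory module is available and uses the global catalog at dc1.mike.com from this post; the function name and the search string are my own.

```powershell
# Added example: ANR search against the global catalog, as ADAC does it.
# Assumes the ActiveDirectory module and the GC dc1.mike.com from the post.
Import-Module ActiveDirectory

function Find-ForestUserByAnr {
    param(
        [Parameter(Mandatory)][string]$SearchString,
        # Port 3268 is the global catalog LDAP port, so the search spans the whole forest.
        [string]$GlobalCatalog = "dc1.mike.com:3268"
    )

    # Escape LDAP filter metacharacters (RFC 4515) so a typed search string
    # cannot change the structure of the filter.
    $escaped = $SearchString -replace '\\', '\5c' -replace '\*', '\2a' `
                             -replace '\(', '\28' -replace '\)', '\29'

    # The anr attribute expands server-side to the ANR attribute set
    # (displayName, givenName, sn, sAMAccountName, ...).
    Get-ADObject -LDAPFilter "(&(objectCategory=person)(objectClass=user)(anr=$escaped))" `
                 -Server $GlobalCatalog `
                 -Properties sAMAccountName, displayName, distinguishedName |
        Select-Object sAMAccountName, displayName, distinguishedName
}

# Example call with a constructed search string.
Find-ForestUserByAnr -SearchString "Sales" | Format-Table -AutoSize
```

Only attributes in the partial attribute set are replicated to the global catalog, so ask the GC for the specific attributes you need rather than relying on -Properties * to return everything.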
- PowerShell
The goal of this post is to identify the AD users who come from different domains, so a PowerShell script is the better way to do it. I will use the cmdlet I found in ADAC to build the script.
Example:
I moved the Sales Specialists from the A domain to the B domain for a project. Everyone has a directory in the B domain, and each folder is named after the user's sAMAccountName. After the project is complete, the Sales Specialist user objects are moved back to the A domain.
Now I need to find the folders that do not belong to a B domain user, and who owns them. Since those users are no longer in the domain, we will use a global catalog search.
# This script will check the user's sAMAccountName and list the users
# who are not in the domain.
# Change the file path here.
$filepath = "C:\temp\shares"
$allfolders = Get-ChildItem -Directory -Path $filepath
$obj2 = @()

foreach ($folder in $allfolders) {
    try {
        # Look the account up in the local domain first.
        if (Get-ADUser $folder.name -ErrorAction Stop) {
            $AD = "Y"
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $AD = "N"
        $displayname = Get-ADObject -LDAPFilter "samaccountname=$($folder.name)" -Server "dc1.mike.com:3268" -Properties * | select -ExpandProperty displayname
        $DistinguishedName = Get-ADObject -LDAPFilter "samaccountname=$($folder.name)" -Server "dc1.mike.com:3268" -Properties * | select -ExpandProperty DistinguishedName
        $obj = [pscustomobject]@{
            ID                = $folder.Name
            Name              = $displayname
            DistinguishedName = $DistinguishedName
        }
        $obj2 += $obj
    }
}
$obj2 | ft

# Export to csv
$csvpath = "c:\temp\export.csv"
$obj2 | Export-Csv -Path $csvpath -NoTypeInformation
Line 11 (the `if (Get-ADUser ...)` test): identifies whether the user exists in the local domain. Only ADIdentityNotFoundException is caught, so any other error from Get-ADUser (for example, the domain controller being unreachable) is not handled and stops the script.
Lines 17 and 18 (the two Get-ADObject calls): if the user is not in the domain, use a global catalog search to find the user's information.
Notice that in -Server "dc1.mike.com:3268" I used port 3268. That means this is a global catalog query.
I ran the script in the child domain (child.mike.com), but you can see the result returned information from the parent domain (mike.com).
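The script above treats "not found in the local domain" as the signal that a folder belongs to a foreign user. As an added example (not the post's code), the following PowerShell goes one step further and reports, for every folder name, which domain the account actually lives in by reading the DC= components of the distinguished name returned by the global catalog. It assumes the ActiveDirectory module and the GC dc1.mike.com from the post; the function names and the sample folder list are constructed for this example.

```powershell
# Added example: attribute each folder (named after a sAMAccountName) to the domain
# that holds the account, using one global catalog query per folder.
# Assumes the ActiveDirectory module and the GC dc1.mike.com from the post.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # "CN=...,OU=...,DC=child,DC=mike,DC=com" -> "child.mike.com"
    ($DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Resolve-FolderOwnerDomain {
    param(
        [Parameter(Mandatory)][string[]]$FolderName,
        [string]$GlobalCatalog = 'dc1.mike.com:3268'
    )
    # DNS name of the domain the script runs in, used to flag foreign accounts.
    $localDomain = (Get-ADDomain).DNSRoot

    foreach ($name in $FolderName) {
        # Escape LDAP filter metacharacters in the folder name (RFC 4515).
        $escaped = $name -replace '\\', '\5c' -replace '\*', '\2a' `
                         -replace '\(', '\28' -replace '\)', '\29'

        # The GC only replicates the partial attribute set, so request specific attributes.
        $matches = @(Get-ADObject `
            -LDAPFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))" `
            -Server $GlobalCatalog `
            -Properties sAMAccountName, displayName)

        if ($matches.Count -eq 0) {
            # No account anywhere in the forest: the folder is orphaned.
            [pscustomobject]@{
                Folder = $name; Status = 'NotFound'; Domain = $null
                Name = $null; DistinguishedName = $null
            }
            continue
        }

        # sAMAccountName is only unique within a domain, so the same folder name
        # can match accounts in several domains; report every match.
        foreach ($acct in $matches) {
            $domain = Get-DomainFromDN -DistinguishedName $acct.DistinguishedName
            $status = if ($domain -ieq $localDomain) { 'LocalDomain' } else { 'OtherDomain' }
            [pscustomobject]@{
                Folder            = $name
                Status            = $status
                Domain            = $domain
                Name              = $acct.displayName
                DistinguishedName = $acct.DistinguishedName
            }
        }
    }
}

# Constructed sample input; in the post the names come from
# Get-ChildItem -Directory -Path C:\temp\shares.
$sampleFolders = 'salesuser1', 'salesuser2', 'orphaned-folder'
$report = Resolve-FolderOwnerDomain -FolderName $sampleFolders
$report | Format-Table -AutoSize
$report | Where-Object Status -ne 'LocalDomain' |
    Export-Csv -Path 'C:\temp\foreign-folders.csv' -NoTypeInformation
```

Because the check compares the account's domain with the one the script runs in, the same script gives a correct answer whether it is run in the parent or the child domain, and it separates folders whose owner was moved to another domain (OtherDomain) from folders whose owner no longer exists at all (NotFound).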