Hello,
I am trying to add a forest group (DomainRemote\Domain Users) to the ACEs of computer objects under DomainLocal. Then (when this works) I should set "Allowed to authenticate" to Deny so remote users from our 1-way trust with the remote domain cannot log in to our DomainLocal.
Local Active directory: DomainLocal
Remote Active directory: DomainRemote
What I did is create 2 connections: $forestDomainLocal and $forestDomainRemote.
# Connection to the remote forest (DomainRemote) and to the local forest (DomainLocal)
$forestDomainRemote = Connect-QADService -Service 'DCREMOTE.remote.com' -Credential $credsRemote
$forestDomainLocal = Connect-QADService -Service 'DCLOCAL' -Credential $credsLocal
I read on this forum that we should first get the group from the remote domain, place it in a variable and then use the variable with the other connection.
# Get the group through the remote connection, then use it with the local connection
$DomainRemoteGrp = Get-QADGroup 'Domain Users' -Connection $forestDomainRemote
Add-QADPermission 'CN=SHSQLTEST01,OU=SERVERS_TEST,DC=adm,DC=local,DC=domain,DC=com' -Account $DomainRemoteGrp -Rights GenericAll -Connection $forestDomainLocal
The last command doesn't work because it is still trying to look up the group $DomainRemoteGrp in the LOCAL AD.
WARNING: Can't lookup account for identity: 'CN=Domain Users,CN=Users,DC=RemoteDomain,DC=com'
WARNING: No valid accounts specified. Searching permissions for all accounts.
Add-QADPermission : Object reference not set to an instance of an object.
Does someone have an idea how I can get this working?
Regards
Stijn
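An added example, not from Stijn's post or from any reply to it, of the end goal described above (a Deny ACE for the "Allowed to Authenticate" extended right on a computer object in DomainLocal, granted against a group from the trusted forest DomainRemote). It uses the RSAT ActiveDirectory module and System.DirectoryServices directly rather than the Quest QAD cmdlets, so it is not a fix for the Add-QADPermission call itself. It reuses the $credsLocal and $credsRemote credential objects, the DC names and the computer DN from the post; the Allowed-To-Authenticate control access right GUID is the one defined in the AD schema.

```powershell
# Added example (not from the original post): deny "Allowed to Authenticate" on a
# DomainLocal computer object to a group from the trusted forest DomainRemote.
# Assumes the RSAT ActiveDirectory module is installed and that $credsLocal and
# $credsRemote are the PSCredential objects used in the post.
Import-Module ActiveDirectory

# 1. Resolve the group to its SID in the REMOTE forest. An ACE stores a SID, not a
#    name, so the SID is what the local directory needs; no name lookup happens locally.
$remoteGroup = Get-ADGroup -Identity 'Domain Users' -Server 'DCREMOTE.remote.com' -Credential $credsRemote
$remoteSid   = [System.Security.Principal.SecurityIdentifier]$remoteGroup.SID

# 2. controlAccessRight GUID of "Allowed-To-Authenticate" from the AD schema.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 3. Build a Deny ACE for that extended right, applied to this object only (no inheritance).
$denyRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $remoteSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $allowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# 4. Bind to the computer object on the LOCAL DC with the local credentials and commit the ACL change.
$computerDn = 'CN=SHSQLTEST01,OU=SERVERS_TEST,DC=adm,DC=local,DC=domain,DC=com'
$entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://DCLOCAL/$computerDn",
    $credsLocal.UserName,
    $credsLocal.GetNetworkCredential().Password
)
$entry.ObjectSecurity.AddAccessRule($denyRule)
$entry.CommitChanges()

# 5. Verify: show the explicit ACEs on the object that reference the remote SID.
$entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $remoteSid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize
```

Two caveats a practitioner should keep in mind: the Allowed to Authenticate right is only evaluated when the trust is configured for selective authentication; with forest-wide authentication the ACE is simply never consulted, so the Deny has no effect. And because the ACE holds a raw SID, the local domain will show it as an unresolved SID unless it can reach the remote forest to translate it, which is expected and harmless.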