Powershell – how to get short/netbios name of trusted domain

active-directorypowershell

I have a user object from Active Directory that has properties like distinguished name. I can easily get the domain portion from that, like dc=somedomain,dc=com. If it were the local domain, I could use Powershell: (get-addomain -Identity "dc=mydomain,dc=com").netbiosname to get the short name. But for this external trusted domain, that doesn't work because it just searches within the local domain. Does anyone know of another way to use Powershell to get the short name for the domain of an arbitrary AD user/group?

Best Answer

You just need to add the -Server argument to your Get-ADDomain call that specifies a DC in that forest. If you were on a non-domain joined machine, you could add -Credential to explicitly provide credentials as well. But hypothetically, your trust will pass along your current credentials automatically.

So the new command would look like this:

(Get-ADDomain 'dc=mydomain,dc=com' -Server 'dc.mydomain.com').NetBIOSName

You can also combine it with Get-ADDomainController if you don't already know a DC for the target domain.

$dc = (Get-ADDomainController -Discover -DomainName mydomain.com).HostName[0]
(Get-ADDomain 'dc=mydomain,dc=com' -Server $dc).NetBIOSName

Related Solutions

Powershell – Exporting specific fields with powershell’s export-csv

You want to use the Select-Object cmdlet in place of Format-Table. This should work for you:

| select-object givenname,sn,company,telephonenumber,mail `
| export-csv -Delimiter `t -NoTypeInformation -Path c:\scripts\adexport.csv

Ldap – Can an LDAP query on AD provide the netbios domain name for a single account when using the Global Catalog

I think I figured it out. Using ADSI Edit you can look at properties on an object (e.g., a user), but by default it was filtering out "constructed" attributes. Using the Filter button at the bottom right of the properties screen I was able to show these additional attributes.

The "msDS-PrincipalName" appears to have "[netbios domain name]\[sAMAccountName]" as its value.

If I go into AD Users and Computers and change the "User logon name" from "gwasington@test.kirkdev.local" to "gwash2ington@test.kirk2dev.local" this affects the "userPrincipalName" attribute, but not the "msDS-PrincipalName" attribute. This is good in my case, because my other system (SharePoint) does not recognize this change either.

If I go into AD Users and Computers and change the "User logon name (pre-Windows 2000)" from "KIRKDEV\gwashington" to "KIRKDEV\g2washington" (note, that I cannot change the first part) this does not affect the "userPrincipalName" attribute, but does affect the "msDS-PrincipalName" attribute. This is exactly what I want because my other system (SharePoint) does recognize this change.

Side Note: I said SharePoint does recognize the change, but that is only if the user has never logged into that SharePoint site collection before. Once the user has logged into the SharePoint site collection, the tp_Login field in the UserInfo table is set with the "msDS-PrincipalName" value and that does not seem to change. So, I may have to find a way to force that to be changed or just say that this scenario is not supported.

Best Answer

Related Solutions

Powershell – Exporting specific fields with powershell’s export-csv

Ldap – Can an LDAP query on AD provide the netbios domain name for a single account when using the Global Catalog

Related Topic