
Updating AD User Object Manager Attribute With Contact DN

I have two forests after a merger. Managers of some people reside in the opposite forest. To get around this we have contacts in each forest for all the users of the opposite forest. I am trying to update the manager attribute for several users based on a CSV import where I am matching on the manager's email address. My script can match the DN of the manager's contact, but for some reason will not add it to the AD user object's manager attribute, stating it cannot find the DN of an object that is clearly present.

If I run a simple Get-ADObject with an LDAP filter it returns the DN of a manager's contact:

PS C:\temp> Get-ADObject -ldapfilter "(&(objectclass=contact)(name=$fname*)(name=*$lname))" -SearchBase "OU=station,OU=CONTACTS,DC=workplace,DC=COM" |select distinguishedname

distinguishedname                                        
-----------------                                        
CN=Nick Hill,OU=station,OU=Contacts,DC=workplace,DC=com

However, the script below errors when trying to add this DN to a user's manager attribute. What's confusing is that the DN it claims it cannot find is clearly present per the command above.

The script below errors with:

set-aduser : Identity info provided in the extended attribute: 'Manager' could not be resolved. Reason: 'Cannot find an object with identity: 'CN=Nick Hill,OU=station,OU=Contacts,DC=workplace,DC=com' under: 'DC=workplace,DC=com'.'.

$users = Import-Csv test1.csv

FOREACH ($user in $users)
{
    $username     = $user.UserName        # column holds the user's mail address (matched below with mail -eq)
    $employeeid   = $user.employeeid
    $city         = $user.city
    $country      = $user.country
    $department   = $user.department
    $division     = $user.division
    $office       = $user.location
    $state        = $user.state
    $postalcode   = $user.postal_code
    $manageremail = $user.manageremail
    # Local forest: the manager exists as a user object with this mail address
    $manager = Get-ADUser -Filter "mail -eq '$($manageremail)'"

    FUNCTION LocalManager
    {
        Get-ADUser -Filter {mail -eq $username} | Set-ADUser -Manager $manager
    }

    FUNCTION RemoteManager
    {
        # Remote forest: derive first.last from the mail address and look up the mirrored contact by name
        $data      = $manageremail.Split("@")
        $name      = $data[0]
        $namesplit = $name.Split(".")
        $fname     = $namesplit[0]
        $lname     = $namesplit[1]
        $rmanager  = Get-ADObject -SearchBase 'OU=station,OU=Contacts,DC=workplace,DC=com' -LDAPFilter "(&(objectclass=contact)(name=$fname*)(name=*$lname))"
        # This is the call that fails with the "could not be resolved" error above
        Get-ADUser -Filter {mail -eq $username} | Set-ADUser -Manager "$rmanager"
    }

    IF ($manager -eq $null)
    {
        RemoteManager
    }
    Else
    {
        LocalManager
    }
}

I have had a similar error in my own script to handle cross-domain user population. I've exported some of our old decommissioned user accounts and am importing them (with suitably generic information) to populate our test/dev environments.

Unfortunately when I try to create these accounts as new users in AD with managers in different domains, I find the following problem:

Set-ADUser : The server is unwilling to process the request
At line:1 char:1
+ Set-ADUser -Identity $user.SamAccountName -Manager $user.Manager -Ser ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (user.name:ADUser) [Set-ADUser], ADInvalidOperationException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.SetADUser

So this was in an attempt to set the user with the manager's DN.

function create-testaccts {

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True,Position=1)]
        [string] $rootPath,

        [Parameter(Mandatory=$True,Position=2)]
        [string] $userList,

        [Parameter(Mandatory=$True,Position=3)]
        [string] $pw,

        [Parameter(Mandatory=$True,Position=4)]
        [string] $OU,

        # Credential used by New-ADUser below; the original referenced $creds without defining it
        [Parameter(Mandatory=$True,Position=5)]
        [System.Management.Automation.PSCredential] $creds
    )

    $newUsers = Import-Csv $userList
    $password = $pw | ConvertTo-SecureString -AsPlainText -Force

    foreach ($user in $newUsers) {

        $profPath = Join-Path $rootPath $user.samaccountname

        try {
            Write-Host -ForegroundColor Cyan "Creating the user profile path - $profPath"
            New-Item $profPath -ItemType Directory -Force -ErrorAction Stop | Out-Null
        } # END OF TRY
        catch [System.Management.Automation.ActionPreferenceStopException] {
            Write-Host -ForegroundColor Yellow "caught a StopExecution Exception - Home directory creation"
            $error[0]
        } # END OF CATCH

        try {
            Write-Host -ForegroundColor Cyan "Creating the user object in AD -" $user.Name
            # CSV column -> New-ADUser parameter:
            # Name              - Name
            # Givenname         - Firstname
            # Surname           - Lastname
            # Password          - AccountPassword (specific to New-ADUser)
            # SamAccountName    - same in both; used for user logon name and sAMAccountName
            # Manager           - same in both (left out here, see below)
            # ProfilePath       - same in both
            # HomeDirectory     - same in both
            # HomeDrive         - same in both
            # Enabled           - always $False for these test accounts
            # UserPrincipalName - same in both
            # Server            - DC of the target domain

            $name = $user.Name

            New-ADUser -Name "$name" `
                -GivenName $user.givenname `
                -Surname $user.surname `
                -DisplayName $user.displayname `
                -SamAccountName $user.SamAccountName `
                -Path $OU `
                -AccountPassword $password `
                -ProfilePath $user.profilepath `
                -HomeDirectory $user.HomeDirectory `
                -HomeDrive $user.homedrive `
                -Enabled $False `
                -UserPrincipalName $user.UserPrincipalName `
                -Server domain.local `
                -Credential $creds `
                -ErrorAction Stop

            #-Manager $user.Manager `
        } # END OF TRY
        catch [System.Management.Automation.ActionPreferenceStopException] {
            Write-Host -ForegroundColor Yellow "caught a StopExecution Exception - Account Creation"
            $error[0]
        } # END OF CATCH

    } # END FOREACH NEW USERS
} # END OF FUNCTION (CREATE-TESTACCTS)

When I try to use this with a trusted domain it fails because the manager DN is not found in the local domain. I've tried multiple ways, but can't seem to find out why it does this and why it won't chain.

However I found a workaround where I can create the user without the manager field and then set it using the command from the following link:

https://social.technet.microsoft.com/Forums/office/en-US/ade19ad5-ecfd-48af-987b-5958983676b6/active-directory-update-the-manager-field-when-the-manager-is-in-a-different-domain?forum=ITCG

Set-ADUser -Identity $ADUser_Domain1 -Credential $DomainAdmin_Domain1 -Server $Domain1 -Replace @{manager = $ManagerDN_Domain2}

This works, and I have no idea why the replace works, but it seems to require the credential being passed. I've even tried passing the domain 2 credential.

Overall this is very confusing, and I feel like if the local session credential has rights between domains it should be able to look this up without issue. Any additional help or explanation would be REALLY helpful!
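One way to do what both the question and the reply above end up needing, as an added example that is not either poster's code: resolve the manager by mail address as a user in the local forest or, failing that, as the mirrored contact, and write the DN with -Replace instead of -Manager. It assumes the ActiveDirectory module, the contact OU from the question, a DC name and a credential supplied by the caller (both placeholders), and the LDAP filter escaping helper is my own, added because the mail value comes straight from a CSV.

```powershell
# Added example, not either poster's code. Assumes the ActiveDirectory module, the contact OU
# from the question, and placeholder -Server / -Credential values supplied by the caller.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a value read from the CSV cannot change the filter's structure.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Resolve-ManagerDN {
    # Local forest: a user with this mail. Remote forest: the mirrored contact object.
    # Returns exactly one DN, or $null when nothing (or more than one object) matches.
    param(
        [Parameter(Mandatory)][string]$ManagerEmail,
        [Parameter(Mandatory)][string]$Server,
        [string]$ContactSearchBase = 'OU=station,OU=Contacts,DC=workplace,DC=com'   # from the question
    )
    $mail = ConvertTo-LdapFilterValue $ManagerEmail
    $hits = @(Get-ADUser -LDAPFilter "(mail=$mail)" -Server $Server)
    if ($hits.Count -eq 0) {
        $hits = @(Get-ADObject -LDAPFilter "(&(objectClass=contact)(mail=$mail))" -SearchBase $ContactSearchBase -Server $Server)
    }
    if ($hits.Count -ne 1) { return $null }
    return $hits[0].DistinguishedName
}

function Set-ManagerFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$Server,                                        # DC of the users' domain (assumed)
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential  # account delegated write on 'manager' only (assumed)
    )
    foreach ($row in Import-Csv $CsvPath) {
        $managerDn = Resolve-ManagerDN -ManagerEmail $row.manageremail -Server $Server
        if (-not $managerDn) { Write-Warning "No unique user or contact with mail '$($row.manageremail)'; skipping $($row.UserName)"; continue }
        $target = @(Get-ADUser -LDAPFilter "(mail=$(ConvertTo-LdapFilterValue $row.UserName))" -Server $Server)
        if ($target.Count -ne 1) { Write-Warning "User '$($row.UserName)' not found or not unique; skipping"; continue }
        # -Replace writes the raw DN string. -Manager instead resolves the value as an ADUser identity,
        # which is the step that fails in the question when the DN belongs to a contact.
        if ($PSCmdlet.ShouldProcess($target[0].DistinguishedName, "set manager = $managerDn")) {
            Set-ADUser -Identity $target[0] -Replace @{ manager = $managerDn } -Server $Server -Credential $Credential
        }
    }
}

# Dry run with -WhatIf first, then repeat without it to apply the change (server name is a placeholder):
# Set-ManagerFromCsv -CsvPath .\test1.csv -Server 'dc01.workplace.com' -Credential (Get-Credential) -WhatIf
```

Running with -WhatIf lists every user/manager pair that would be written, so a bad CSV column or a non-unique mail address shows up before any attribute is changed.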
