This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 83%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP7%3C/text%3E%3C/svg%3E)
Hello,
I have two domains A and B with a two-way trust relationship.
I want to search for a domain A user through a domain B account.
I tried the following command but I got a return that it can't find the information.
Get-AdUser -Server "Domain_A" -Identity "Name_of_account" -Credential "Domain_B\Account" -Properties *
The computer with powershell does not have access to the network of domain A, it must make the request on domain B which interrogates domain A and get the answer of domaine B.
Is it possible ?
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Are they two domains in the same forest, or are they two forests?
Your problem is probably that Kerberos authentication is being used and the other domain (forest?) has no way to verify the authenticity of the certificate.
Or it may be that WinRM doesn't trust the other server. Try running this on the CLIENT machine:
Set-Item wsman:localhost\client\trustedhosts *.domain.name
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
It can be a network flow issue, Try to specify a domain controller name of domain name :
Get-AdUser -Server "DC.Domain_A.local" -Identity "Name_of_account" -Properties *
It's not necessary to add a credential from target domain.
Please don't forget to mark helpful reply as answer
Hi
Thanks for your answer.
It's two domain and two forest.
IF I understood correctly:
1 - / I query the DNS of my domain B, to obtain information about an account in domain A.
2- / DNS of domain B looks and sees that there is a conditional forwarder for domain A. It sends the query back to DNS of domain A
3- / Domain A answer to domaine B
4- / Domain B give the answer at the computer.
I don't have network access to query domain B DNS, Because the relationship of trust between the two domains allows information to be shared.
Is it OK ?
Can the DC in Domain "B" access the DC in Domain "A"? Since your workstation does not have the ability to connect to the DC in Domain "A" you'll have to work from the the DC (or some other machine) in Domain"B".
You can't simply us an "Invoke-Command" from your workstation an have the Get-ADUser run on the DC in Domain "B" without running into the "Second-Hop Problem". While the Second-Hop problem can be overcome, it can't be done without cooperation from the administration team in both domains. They'll have to allow a much laxer form of authentication.
Hi
Sorry for late answer.
Yes, the DC in Domain B can access in DC domain A. ( Network is open inside the two DC )
Sorry, I'm a noob. I don't understand the following sentence: it can't be done without cooperation from the administration team in both domains
Does that mean that without opening the network access, it will not be possible?
Thanks in advance
The network folks can open the firewall to let your machine access access resources in the other domain.
Or you could log on to a DC and run your data gathering script(s) from there. That would involve just the admins from your domain.
Or you could use Invoke-Command from your machine to run your stuff on a DC in your domain and that DC would get the information from the other network. But that would probably not work without getting around the "Second Hop Problem". Getting that to work would need cooperation from both Domains because it usually means using a more "relaxed" method of authentication.
Keep in mind that at trust allows authentication to take place, it does not allow access to a restricted network -- although without the ability to access any resources in the "other" domain using credentials from "your" domain a trust doesn't accomplish much.