PowerShell: Trigger Azure AD Sync on Remote Server as a Domain Admin

# Trigger-AD-Sync.ps1
# Requirements: https://kimconnect.com/powershell-install-rsat/
# This script does these things:
# a. Obtain Domain Admin credential
# b. Find the correct server that runs AD-Sync
# c. Connect to the AD-Sync server and trigger the Delta Sync command

# Check whether a given username matches the list of Domain Admins
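function validateDomainAdminMembership {
    # Check whether a given username matches the list of Domain Admins.
    # Arguments: $username - SamAccountName typed in by the operator.
    # $domainAdmins is deliberately not a parameter: the only call site on this
    # page passes a single argument, so the list is read from the caller's scope
    # (obtainDomainAdminCred populates it) via PowerShell's dynamic scoping.
    # Returns: $True when the name is in the list, otherwise $False.
    # The listing this was reconstructed from had lost its if/else and closing
    # braces; the control flow below is the one implied by the two messages.
    param (
        [string]$username
    )
    # "-in" compares strings case-insensitively, which matches how AD treats
    # SamAccountNames.
    if ($username -in $domainAdmins) {
        Write-Host "$username is a Domain Admin";
        return $True;
    }
    Write-Host "$username not a Domain Admin.";
    return $False;
}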

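function testCredential {
    # Verify a username/password pair by binding to the domain with it.
    # Arguments: $username - account to bind as
    #            $password - SecureString as returned by Read-Host -AsSecureString
    # Returns: $True when the bind succeeds and yields a DistinguishedName,
    #          $False when the bind fails (bad password, locked/disabled account,
    #          unreachable DC).
    # The call site passes "-password", so the body must read $password; the
    # original body read $providedPassword, which only worked because that
    # variable happened to exist in the caller's scope.
    param (
        [string]$username,
        [securestring]$password
    )
    # DirectoryEntry needs the password in the clear. The plaintext copy lives in
    # $plaintextPassword for the lifetime of this call; keep the function short
    # and do not log or echo it (remember that Set-PSDebug/set -x style tracing
    # would expose it).
    $plaintextPassword = (New-Object System.Management.Automation.PSCredential 'N/A', $password).GetNetworkCredential().Password
    # NOTE(review): $domainObject is not defined anywhere on this page; it is
    # presumably the LDAP path of the domain to bind against — confirm it is
    # set in the calling scope before relying on this check.
    try {
        # A failed bind typically surfaces as an exception when the first
        # property is read, not as a $null result, so the failure must be
        # caught here or the script terminates instead of reporting a mismatch.
        $domainBindTest = (New-Object System.DirectoryServices.DirectoryEntry($domainObject, $username, $plaintextPassword)).DistinguishedName
        if ($domainBindTest) { return $True } else { return $False }
    } catch {
        return $False
    } finally {
        # Drop our reference to the plaintext copy as soon as the bind is done.
        $plaintextPassword = $null
    }
}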

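function obtainDomainAdminCred {
    # Prompt until a username that is an enabled Domain Admin and a password
    # that binds successfully have been entered; on success the credential is
    # stored in $global:cred for the rest of the script.
    # Globals: cred (written, global scope)
    # Outputs: status messages to the pipeline/console
    # Returns: nothing; the loop only ends once $cred is set.
    # Note that $global:cred outlives the script in an interactive session;
    # callers should clear it when done (Remove-Variable cred -Scope Global).
    #
    # Enabled user accounts that are (transitively) members of Domain Admins.
    # validateDomainAdminMembership reads $domainAdmins from this scope.
    # Nested groups can contain non-user principals; Get-ADUser on a computer
    # or group DN errors out, so only user objects are expanded.
    $domainAdmins = (Get-ADGroupMember -Identity "Domain Admins" -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName } |
        Where-Object { $_.Enabled -eq $True }).SamAccountName
    do {
        $providedID = Read-Host -Prompt 'Input a domain admin username'
        if (validateDomainAdminMembership $providedID) {
            # Read as SecureString so the password is never held as a plain
            # string in this function.
            $providedPassword = Read-Host -AsSecureString "Please enter the password"
            $goodCredential = testCredential -username $providedID -password $providedPassword
            if ($goodCredential) {
                "Domain Admin Credential validated!";
                $global:cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $providedID, $providedPassword;
            } else {
                "Password doesn't match.";
            }
        } else {
            "Try again..."
        }
    } until ($cred)
}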

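function validateCurrentAccountAsDomainAdmin {
    # Report whether the token of the current session carries Domain Admins
    # membership, using the group list printed by "whoami /groups".
    # Outputs: one status line to the pipeline/console
    # Returns: $True when a "<DOMAIN>\Domain Admins" group line is present,
    #          otherwise $False.
    # The pattern anchors on the backslash before the group name and the
    # whitespace after it, so a differently named group that merely contains
    # the words "domain admins" (e.g. a helpdesk group) no longer matches;
    # -match is case-insensitive by default.
    # NOTE(review): in a non-elevated (UAC-filtered) session the group may be
    # listed as "used for deny only" and still match here — confirm whether an
    # elevation check is also needed by the caller.
    if ((whoami /groups) -match '\\Domain Admins\s') {
        "This account is a Domain Admins member";
        return $True;
    } else {
        "This account is NOT a Domain Admins member";
        return $False;
    }
}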


# Query Active Directory to obtain the Azure AD Connect servername
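# Query Active Directory to obtain the Azure AD Connect servername(s).
# Azure AD Connect's MSOL_* service account carries a Description of the form
# "... computer <NAME> configured ..."; that free-text attribute is the only
# source of the target host here, so anyone who can edit that Description can
# redirect the remote command below — the throw keeps an empty result from
# silently doing nothing.
# Descriptions that do not match the pattern are skipped instead of re-using
# a stale $matches[1] from a previous iteration.
$adConnectServers = (Get-ADUser -Filter 'name -like "Msol*"' -Properties Description).Description |
    ForEach-Object { if ($_ -match "computer\s(.*)\sconfigured") { $matches[1] } }
if (-not $adConnectServers) {
    throw "No Azure AD Connect server name found in the MSOL_* account descriptions."
}

# The original call site that fills $cred is not visible on this page; obtain
# the credential here if nothing has set it yet, since Invoke-Command below
# requires it.
if (-not $cred) { obtainDomainAdminCred }

foreach ($serverName in $adConnectServers) {
    "Invoking command on $serverName`r`nStart-ADSyncSyncCycle -PolicyType Delta...";

    # Runs over WinRM as $cred. Triggering a sync cycle does not actually
    # require Domain Admin; membership in the Connect server's local
    # ADSyncAdmins (or ADSyncOperators) group is what Start-ADSyncSyncCycle
    # needs, so a dedicated operator account would be the least-privilege
    # choice for this step.
    $result = Invoke-Command -ComputerName $serverName -Credential $cred -ScriptBlock {
        $value = Start-ADSyncSyncCycle -PolicyType Delta;
        return $value.Result;
    }

    # NOTE(review): the sample output shows "Result" as a column of the returned
    # object, so it is not clear from this page that the deserialized value
    # exposes a .Value member; if it does not, this break never fires and every
    # listed server gets a sync request — verify against a real run.
    if ($result.Value -like 'Success') { break; }
}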

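"`r`nDone. Press Enter to close window."
# The credential was stored in the global scope so the whole script could use
# it; clear it now so it does not linger in an interactive session after the
# script has finished (no-op when it was never set).
Remove-Variable -Name cred -Scope Global -ErrorAction SilentlyContinue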

Sample output:

Invoking command on ADKONNECTSHERVER01
Start-ADSyncSyncCycle -PolicyType Delta...

PSComputerName RunspaceId Result
-------------- ---------- ------
ADKONNECTSHERVER01 031af674-3bca-407c-bfab-d9ffb94123ab Success