PowerShell: Trigger Azure AD Sync on Remote Server as a Domain Admin

# Check whether a given username matches the list of Domain Admins
function validateDomainAdminMembership{
param (
[string]$username
)
$matchedAdmin=$username -in $domainAdmins
if($matchedAdmin){
Write-Host "$username is a Domain Admin";
return $True;
}else{
Write-Host "$username not a Domain Admin.";
return $False;
}
}

function testCredential{
param (
[string]$username,
[string]$password
)
$plaintextPassword = (New-Object System.Management.Automation.PSCredential 'N/A',$providedPassword).GetNetworkCredential().Password
$domainBindTest = (New-Object System.DirectoryServices.DirectoryEntry($domainObject,$username,$plaintextPassword)).DistinguishedName
if ($domainBindTest){return $True;} else{Return $False;}
}

function obtainDomainAdminCred{
$domainAdmins=(Get-ADGroupMember -Identity "Domain Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Where-Object {$_.Enabled -eq $True}).SamAccountName
$global:cred=$False
do {
$providedID=Read-Host -Prompt 'Input a domain admin username'
if (validateDomainAdminMembership $providedID){
$providedPassword = Read-Host -assecurestring "Please enter the password"
#$providedPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
#$providedCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $providedID,$providedPassword
$goodCredential=testCredential -username $providedID -password $providedPassword
if($goodCredential){
"Domain Admin Credential validated!";
$global:cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $providedID,$providedPassword;
#return $True;
}
else{
"Password doesn't match.";
$global:cred=$False;
#return $False;
}
}else{
"Try again..."
#return $False;
}
} until ($cred)
}

function validateCurrentAccountAsDomainAdmin{
if((whoami /groups) -match 'domain admins'){
"This account is a Domain Admins member";
return $True;
}else{"This account is NOT a Domain Admins member";return $False;}
}

If(!(validateCurrentAccountAsDomainAdmin)){obtainDomainAdminCred;}

# Query Active Directory to obtain the Azure AD Connect servername
$adConnectServers=(Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Description | %{[void]($_ -match "computer\s'(.+)'\sconfigured");$matches[1]}
#if ($adConnectServers.GetType().Name -eq "String"){$serverName = $adConnectServers}else{$serverName = $adConnectServers[0]}

foreach ($servename in $adConnectServers){
"Invoking command on $servename`r`nStart-ADSyncSyncCycle -PolicyType Delta...";

$result=Invoke-Command -computername $serverName -scriptblock {
$value=Start-ADSyncSyncCycle -PolicyType Delta;
return $value.Result;
} -credential $cred

if ($result.Value -like 'Success'){break;}
}

"`r`nDone. Press Enter to close window."
pause;

Sample output:

Invoking command on ADKONNECTSHERVER01
Start-ADSyncSyncCycle -PolicyType Delta...

PSComputerName RunspaceId Result
-------------- ---------- ------
ADKONNECTSHERVER01 031af674-3bca-407c-bfab-d9ffb94123ab Success

Leave a Reply

Your email address will not be published. Required fields are marked *