SharePoint 2013 and One-Way Forest Trusts

Hello Everyone,

Simple fix for an environment where you have a one-way forest trust between the forest that hosts a SharePoint site and several other forests whose accounts you would like to use to log in to the site (the SharePoint forest trusts the account forests). After establishing the required trusts and domain settings, the only SharePoint setting that needs to be updated is the people picker. Natively, the people picker only searches the local forest, and because the trust is one-way, SharePoint's own service accounts cannot authenticate to the other forests to query them; the people picker therefore needs credentials from each trusted forest. The steps to get this working are as follows:

1. Create a service account in each of the other forests that will be used to
2. Execute the following command, adjusting it for your environment; in this sample I'm adding 3 forests.

stsadm -o setproperty -url https://intranet.contoso.com -pn peoplepicker-searchadforests -pv "forest:ad.acme.com,acme\sp_adtrust,password; forest:northwinds.local,northwinds\sp_adtrust,password; forest:ad.microsoft.com,microsoft\sp_adtrust,password"

Note: the command replaces the whole property value, so you always need to list ALL the forests. If you are adding just one, include the existing ones too, or they will be dropped. Two more things to check: the people picker stores these credentials encrypted in the farm configuration, which requires the application credential key to exist on every server in the farm (run stsadm -o setapppassword -password <key> on each server first, or the setproperty call fails); and the service accounts only need ordinary read access to their forest's directory, so use dedicated low-privilege accounts and avoid leaving the plaintext passwords in shell history or saved scripts.
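Because the stsadm property is all-or-nothing, a script that appends a single forest to whatever is already configured is safer to run repeatedly. The following is an added example, not part of the original post: it uses the SharePoint PowerShell snap-in and the SPPeoplePickerSearchActiveDirectoryDomain object to add one forest, skips it if it is already present, and prints the resulting list for verification. The web application URL, forest name and account are placeholders; the setapppassword key must already be set on every server as described above.

```powershell
# Added example: append one trusted forest to the people picker without
# overwriting the forests already configured. URL, forest and account names
# are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Prerequisite (not done here): stsadm -o setapppassword -password <key>
# must have been run on every server in the farm so the stored credentials
# can be encrypted.

$webAppUrl  = "https://intranet.contoso.com"   # assumption
$forestName = "ad.acme.com"                     # assumption
$loginName  = "acme\sp_adtrust"                 # assumption

# Prompt rather than hard-code the password so it does not land in
# command history or a saved script.
$password = Read-Host -Prompt "Password for $loginName" -AsSecureString

$wa      = Get-SPWebApplication $webAppUrl
$domains = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains

# -eq on strings is case-insensitive, so AD.ACME.COM matches ad.acme.com
if ($domains | Where-Object { $_.DomainName -eq $forestName }) {
    Write-Host "$forestName is already configured for $webAppUrl"
} else {
    $d = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $d.DomainName = $forestName
    $d.IsForest   = $true          # search the whole forest, not a single domain
    $d.LoginName  = $loginName     # account that lives in the trusted forest
    $d.SetPassword($password)
    $domains.Add($d)
    $wa.Update()                   # persist to the farm configuration
    Write-Host "Added $forestName to the people picker for $webAppUrl"
}

# Verify what the web application will now search
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName |
    Format-Table -AutoSize
```

Run it once per forest; each run leaves the earlier entries in place, which the single stsadm command does not.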

Active Directory Stale Account Management

I recently had a client that would like to automate stale account management without investing in a full-blown identity management solution. Here is the script I came up with.

  • Gets users that have not logged in for 90 days
  • Counts and sends an email to the administrator listing the accounts that were disabled
  • Sets each user's description with the date it was disabled and a note that it was disabled by the script
  • Finally, it disables the accounts

There are more elegant solutions and scripts; feel free to improve it as you wish.

Import-Module ActiveDirectory

function sendMail{

#Set Date
$90Days = (Get-Date).AddDays(-90)

#get enabled users whose last logon is on or before that date
#LastLogonDate is the replicated lastLogonTimestamp, so it can lag real logons by up to 14 days,
#and accounts that have never logged on have no value and are NOT matched by this filter
#@() keeps .Count working when zero or one user matches
$todisable = @(Get-ADUser -SearchBase "OU=Users,DC=contoso,DC=com" -Filter {(LastLogonDate -le $90Days) -and (Enabled -eq $true)} -Properties LastLogonDate,Description)

#count the users
$count = $todisable.Count

#edit the description (ForEach-Object is needed so $_ refers to each user)
$todisable | ForEach-Object {
    Set-ADUser -Identity $_ -Replace @{description="$($_.Description) Disabled By Stale User Script $(Get-Date -Format d) "}
}

#disable the accounts
$todisable | Disable-ADAccount

#SMTP server name
$smtpServer = "exch.contoso.com"

#Creating a Mail object
$msg = New-Object Net.Mail.MailMessage

#Creating SMTP server object
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)

#Email structure
$msg.From = "script@contoso.com"
$msg.ReplyTo = "script@contoso.com"
#recipient (missing in the original); placeholder address
$msg.To.Add("admin@contoso.com")
$msg.Subject = "Stale User Script has Disabled $count Accounts"
$msg.IsBodyHtml = $True
#minimal table styling for the HTML report
$style = "<style>table {border-collapse:collapse} td,th {border:1px solid #999;padding:4px}</style>"
$msg.Body = $todisable | Select-Object Name,DistinguishedName,LastLogonDate | ConvertTo-Html -Head $style | Out-String

#Sending email
$smtp.Send($msg)
}

sendMail


I used some information from here http://blogs.msdn.com/b/rkramesh/archive/2012/03/16/sending-email-using-powershell-script.aspx for the mail information.
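Two things the 90-day filter above will miss: LastLogonDate comes from lastLogonTimestamp, which is only replicated when it is more than about 14 days out of date, and accounts that have never logged on carry no value at all and are silently excluded. The following is an added example, not part of the original post, that builds a report-only stale list by asking every domain controller for its unreplicated lastLogon value, keeping the newest, and judging never-logged-on accounts by their creation date instead of dropping them. The OU path and cutoff are assumptions; disabling is shown with -WhatIf so the output can be reviewed first.

```powershell
# Added example: accurate stale-account report before anything is disabled.
# OU path and cutoff are assumptions; nothing is changed unless -WhatIf is removed.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$ouPath = "OU=Users,DC=contoso,DC=com"   # assumption

# lastLogon is not replicated, so every DC in the domain has to be asked
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Start from the replicated view: enabled accounts whose lastLogonTimestamp is
# old OR absent (absent = never logged on anywhere, which -le would not match)
$candidates = @(
    Get-ADUser -SearchBase $ouPath -Filter { Enabled -eq $true } `
               -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        -not $_.lastLogonTimestamp -or
        [DateTime]::FromFileTime($_.lastLogonTimestamp) -le $cutoff
    }
)

$report = foreach ($u in $candidates) {
    $newest = 0
    foreach ($dc in $dcs) {
        try {
            $ll = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($ll -gt $newest) { $newest = $ll }   # keep the most recent logon seen by any DC
        } catch {
            # an unreachable DC must not make an account look staler than it is
            Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
        }
    }
    $lastLogon = if ($newest) { [DateTime]::FromFileTime($newest) } else { $null }

    # Never-logged-on accounts are judged by age rather than silently skipped
    $stale = if ($lastLogon) { $lastLogon -le $cutoff } else { $u.whenCreated -le $cutoff }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LastLogon         = $lastLogon      # $null means never logged on
        Created           = $u.whenCreated
        Stale             = $stale
    }
}

$staleAccounts = @($report | Where-Object { $_.Stale })
$staleAccounts | Format-Table SamAccountName, LastLogon, Created -AutoSize

# Dry run: shows what would be disabled without touching the accounts.
# Remove -WhatIf (or feed $staleAccounts to the script above) once the list is reviewed.
$staleAccounts | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Querying every DC costs one LDAP read per user per DC, so for a large OU run it against the candidate set (as here) rather than the whole domain; the replicated lastLogonTimestamp is accurate enough to narrow the list, and the per-DC lastLogon only needs to be checked for the accounts that pass that first filter.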