Reputation: 1467
I have no problem writing up a script to create/update Active Directory users. Now comes the need to add a name mapping to each domain user so that we can use central Kerberos authentication.
PS: I am using the QUEST Active Directory module.
I cannot find anything that can achieve this in a PowerShell script. Does anyone know? It can be in any language, not necessarily PowerShell. I can always make the PowerShell script talk to another script to achieve the goal.
Below is the screen for manually adding a name mapping.
Upvotes: 1
Views: 10552
Reputation: 21
Warning: the exact syntax for mapping an account is
Set-ADUser "Username" -Add @{'altSecurityIdentities'="Kerberos:ACCOUNT1@DOMAIN","Kerberos:ACCOUNT2@DOMAIN2"}
Be sure to include 'altSecurityIdentities'= inside the curly brackets.
You can use -Add or -Replace depending on what you want to achieve.
Hope this helps.
Upvotes: 2
Reputation: 563
The secret is that it's the altSecurityIdentities attribute.
I spent much time searching the internet looking for a way to do this, and I couldn't find an answer. This Microsoft page was the breakthrough I needed.
This is what I've come up with:
You might have to Import-Module ActiveDirectory at the beginning of your script.
In my code below, replace USERNAME, but leave the quotes.
Here I'm adding 2 Kerberos names:
Set-ADUser -Identity "USERNAME" -Replace @{altSecurityIdentities="Kerberos:ACCOUNT1@DOMAIN","Kerberos:ACCOUNT2@DOMAIN"}
Here I'm inserting an X509 certificate AND a Kerberos name:
Set-ADUser -Identity "USERNAME" -Replace @{altSecurityIdentities="X509:CERTIFICATEINFORMATION","Kerberos:ACCOUNT2@DOMAIN"}
Obviously you can add more or fewer than 2 by using the comma to delimit the entries. I used the following command to verify that I added the information successfully, but it may also be helpful to map a user manually and then run it to get an idea of what the formatting should look like:
Get-ADUser -Identity "USERNAME" -Properties * | select altSecurityIdentities
Hope this helps!
Upvotes: 0
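A fuller version of the procedure from the two answers above, as an added example that is not part of the original thread: it validates each mapping string, only -Adds entries the account does not already have (AD rejects a duplicate value on a multi-valued attribute), can instead -Replace the whole list, and reads the attribute back to confirm what was stored. It assumes the RSAT ActiveDirectory module and an account allowed to write altSecurityIdentities; the user name and mapping values are placeholders. Two caveats a practitioner should keep in mind: write access to altSecurityIdentities is effectively the ability to authenticate as that account, so treat it like password-reset rights; and since KB5014754, domain controllers treat X509 mappings based only on issuer and subject (the <I>...<S>... and <S>... forms) as weak, so prefer the <I>...<SR>..., <SKI>... or <SHA1-PUKEY>... forms.

```powershell
# Added example, not code from the original answers. Placeholder identity and
# mapping values; requires the ActiveDirectory module and write rights on the
# target object's altSecurityIdentities attribute.
Import-Module ActiveDirectory

function Set-AltSecurityIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Mapping,
        # -ReplaceAll overwrites the whole attribute; default appends (-Add).
        [switch] $ReplaceAll
    )

    # Accept only the two forms discussed above: Kerberos:principal@REALM and
    # X509:<tag>... strings. Anything else is rejected before touching AD.
    $valid = '^(Kerberos:[^@\s]+@[^@\s]+|X509:<[A-Z0-9-]+>.+)$'
    foreach ($m in $Mapping) {
        if ($m -notmatch $valid) {
            throw "Mapping '$m' is not a Kerberos:principal@REALM or X509:<...> string"
        }
    }

    $user    = Get-ADUser -Identity $Identity -Properties altSecurityIdentities
    $current = @($user.altSecurityIdentities)

    if ($ReplaceAll) {
        # -Replace discards every existing value; $Mapping becomes the full list.
        $target = "Replace altSecurityIdentities with: $($Mapping -join ', ')"
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $target)) {
            Set-ADUser -Identity $user -Replace @{ altSecurityIdentities = [string[]]$Mapping }
        }
    }
    else {
        # -Add appends, but adding a value that already exists is an LDAP error
        # (attributeOrValueExists), so send only entries that are genuinely new.
        $new = @($Mapping | Where-Object { $current -notcontains $_ } | Select-Object -Unique)
        if ($new.Count -eq 0) {
            Write-Verbose "All requested mappings are already present on $Identity"
            return $current
        }
        $target = "Add altSecurityIdentities: $($new -join ', ')"
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $target)) {
            Set-ADUser -Identity $user -Add @{ altSecurityIdentities = [string[]]$new }
        }
    }

    # Re-read rather than trusting the local list: this is what the DC stored.
    (Get-ADUser -Identity $user -Properties altSecurityIdentities).altSecurityIdentities
}

# Usage with placeholder values; -WhatIf shows the change without applying it.
Set-AltSecurityIdentity -Identity 'jdoe' -Mapping @(
    'Kerberos:jdoe@CORP.EXAMPLE.COM',
    'X509:<I>DC=com,DC=example,CN=Example Issuing CA<SR>1a2b3c4d'
) -Verbose -WhatIf
```

Run it once with -WhatIf to see exactly which values would be added, then without it; pass -ReplaceAll only when you intend to drop every existing mapping, since -Replace does not merge with what is already on the object.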