If you're getting referral errors from your PowerShell scripts when trying to enumerate users, the problem is most likely your LDAP search scope. An LDAP referral error occurs when you search in a domain that doesn't contain the user you're looking for. For example, if you're looking for the user cn=foo,dc=HQ,dc=contoso,dc=com but your search scope is set to dc=contoso,dc=com, the server may return a referral instead of the object. Some LDAP applications can chase referrals, but for scripting you may want something less complex.
In the example below I contact the AD Global Catalog (GC) for the current domain and search on the AD "mail" attribute. The GC holds a partial replica of every AD object in the forest, so the search succeeds no matter which domain the user lives in. If I find the object I read its Distinguished Name (DN). The DN that comes back can belong to a domain other than the current one (e.g. cn=foo,dc=HQ,dc=contoso,dc=com). I then cast that DN to an ADSI object so I can get and update its properties. This gets you around the referral error!
# Contact the AD Global Catalog to search for the email address.
# Assumed to be set earlier in the script (not shown on this page):
#   $stmail        - the mail address to look up
#   $ManagerURI    - the name of the attribute to update
#   $GrooveManager - the value to write to that attribute
#   $counter       - running count of provisioned accounts
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = [ADSI]"GC://$($dom.Name)"
# $stmail is placed directly in the filter; escape it if it can come from untrusted input.
$search = New-Object System.DirectoryServices.DirectorySearcher($root, "(mail=$stmail)")
$result = $search.FindOne()
if ($result -ne $null)
{
    $user = $result.GetDirectoryEntry()
    #Write-Host "User: " $user.distinguishedName " found" -ForegroundColor Green
    # Cast the DN (which may be in another domain) to an ADSI object so it can be updated
    $dn = $user.distinguishedName
    $adsPath = 'LDAP://' + $dn
    $account = [ADSI]$adsPath
    # Update the user and commit the change to the directory
    $account.Put($ManagerURI, $GrooveManager)
    $account.SetInfo()
    Write-Host " Provisioned account: " $account.distinguishedName " " -ForegroundColor Green
    $counter++
}
else
{
    #$stmail
    Write-Host " Error: Member Email does not exist in Active Directory Global Catalog" -ForegroundColor Red
}
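The same GC-then-bind pattern as an added example (not code from the original post), wrapped in a function that escapes the filter value, insists on exactly one GC match, and binds to the object's own domain derived from its DN rather than relying on referral chasing. It assumes a domain-joined machine with read access to the Global Catalog; Find-ForestUserByMail and the helper names are mine.

```powershell
function Convert-ToLdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value so that an
    # address taken from user input cannot rewrite the search filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DomainDnsNameFromDn {
    # Turn "CN=foo,DC=hq,DC=contoso,DC=com" into "hq.contoso.com" so the bind
    # goes to a DC in the object's home domain. Escaped commas in RDNs are kept.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = foreach ($rdn in ($DistinguishedName -split '(?<!\\),')) {
        if ($rdn.Trim() -match '^DC=(.+)$') { $Matches[1] }
    }
    $dcParts -join '.'
}

function Find-ForestUserByMail {
    param([Parameter(Mandatory)][string]$MailAddress)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")
    $filter = "(&(objectCategory=person)(mail=$(Convert-ToLdapFilterValue $MailAddress)))"
    # Ask the GC only for the DN; the GC partial attribute set is read-only anyway.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $gcRoot, $filter, [string[]]@('distinguishedName'))
    $results = $searcher.FindAll()
    try {
        if ($results.Count -ne 1) {
            throw "Expected exactly one GC match for '$MailAddress', found $($results.Count)."
        }
        $dn = $results[0].Properties['distinguishedname'][0]
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
    $domainDns = Get-DomainDnsNameFromDn $dn
    # Bind in the object's own domain; a writable DirectoryEntry comes back, so
    # Put()/SetInfo() work on it exactly as in the script above.
    [ADSI]"LDAP://$domainDns/$dn"
}

# Placeholder address; replace with a real mailbox in your forest.
# $account = Find-ForestUserByMail -MailAddress 'foo@contoso.com'
# $account.Put('description', 'provisioned'); $account.SetInfo()
```

Refusing to proceed on zero or multiple GC hits matters because duplicate mail values across domains would otherwise update whichever object the GC happened to return first.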