Get Group membership in different domain

  • Question

  • I need to get AD Group Membership from a group in a domain (same forest) different than the user executing the command.

    Example:

    Root Forest: ForestA

    Child Domains: DomainA DomainB

    Group and users in DomainB

    User executing command is in DomainA

    I have solved this by using DA creds from DomainB but I want to be able to execute this as a user in DomainA

    $BGroup =  "CN=BGROUP,OU=Groups,DC=DomainB,DC=ForestA,DC=com"
    $BGroupMembers = get-adgroup $BGroup -Server DC1.DomainB.forestA.com | Get-ADGroupMember -credential DomainB\admin2 -Server DC1.DomainB.forestA.com
    I do not want to have to enter credentials as I need users in DomainA that are not Domain Admins be able to execute this.  The account I'm using in DomainA has full control rights over the group and all the members in Domain B.

    Thursday, March 26, 2020 6:07 PM

Answers

  • If you can get the group's properties you should be able to get the membership from the 'members' property. Iterating over the items in the members property you can use the distinguishedName to feed a ForEach loop containing a Get-ADObject.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 6:56 PM
  • It is not the DC it is the command across Domains that is the issue.  There are known issues with this command and multiple domains.  There is even a function written to replace this for getting members of a group from multiple domains but the group has to still be in the domain you are executing from.

    Get-ADGroupMemberFix is the created function.

    Anyways what I need is a different method than using get-adgroupmember to get the group members for the group in DomainB.

    Which is what we were testing for.  The issue can be resolved by removing ForeignSecurityPrincipals from the group.

    Here is another thing to try that will work if the issue is caused by the above issue:

    Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com -properties members |
        Select-Object -ExpandProperty members |
        Get-AdObject


    \_(ツ)_/

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:03 PM
  • It looks like this worked: 

    Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com -properties members |
        Select-Object -ExpandProperty members |
        Get-AdObject -Server DC1.ForestA.com:3268

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:19 PM
  • After looking at this and looking at what is working I was actually able to fix my get-adgroupmemberfix function.

    Here is the new code that is tested working.  Thank you everyone for all the help!

    Function Get-ADGroupMemberFix {
        [CmdletBinding()]
        param(
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]
            $Identity
        )
        process {
            foreach ($GroupIdentity in $Identity) {
                $Group = $null
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member -Server DC1.ForestA.com:3268
                if (-not $Group) {
                    continue
                }
                Foreach ($Member in $Group.Member) {
                    Get-ADObject $Member -Server DC1.ForestA.com:3268 
                }
            }
        }
    }

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:51 PM

All replies

  • I don't think this is a Powershell problem. What permissions do the users in DomainA have on the group in DomainB? I'm pretty sure they'd need permission to read the "memberof" property.

    You might want to ask this question in an AD forum.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Thursday, March 26, 2020 9:57 PM
  • Rich,

    as I stated above:

    The account I'm using in DomainA has full control rights over the group and all the members in Domain B.

    All accounts in DomainA have READ access of DomainB so reading is not the problem.

    Thursday, March 26, 2020 10:05 PM
  • This is what the GC was built for. Just use a GC query and inter-domain issues will go away.


    \_(ツ)_/

    Thursday, March 26, 2020 11:54 PM
  • Well, then as JRV suggested, remove the -Server parameter and value from the Get-ADGroup and Get-ADGroupMember cmdlets.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, March 27, 2020 2:23 AM
  • Well, then as JRV suggested, remove the -Server parameter and value from the Get-ADGroup and Get-ADGroupMember cmdlets.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    You need to specify a GC server as the target.  The GC server has to be in the current domain.  If the user has read permission on the objects then they will be able to see them but the trusts must be working correctly.

    To use a GC server add the GC port to the NetBIOS server name:

    Get-AdGroup -Server GCNAME:3268

    There is no need to add this to pipelined CmdLets.  It will propagate through:

    Get-AdGroup -Server GCNAME:3268 ... | Get-AdGroupMember



    \_(ツ)_/

    Friday, March 27, 2020 4:09 AM
  • Hello,

    Thank you for posting in our TechNet forum.

    Was the above information useful for you? If you still have problems, please contact us.

    Jolin

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 27, 2020 6:06 AM
  • So when I run the command as you suggest I get:

    Get-ADGroupMember : An operations error occurred

    I can run this command this way if the group is in DOMAINA but when the group is in DOMAINB it fails.

    Just to get away from the rights discussion I have done an effective access lookup on the account in DomainA running the command and it has Read All Properties enabled and also verified that this includes read memberof.
    • Edited by jLawson23 Friday, March 27, 2020 12:34 PM Additional Information
    Friday, March 27, 2020 12:19 PM
  • So when I run the command as you suggest I get:

    Get-ADGroupMember : An operations error occurred

    I can run this command this way if the group is in DOMAINA but when the group is in DOMAINB it fails.

    You need to use the GC server for this and you need to have cross domain privileges.

    To test this just query the GC server for one group with the GroupMember Cmdlet only.

    Get-GroupMember <group samaccountname name> -Server <GCNAME>:3268

    The samaccountname will return all domains that have a group with that name.


    \_(ツ)_/

    Friday, March 27, 2020 12:36 PM
  • I ran the command you mention except that it is Get-ADGroupMember and here is the error that comes back:

    Get-ADGroupMember : The operation is not supported on Global Catalog port.

    Friday, March 27, 2020 12:44 PM
    Sorry.  That is correct.  I forgot that that is one of the commands that the GC doesn't support.

    You will need to query the remote domain directly.  If it fails then you don't have permission or the trust is disrupted in some way.   Test connectivity with a simple command like getting users from the remote Domain with:

    Get-AdUser -Filter * -Server <remote dc>

    You can also use the domain URL.

    Get-AdUser -Filter * -Server domB.foerst.com


    \_(ツ)_/

    Friday, March 27, 2020 1:14 PM
  • This command works just fine:

    Get-ADUser -Filter * -searchbase "DC=DomainB,DC=ForestA,DC=com" -Server  DC1.ForestA.com:3268

    Friday, March 27, 2020 1:21 PM
  • This command works just fine:

    Get-ADUser -Filter * -searchbase "DC=DomainB,DC=ForestA,DC=com" -Server  DC1.ForestA.com:3268

    I didn't say to do it against the GC in the local domain.  You need to query the remote domain - DomainB

    Get-ADUser -Filter *  -Server  DomainB.ForestA.com


    \_(ツ)_/


    • Edited by jrv Friday, March 27, 2020 1:31 PM
    Friday, March 27, 2020 1:31 PM
  • This command worked just fine:

    Get-ADUser -Filter * -searchbase "DC=DomainB,DC=ForestA,DC=com" -Server  DC3.DomainB.ForestA.com

    Friday, March 27, 2020 3:12 PM
  • Now try it with Get-AdGroup


    \_(ツ)_/

    Friday, March 27, 2020 4:01 PM
  • Get-ADGroup works

    Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com

    Friday, March 27, 2020 4:32 PM
  • Now add "| Get-AdGroupMember" to the end.

    \_(ツ)_/

    Friday, March 27, 2020 4:45 PM
  • Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com | get-ADGroupMember

    Get-ADGroupMember : An operations error occurred

    Friday, March 27, 2020 4:48 PM
  • Now try this to find out what is broken:

    get-ADGroupMember groupsamname -Server  DC3.DomainB.ForestA.com


    \_(ツ)_/

    Friday, March 27, 2020 4:59 PM
  • get-ADGroupMember $BGroup -Server  DC3.DomainB.ForestA.com

    Get-ADGroupMember : An operations error occurred

    Friday, March 27, 2020 5:47 PM
  • You have an issue with the remote DC.  Try using the domain without the DC.

    get-ADGroupMember groupsamname -Server  DomainB.ForestA.com

    This will allow Windows to select an available DC. Hopefully it will pick a different DC.


    \_(ツ)_/

    Friday, March 27, 2020 5:54 PM
  • It is not the DC it is the command across Domains that is the issue.  There are known issues with this command and multiple domains.  There is even a function written to replace this for getting members of a group from multiple domains but the group has to still be in the domain you are executing from.

    Get-ADGroupMemberFix is the created function.

    Anyways what I need is a different method than using get-adgroupmember to get the group members for the group in DomainB.

    Friday, March 27, 2020 6:33 PM
  • If you can get the group's properties you should be able to get the membership from the 'members' property. Iterating over the items in the members property you can use the distinguishedName to feed a ForEach loop containing a Get-ADObject.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 6:56 PM
  • It is not the DC it is the command across Domains that is the issue.  There are known issues with this command and multiple domains.  There is even a function written to replace this for getting members of a group from multiple domains but the group has to still be in the domain you are executing from.

    Get-ADGroupMemberFix is the created function.

    Anyways what I need is a different method than using get-adgroupmember to get the group members for the group in DomainB.

    Which is what we were testing for.  The issue can be resolved by removing ForeignSecurityPrincipals from the group.

    Here is another thing to try that will work if the issue is caused by the above issue:

    Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com -properties members |
        Select-Object -ExpandProperty members |
        Get-AdObject


    \_(ツ)_/

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:03 PM
  • Here's the link to the discussion jLawson23 was referring to:

    https://stackoverflow.com/questions/58221736/powershell-5-1-16299-1146-get-adgroupmember-an-operations-error-occurred

    Wouldn't organizing the membership into Domain Global groups and then making each of those groups a member of a Universal group be a way to avoid the problem? Using the -Recursive parameter on the Get-ADGroupMember should give equivalent results.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)


    Friday, March 27, 2020 7:06 PM
  • Rich and JRV thank you I'm going to test this out!

    Friday, March 27, 2020 7:07 PM
    Rich any idea why the get-adgroupmemberfix won't work for the group in another domain?

    I use the function all the time, sure would be nice if I could figure out how to fix that function!  It is always a group though in DOMAINA and provides members from the entire forest.

    So there are some minor differences from the version in this post vs the version I'm using which is:

    Function Get-ADGroupMemberFix {
        [CmdletBinding()]
        param(
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]
            $Identity
        )
        process {
            foreach ($GroupIdentity in $Identity) {
                $Group = $null
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
                if (-not $Group) {
                    continue
                }
                Foreach ($Member in $Group.Member) {
                    Get-ADObject $Member -Server DC1.ForestA.com:3268 
                }
            }
        }
    }

    Friday, March 27, 2020 7:13 PM
  • It looks like this worked: 

    Get-ADGroup $BGroup -Server  DC3.DomainB.ForestA.com -properties members |
        Select-Object -ExpandProperty members |
        Get-AdObject -Server DC1.ForestA.com:3268

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:19 PM
  • If that works then your forest has issues.  The fact that you can retrieve from the local GC and not a remote domain means that something is not working in your forest.

    The issue that the Fix you posted was for was to overcome issues with ForeignSecurityPrincipals.  That issue was supposed to be fixed by at least 2012.  Of course your company may be running 2008 or earlier DCs which will also cause cross forest issues.  

    I am not sure but it may be that upgrading to 2012 or later without raising the functional level of the domains and the forest (which updates the schema) may also cause issues.  

    When I ran into the Get-AdGroupMember issue the error was always "error chasing referrals".  Your error indicates a structural issue with the domain or forest.


    \_(ツ)_/

    Friday, March 27, 2020 7:28 PM
  • After looking at this and looking at what is working I was actually able to fix my get-adgroupmemberfix function.

    Here is the new code that is tested working.  Thank you everyone for all the help!

    Function Get-ADGroupMemberFix {
        [CmdletBinding()]
        param(
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]
            $Identity
        )
        process {
            foreach ($GroupIdentity in $Identity) {
                $Group = $null
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member -Server DC1.ForestA.com:3268
                if (-not $Group) {
                    continue
                }
                Foreach ($Member in $Group.Member) {
                    Get-ADObject $Member -Server DC1.ForestA.com:3268 
                }
            }
        }
    }

    • Marked as answer by jLawson23 Friday, March 27, 2020 8:42 PM
    Friday, March 27, 2020 7:51 PM
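    As an added example that is not code from the thread: the same approach as the accepted fix (read the group's member attribute from a DC in the group's own domain, then resolve each DN against a Global Catalog, never calling Get-ADGroupMember on the GC port), extended to translate ForeignSecurityPrincipal members back to their SID-identified account, since the thread names those as the usual trigger for the "operations error". The server names DC3.DomainB.ForestA.com and DC1.ForestA.com:3268 and the function name Get-CrossDomainGroupMember are assumptions, and the whole thing runs with plain read access rather than the DomainB DA credentials from the original question.

```powershell
# Added example, not code from the thread. Assumes DC1.ForestA.com is a GC in
# the caller's domain and DC3.DomainB.ForestA.com is a DC in the group's domain.
Function Get-CrossDomainGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [string[]]$Identity,                                   # group DN(s), e.g. $BGroup
        [string]$GroupDomainServer = 'DC3.DomainB.ForestA.com', # DC in the group's domain (assumed)
        [string]$GlobalCatalog = 'DC1.ForestA.com:3268'         # GC in the caller's domain (assumed)
    )
    process {
        foreach ($GroupDn in $Identity) {
            # 'member' is a list of DNs; reading it needs only read access on the group,
            # which the OP's DomainA account already has.
            $Group = Get-ADGroup -Identity $GroupDn -Properties member -Server $GroupDomainServer
            if (-not $Group) { continue }

            foreach ($MemberDn in $Group.member) {
                if ($MemberDn -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') {
                    # ForeignSecurityPrincipal: the DN only carries a SID. Look the SID up
                    # in the GC so the real account is returned instead of the FSP stub.
                    $Sid  = $Matches[1]
                    $Real = Get-ADObject -Filter "objectSid -eq '$Sid'" -Server $GlobalCatalog `
                                -Properties objectSid, samAccountName
                    if ($Real) {
                        $Real
                    } else {
                        # Well-known SIDs and accounts from an external forest are not in the GC.
                        Write-Warning "Unresolved FSP $Sid in $GroupDn (orphaned or outside the forest)"
                    }
                    continue
                }

                # Ordinary member from any domain in the forest: the GC holds every object,
                # so one server answers for all of them without chasing referrals.
                Get-ADObject -Identity $MemberDn -Server $GlobalCatalog -Properties samAccountName
            }
        }
    }
}

# Usage with the group from the question:
# $BGroup = "CN=BGROUP,OU=Groups,DC=DomainB,DC=ForestA,DC=com"
# $BGroup | Get-CrossDomainGroupMember | Select-Object Name, ObjectClass, samAccountName
```

    The warning branch is the check worth keeping: an FSP that resolves to nothing is an orphaned entry left behind by a deleted account or a removed trust, which is exactly what the thread suggests cleaning out of the group.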
    Our AD environment is all 2016 DC's running at a forest/domain functional level of 2008R2.  There are no issues with the AD environment.  This I know.

    This has been a known issue online regarding Get-adgroupmember and you can see this by doing a search.

    If raising the functional level of the domain or upgrading domain controllers fixed this command it would be discussed online but nowhere in the 1000's of posts regarding this issue does it ever say the fix is to perform any of those steps but maybe this is the resolution...  We used to be 2008R2 DC's across the board and all of those DC's are gone as we upgraded in January to 2016.  I have had this issue for years.

    I really appreciate everyone's help regarding figuring this out but do not agree there is a forest issue in our environment.


    • Edited by jLawson23 Friday, March 27, 2020 8:01 PM
    Friday, March 27, 2020 7:57 PM
  • Yes but your error is not what the issues are about.    As far as I know there is no MS document that says this is an error. It has always been a side issue.

    I am pretty sure that level 2008 is not changing the schema for the foreign accounts.  Of course that is not your issue.  Your error indicates an issue with the forest.  It doesn't matter which object throws that error or why.

    You have working code so let it be.


    \_(ツ)_/

    Friday, March 27, 2020 8:39 PM
  • Once we raise our domain forest level I will for sure test and if it fixes it I will come back here and respond.

    Thanks again everyone!

    Friday, March 27, 2020 8:41 PM
    Changing the forest level will not fix the issue you are seeing.  It only fixes the one caused by "chasing referrals".  Your issue is something to do with the forest. It is telling you that there is an issue.

    I have seen this with other CmdLets.  Restarting ADWS has fixed this error but not for all instances.  Other times the DCs had to be rebooted.  I have never seen a diagnostic that gave a hint as to why this was happening and the diagnostics don't address ADWS as far as I know.


    \_(ツ)_/

    Friday, March 27, 2020 9:11 PM