Not Getting users details from trusted domains

    Question

  • Hi Experts.

    I am trying to get the users of Trusted domain from my domain with below commands. It was working fine in starting but now I am getting errors of user not found. Please check and suggest.

    Import-Module ActiveDirectory
    Import-Csv groups.csv | % {
        $group = $_.group
        Get-ADGroup $group -server "contoso.COM" -Properties Members |
            Select-Object -ExpandProperty Members |
            Get-ADUser -Properties name,samaccountname,distinguishedname,enabled,country |
            Select name,samaccountname,distinguishedname,enabled,country,@{l="groupname";e={$group}} |
            Export-csv addata.csv -NoTypeInformation -Append
    }

    ###################### errors#################

    D:\temp\QK.ps1
    Get-ADUser : Cannot find an object with identity: 'CN=Victor Fernandez 
    (1010101),OU=WWK,OU=na,OU=BAR,OU=Users,DC=DX,DC=com' under: 'DC=Contoso,DC=com'.
    At D:\temp\QK.ps1:6 char:1
    + Get-ADUser -Properties name,samaccountname,distinguishedname,enabled,country |
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (CN=Victor Ferna...s,DC=DX,DC=com:ADUser) [Get-ADUser], ADIdentityNotFoundEx 
       ception
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Micros 
       oft.ActiveDirectory.Management.Commands.GetADUser


    Thursday, December 6, 2018 4:10 PM

All replies

  • Try using the -Server parameter of Get-ADUser to specify the Global Catalog port of a DC. For example:

    -Server MyDC.MyDomain.com:3268

    This will query all partitions in the GC. I believe all of the attributes for the properties you request are replicated to the GC.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 6, 2018 5:34 PM
  • Tried this way as well but no luck..
    Thursday, December 6, 2018 5:47 PM
  • Hello,

    I believe this is an issue with:

    Get-ADGroup $group -server "contoso.COM" -Properties Members

    The above will include the names of groups nested in the group you are querying.

    Add -Recursive to your query so you don't pull any group names.

    If you use Get-Aduser on a group name, it will error?

    Thursday, December 6, 2018 7:05 PM
  • Get-ADGroup : A parameter cannot be found that matches parameter name 'Recursive'.

    Getting this error

    Thursday, December 6, 2018 7:47 PM
  • Get-ADGroupMember has a -Recursive switch, but Get-ADGroup does not.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)


    Thursday, December 6, 2018 8:06 PM
  • It's possible that the group contains the distinguished name of a user that's no longer in the AD.

    Also, you're depending on the group's membership to contain only users. You'll generate errors if you encounter another group in the membership list or, say, a contact (or anything else that can be present in a group's membership).


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Thursday, December 6, 2018 8:14 PM
  • Get-AdUser will fail if the member is a group.

    Import-Csv groups.csv |
        ForEach-Object {
            $group = $_.group
            Get-ADGroup $group -server contoso.COM |
            Get-AdGroupMember |
            Where-Object{ $_.objectClass -eq 'User' } |
            Get-ADUser -Properties name, samaccountname, distinguishedname, enabled, country |
            Select-Object name, samaccountname, distinguishedname, enabled, country, @{ l = "groupname"; e = { $group } }
        }



    \_(ツ)_/




    Thursday, December 6, 2018 8:17 PM
    Moderator
  • Should that added test have been this?

    Get-ADObject | Where-Object{$_.ObjectClass -eq 'User' -and $_.ObjectCategory -eq 'User'} |

    The membership list holds only the distinguished name. You'd have to check the AD Object to know what the DN referred to.

    Also, it might be unusual, but if the membership held (for instance) a computer's DN the Get-ADUser would fail. If you're looking solely for users you have to check the ObjectClass and ObjectCategory. BTDT :-(


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)


    Thursday, December 6, 2018 8:34 PM
    No.  The class is user which filters out the class 'Group'.  That is all you need.

    "objectCategory" is used for other things.

    Run this to see what I mean.

    Get-AdObject -Filter "objectClass -eq 'User'" -Properties objectcategory|select objectclass,objectcategory


    \_(ツ)_/


    Thursday, December 6, 2018 9:29 PM
    Moderator
  • If I had an AD to look at I would. I tore down my home office when I retired. That's why I don't answer most AD-related questions. :-)

    According to the LDF defining the "CN=Computer", it's a subclass of "user" with an objectCategory of "Computer".

    Maybe the filter is smarter than I give it credit for being, but if you use a LDAP query on just "objectClass=user" you used to pick up computer objects, too.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Thursday, December 6, 2018 10:27 PM
  • Actually, computer objects in AD have class user, in addition to computer, top, and organizationalPerson.

    Edit: Computers also have class person. I should have looked in MY lab before answering.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, December 6, 2018 10:40 PM
  • A computer object is really an account.  It is not a subclass of user but does inherit from the same source.

    This is what we get with "objectClass" of a computer object.

    PS C:\scripts> Get-AdComputer -Filter * | select objectclass
    
    objectclass
    -----------
    computer
    computer
    computer
    computer

    This is what we get with "objectCategory"

    PS C:\scripts> Get-AdComputer -Filter *  -Properties objectCategory| select objectCategory
    
    objectCategory
    --------------
    CN=Computer,CN=Schema,CN=Configuration,DC=KAHLNET,DC=local
    CN=Computer,CN=Schema,CN=Configuration,DC=KAHLNET,DC=local
    CN=Computer,CN=Schema,CN=Configuration,DC=KAHLNET,DC=local
    CN=Computer,CN=Schema,CN=Configuration,DC=KAHLNET,DC=local
    

    No "user" in sight.

    The category is a list of schema classes that the object was created from. 

    With "Members" we get "class" which we enforce as "User" so we can pass it to "GetAdUser" without errors.

    "objectClass" refers to the schema class that the object was created on.  Each object has only one unique "objectClass".

    OK?


    \_(ツ)_/

    Thursday, December 6, 2018 10:44 PM
    Moderator
  • Actually, computer objects in AD have class user, in addition to computer, top, and organizationalPerson.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Not in RSAT.  Only in the extended schema.  If we search or filter by class then you are correct.

    Get-AdObject -Filter {objectClass -eq 'User' -and objectClass -ne 'Computer'}

    But when directly testing 'User' filters.

    When doing this you will never get a computer object:

    Get-AdObject -Filter * |?{$_.objectClass -eq 'User'}

    Just a little about how AD attributes get unwound by AD and by external code.


    \_(ツ)_/

    Thursday, December 6, 2018 10:53 PM
    Moderator
  • I believe you are correct. I can't find a reference now, but I believe PowerShell deals with the most specific (lowest level ?) class of the object. ObjectClass is multi-valued, ObjectCategory is single valued.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 6, 2018 10:56 PM
  • I believe you are correct. I can't find a reference now, but I believe PowerShell deals with the most specific (lowest level ?) class of the object. ObjectClass is multi-valued, ObjectCategory is single valued.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    I believe it is that ADSI returns the "top" class. The schema always references "objectClass" as "top" and not the objects schema class. The "-filter" operation uses the AD query engine which looks at all of the included schema classes and returns true if any one matches.

    There are newer books on developing with AD for extensions and alterations to the AD service that go into more detail.  I have been thinking about going through one as there is much more detail about these behaviors and implementations.

    I am still waiting for the new documentation on the 2019 version of AD.  It may also have more detail.


    \_(ツ)_/

    Thursday, December 6, 2018 11:12 PM
    Moderator
    I found something. The Wiki I wrote on Get-ADObject says the PowerShell ObjectClass property returns the most specific value of the objectClass attribute. I think I concluded that by testing. Also, the help for Get-ADObject has an example that uses the filter (ObjectClass -eq "user"), with no reference to a clause involving ObjectCategory.

    https://social.technet.microsoft.com/wiki/contents/articles/12103.active-directory-get-adobject-default-and-extended-properties.aspx

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617198(v=technet.10)


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 6, 2018 11:27 PM
  • Yes but:

    Get-AdObject -Filter {ObjectClass -eq "user"}|select objectclass

    Will return both users and computers.

    This is why MS decided to use Get-AdUser, Get-AdComputer, etc to break this tie.  I have always thought that

    Get-AdObject -Class User, Contact, ServiceAccount

    Would have been a better approach.  MS and I usually think alike but the guys and gals at AD and Exchange are in a much different world.


    \_(ツ)_/


    • Edited by jrvModerator Thursday, December 6, 2018 11:31 PM
    Thursday, December 6, 2018 11:31 PM
    Moderator
  • Thanks to JRV and Richard Mueller for the discussion.

    I spent many years dealing with the AD (our company was part of MS's early adopters program for AD and Exchange 2000), but that was before the ActiveDirectory module was available. ADSI wasn't so nice as to select the most specific of anything which is why I've always used both objectClass and objectCategory to avoid getting a mixed result when I wanted only one sort of object from the search.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, December 7, 2018 3:10 AM
  • Hi 

    I have changed the script as given below, which works fine at the start, but after some time I get the exceed limit errors as well.

    Import-Csv .\groups.csv | foreach {
        $group = $_.group
        Get-ADGroupMember $group -Recursive -server "dx.com" |
            Select name,samaccountname |
            %{ Get-ADUser $_.samaccountname -server "dx.com" -Properties name,samaccountname,enabled,country |
               Select @{Name="Group";Expression={$group}},name,samaccountname,enabled,country }
    } | Export-Csv allusers.csv -NoTypeInformation


    • Edited by Mr. Raj Friday, December 7, 2018 2:55 PM
    Friday, December 7, 2018 2:19 PM
  • HI JRV

    I tried to use your script, but this script is not giving me any output..

    Friday, December 7, 2018 2:23 PM
  • HI JRV

    I tried to use your script, but this script is not giving me any output..

    Sorry.  I copied the wrong code:

    Import-Csv groups.csv |
        ForEach-Object {
            $group = $_.group
            Get-ADGroup $group -server contoso.COM |
            Get-AdGroupMember |
            Where-Object{ $_.objectClass -eq 'User' } |
            Get-ADUser -Properties name, samaccountname, distinguishedname, enabled, country |
            Select-Object name, samaccountname, distinguishedname, enabled, country, @{ l = "groupname"; e = { $group } }
        }

    This is tested exactly except for the server name.


    \_(ツ)_/

    Friday, December 7, 2018 2:57 PM
    Moderator
  • Please only post properly formatted and indented code with the code posting tool provided.  Your code is unreadable in most browsers.


    \_(ツ)_/


    Friday, December 7, 2018 2:59 PM
    Moderator
  • HI JRV

    The script started well and gave output as well, but after some time I got the error below:

    Get-AdGroupMember : The size limit for this request was exceeded
    At line:5 char:9
    +         Get-AdGroupMember |

    Friday, December 7, 2018 4:08 PM
  • HI JRV

    The script started well and gave output as well, but after some time I got the error below:

    Get-AdGroupMember : The size limit for this request was exceeded
    At line:5 char:9
    +         Get-AdGroupMember |


    You have to post the exact code you are using.  If a group has more than 1000 members it may give issues.

    \_(ツ)_/

    Friday, December 7, 2018 4:17 PM
    Moderator
  • Import-Csv groups.csv |
        ForEach-Object {
            $group = $_.group
            Get-ADGroup $group -server DX.COM |
            Get-AdGroupMember |
            Where-Object{ $_.objectClass -eq 'User' } |
            Get-ADUser -Properties name, samaccountname, distinguishedname, enabled, country |
            Select-Object name, samaccountname, distinguishedname, enabled, country, @{ l = "groupname"; e = { $group } }
        }

    Friday, December 7, 2018 4:30 PM
    No issue unless you have a group with more than 1000 members which I doubt.  You may have other issues with RSAT.  Pick a different server to see if that helps.


    \_(ツ)_/

    Friday, December 7, 2018 4:46 PM
    Moderator
  • Yes we have more than 1000 group members.
    Friday, December 7, 2018 5:10 PM
  • My recollection is that Get-ADGroupMember (and Get-ADGroup) handle large groups (with more than 1000 members) fine. The PowerShell code behind the cmdlets uses the range retrieval methods necessary for large groups.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, December 7, 2018 6:18 PM
    So you mean, Richard, the script is fine but the issue is somewhere else?

    Friday, December 7, 2018 6:21 PM
  • My recollection is that Get-ADGroupMember (and Get-ADGroup) handle large groups (with more than 1000 members) fine. The PowerShell code behind the cmdlets uses the range retrieval methods necessary for large groups.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Ahh yes.  I remember that now that you noted it.

    Perhaps using the server parameter would prevent referrals which can cause issues if there are network problems.

    Get-AdGroupMember -Server <same as get-adgroup>


    \_(ツ)_/

    Friday, December 7, 2018 6:23 PM
    Moderator
    While running the commands below, no errors are showing....

    Import-Csv groups.csv |
        ForEach-Object {
            Get-ADGroupMember $_.group -Server "DX.com"
        }


    5 hours 31 minutes ago
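Putting the thread's advice together (the same -Server on every cmdlet so no lookup falls back to the local domain, a client-side objectClass check so groups, contacts and computers are skipped, and per-object error handling so one stale DN does not abort the export), as an added example that is not code from the thread. It assumes groups.csv has a 'group' column as in the question, that the trusted domain answers as dx.com, and that the RSAT ActiveDirectory module is installed; the function name is mine.

```powershell
# Added example; not from the thread. Assumes groups.csv has a 'group' column,
# the trusted domain is reachable as dx.com, and RSAT ActiveDirectory is present.
Import-Module ActiveDirectory

function Get-TrustedDomainGroupUsers {
    param(
        [Parameter(Mandatory)] [string] $GroupCsv,
        # Either the trusted domain (dx.com) or a DC's GC port (dc01.dx.com:3268).
        [Parameter(Mandatory)] [string] $Server
    )

    Import-Csv $GroupCsv | ForEach-Object {
        $group = $_.group
        try {
            # -Recursive flattens nested groups; -Server keeps the query in the
            # trusted domain instead of the caller's domain (the original error).
            $members = Get-ADGroupMember -Identity $group -Server $Server -Recursive -ErrorAction Stop
        }
        catch {
            Write-Warning "Group '$group': $($_.Exception.Message)"
            return   # skip to the next group
        }

        foreach ($m in $members) {
            # The ObjectClass property holds the most specific class, so 'user'
            # excludes computer objects, contacts and any remaining groups.
            if ($m.objectClass -ne 'user') { continue }
            try {
                Get-ADUser -Identity $m.distinguishedName -Server $Server `
                    -Properties name, samaccountname, distinguishedname, enabled, country -ErrorAction Stop |
                    Select-Object @{ n = 'groupname'; e = { $group } },
                        name, samaccountname, distinguishedname, enabled, country
            }
            catch {
                # A member DN that no longer resolves is reported, not fatal.
                Write-Warning "Member '$($m.distinguishedName)' in '$group': $($_.Exception.Message)"
            }
        }
    }
}

Get-TrustedDomainGroupUsers -GroupCsv .\groups.csv -Server 'dx.com' |
    Export-Csv .\addata.csv -NoTypeInformation
```

The warnings go to the warning stream, so the CSV only ever contains resolved user rows; check the console (or redirect stream 3) for groups or members that were skipped.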