Powershell or Other to find domain\name information multidomain RRS feed

  • Question

  • hi 

    I am trying to retrieve the login name (in the form Domain \ firtsname.lastname) from all users, members of an AD group, from several different domains

    This script is probably not optimized and sends back info from the domain only for those who are in the domain where the script is played.

    $domains = (Get-ADForest).domains
    foreach ($domain in $domains)
        $GroupAD = Get-ADGroup -Filter { Name -eq $groupName } -Server $domain
    	$Members = $GroupAD | Get-ADGroupMember -Recursive -Server $domain | Get-ADUser -Property * | Select-Object  @{Name="Domain";Expression={Get-ADDomain ($_.DistinguishedName.Substring($_.DistinguishedName.IndexOf("DC"))) | Select-Object -ExpandProperty NetBiosName}},@{Name="Group";Expression={$GroupAD.Name}}, Name,DisplayName,UserPrincipalName,SamAccountName
    	if ($Members.Count -gt 0)
    		$hMembers +=  $Members  	
    $hMembers | Export-csv -path $pathfileFolder -NoTypeInformation

    Thanks for your helps.


    Thursday, September 5, 2019 9:27 AM

All replies

  • Get-ADUser -Property * -Server $domain
    Try using above, Get-ADUser looks for the user in the domain from which it is executed.
    Thursday, September 5, 2019 9:44 AM
  • I am looking first in what domain is the group AD

     $domain will be the domain of the group AD not that of the user


    Thursday, September 5, 2019 10:47 AM
  • @DumbleD0re is correct. The command will only search the domain controller specified in the '-Server' parameter. You could create a separate function to step through the domains and search for each users in all of the domains. Something like this:

    function SearchAllDomains($SamAccountName)
        $users = @();
        foreach($domain in $domains)
                $users += Get-ADUser -Identity $SamAccountName -Server $domain -Property * -ErrorAction SilentlyContinue
        return $users

    Monday, September 9, 2019 3:33 AM
  • thanks but I don t see any property that gives me the information Domain\name.firstname


    Monday, September 9, 2019 10:38 AM
  • You could parse the CanonicalName property, and concatenate it with the GivenName, and Surname Properties into a [string], like this:

    $user = get-aduser -Identity $SamAccountName -Properties *
    $string = "$($user.CanonicalName.Split("/")[0].Split(".")[0])\$($user.GivenName).$($user.Surname)"

    Or, if you wanted the full domain name:

    $user = get-aduser -Identity $SamAccountName -Properties *
    $string = "$($user.CanonicalName.Split("/")[0])\$($user.GivenName).$($user.Surname)"

    Monday, September 9, 2019 12:38 PM
  • Add the port number of your Global Catalog Server to the server name in the Get-ADUser cmdlet, and use the name of a Global Catalog server:

    Get-ADUser -Server <GC-Server:3268> . . .

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Proposed as answer by jrv Monday, September 9, 2019 5:19 PM
    Monday, September 9, 2019 2:33 PM
  • I test with <GC-Server:3268> , the same ,

    the domain is empty for those who are not domain or the script is played

     $pathfileFolder = "C:\BI_Files\Export\AD_Groups_Export.csv"  
      $dcglobal = "sample.groupe.net:3268"
      $groupName = 'GRP-DEV-TEST'

        $GroupAD = Get-ADGroup -Filter { Name -eq $groupName } -Server $domain

     $Members = $GroupAD | Get-ADGroupMember -Recursive -Server $domain | Get-ADUser -Property * -Server $dcglobal | Select-Object  @{Name="Domain";Expression={Get-ADDomain ($_.DistinguishedName.Substring($_.DistinguishedName.IndexOf("DC"))) | Select-Object -ExpandProperty NetBiosName}},@{Name="Group";Expression={$GroupAD.Name}}, Name,DisplayName,UserPrincipalName,SamAccountName

     if ($Members.Count -gt 0)
      $hMembers +=  $Members   

    $hMembers | Export-csv -path $pathfileFolder -NoTypeInformation


    Thursday, September 19, 2019 2:51 PM
  • Have you tried getting domain info from the CanonicalName attribute per my earlier reply?

    There are other attributes that contain the domain as well, but CanonicalName is certain to be not null. 

    Friday, September 20, 2019 1:54 PM
  •  i test wit canonicalName , but  what is the syntax in the following context ?

    ... $Members = $GroupAD | Get-ADGroupMember -Recursive  | Get-ADUser -Property *  | Select Name,DisplayName,UserPrincipalName,SamAccountName,  @{Name="DomainName";Expression=($_.CanonicalName.Split("/")[0].Split(".")[0]) + '\' + ($_.GivenName).$($_.Surname)}

    that sends me back the canonicalname.


    Monday, September 23, 2019 8:21 AM
  • I'm not sure I understand this:

    "the domain is empty for those who are not domain or the script is played"

    If the group whose members you're retrieving is a Domain Global group, then the membership can only contain members of the same AD domain.

    The membership of Domain Global groups is not propagated to the Global Catalog, so taking my advice to query the GC won't work. But omitting the -Server parameter from the Get-ADGroup and Get-ADGroupMember should work. That way the GC should be queried and the query then redirected to an appropriate DC.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Proposed as answer by jrv Wednesday, September 25, 2019 7:30 PM
    Wednesday, September 25, 2019 7:02 PM
  • The canonical name will be a string, separated by '/'. The script I posted earlier takes that string, and splits it apart so that each value between slashes can be accessed independently. The first of these slash-separated values is the domain. The first line below get the first value from the canonical name string.

    The second and third lines get the GivenName and SurName properties from the Get-ADUser return value object.

    My earlier post concatenated all of these into a string: "contoso\firstName.lastName"




    Alternatively, this variation will give you something like: "contoso.com"

    Thursday, September 26, 2019 12:39 PM
  • Hi,

    Sorry, i m not a expert powershell but i try directly your solution without foreach on users

    I am looking to export directly but  maybe is not possible in the following context ?
    ... $Members = $GroupAD | Get-ADGroupMember -Recursive  | Get-ADUser -Property *  | Select Name,DisplayName,UserPrincipalName,SamAccountName,  @{Name="DomainName";Expression=($_.CanonicalName.Split("/")[0].Split(".")[0]) + '\' + ($_.GivenName).$($_.Surname)}

    If i must pass with a foreach, how do I update after my collection before export ?



    Friday, September 27, 2019 12:49 PM