Get the attributes of foreign security principals of an AD Group.

  • Question

  • I have N number of domains and I have AD groups created all over them. I am allowing the user to select the domain and I am filtering the list of groups. Now, my next step is that I have the members of those groups, which can be a user or group or any kind of AD object from any domain (foreign security principals), whose SID the system stores in the member attribute of the main AD group/object. I am able to generate the members list based on the scenario of a single domain; however, in case of a group having a member from another domain I am not able to find an efficient approach for how to link in the code that could fetch attributes using the SID.

    I am using $groupGUID as a parameter to pass and check for the members. This is my PowerShell class:

    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    class MemberList {
        [string] $DisplayName
        [string] $MemberGUID
        [string] $GroupGUID
        [string] $Enabled

        # Default constructor: every field starts as "Unknown"
        MemberList() {
            $this.MemberGUID = "Unknown"
            $this.GroupGUID = "Unknown"
            $this.Enabled = "Unknown"
        }

        # Build a member entry from an AD object returned by Get-ADObject
        MemberList([Object] $ADObject) {
            # DisplayName was never assigned in the posted code; Name is assumed here so Sort-Object has something to sort on
            $this.DisplayName = $ADObject.Name
            $this.MemberGUID = $ADObject.objectGUID
            # ADS_UF_ACCOUNTDISABLE (0x2) clear means the account is enabled
            $this.Enabled = (($ADObject.userAccountControl -band 2) -eq 0)
        }
    }

    And I am invoking the object of this class as follows:

    $MemberLists = @()
    ForEach ($ADObject in @(Get-ADGroupMember -Identity $GroupGUID -ErrorAction Stop -Server "myDomain.net")) {
        $MemberList = New-Object MemberList -ArgumentList (Get-ADObject -Identity $ADObject -Properties *)
        $MemberList.GroupGUID = $GroupGUID
        $MemberLists += $MemberList
    }
    $MemberLists | Select-Object -Property * | Sort-Object -Property DisplayName

    myDomain will be the domain selected by the user, where the main group lies. Now where should I put the script to fetch the members that belong to other domains? Inside the ForEach loop? Or, when I am creating a new object inside the loop, how do I implement the script in such a way that it will track down the SID and give me the attributes of the members from various domains? All I found out was that the member attribute stores the information like this:

    member          : {CN=S-1-5-XX-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXX,CN=ForeignSecurityPrincipals,DC=myDomain,DC=net,

    I found out that using the code below I can locate the member but can't figure out the connecting part into the loop.

    ([System.Security.Principal.SecurityIdentifier] "S-1-5-XX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXXX").Translate([System.Security.Principal.NTAccount]).value

    Any kind of suggestion would be appreciated.

    • Edited by Nikul Vyas Tuesday, September 10, 2019 8:59 PM
    Tuesday, September 10, 2019 8:57 PM
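    As an added example (not the original poster's or any reply's code), one way to handle the foreign security principal members the question describes: read the group's raw member attribute, detect foreignSecurityPrincipal entries, translate their SID to DOMAIN\name through the trust, and look the principal up by SID in its home domain. The function name Resolve-GroupMember and the SourceDomain/Unresolved values are assumptions; $GroupGUID and myDomain.net come from the question.

```powershell
# Added example: resolve group members, including foreign security principals (FSPs).
Import-Module ActiveDirectory -ErrorAction Stop

function Resolve-GroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,   # GUID, DN or name of the group
        [Parameter(Mandatory)] [string] $GroupDomain      # domain holding the group, e.g. myDomain.net
    )
    # Read the raw 'member' attribute rather than expanding it with Get-ADGroupMember:
    # cross-domain members appear as CN=<SID>,CN=ForeignSecurityPrincipals,... entries.
    $group = Get-ADGroup -Identity $GroupIdentity -Server $GroupDomain -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $GroupDomain -Properties objectSid, userAccountControl
        $sourceDomain = $GroupDomain
        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            # The FSP stub carries only the SID; translate it to DOMAIN\name via the trust.
            $sid = [System.Security.Principal.SecurityIdentifier] $obj.objectSid.Value
            try {
                $ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $sourceDomain = ($ntAccount -split '\\')[0]
                # Well-known SIDs (e.g. Authenticated Users) have no home-domain object to query.
                if ($sid.IsAccountSid()) {
                    # Identity accepts a SID string; no -Server guessing by GUID is needed.
                    $obj = Get-ADObject -Identity $sid.Value -Server $sourceDomain -Properties userAccountControl
                }
            } catch {
                # Trust or read-permission problem: keep the FSP stub and flag it for review.
                $sourceDomain = 'Unresolved'
            }
        }
        [PSCustomObject]@{
            DisplayName  = $obj.Name
            ObjectClass  = $obj.ObjectClass
            SourceDomain = $sourceDomain
            MemberGUID   = $obj.ObjectGUID
            GroupGUID    = $group.ObjectGUID
            # Only users and computers carry userAccountControl; groups and FSP stubs get $null,
            # so a group member is never reported as "enabled" by accident.
            Enabled      = $(if ($null -ne $obj.userAccountControl) { ($obj.userAccountControl -band 2) -eq 0 } else { $null })
        }
    }
}

# Usage with the names from the question ($GroupGUID is the group selected by the user):
# Resolve-GroupMember -GroupIdentity $GroupGUID -GroupDomain 'myDomain.net' | Sort-Object DisplayName
```

    Nested groups are reported with ObjectClass 'group' rather than expanded; an access review that needs transitive membership would call the function again on each such entry.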

All replies

  • The members are stored as distinguished names and they will be found assuming the user has read permission on the remote domains.

    For what you are asking using the GC will be easier and faster.

    class MemberList {
        [string]$DisplayName = 'Unknown'
        [string]$MemberGUID = 'Unknown'
        [string]$GroupGUID = 'Unknown'
        [string]$Enabled = 'Unknown'
        MemberList([Object]$ADObject) {
            $this.DisplayName = $ADObject.Name
            $this.MemberGUID = $ADObject.objectGUID
            $this.Enabled = ($ADObject.userAccountControl -band 2) -eq 0
        }
    }
    $GroupGUID = Get-ADGroup 'Domain Users' | Select-Object -ExpandProperty objectGUID
    Get-ADGroupMember -Identity $GroupGUID -Server myDomain.net |
        ForEach-Object {
            $obj = Get-ADObject $_ -Properties UserAccountControl -Server myDomain.net:GC
            $mlist = [MemberList]::New($obj)
            $mlist.GroupGUID = $GroupGUID
            $mlist   # emit the object so it reaches Sort-Object
        } |
        Sort-Object -Property DisplayName

    You really don't need or want a class for this. Just use a custom object to retrieve this trivial information.

    Get-ADGroupMember -Identity $GroupGUID -Server myDomain.net:GC |
        ForEach-Object {
            $obj = Get-ADObject $_ -Properties UserAccountControl -Server myDomain.net:GC
            [PSCustomObject]@{
                DisplayName = $obj.Name
                GroupGUID   = $GroupGUID
                MemberGUID  = $obj.objectGUID
                Enabled     = ($obj.userAccountControl -band 2) -eq 0
            }
        } |
        Sort-Object -Property DisplayName

    This is easier and less prone to errors.


    Tuesday, September 10, 2019 10:30 PM
  • Actually, there's a possibility of a group being a member too, so to distinguish the attributes I created the class. And in that case, for the Enabled attribute I can show null. However, GC seems to be giving an error. XXX --> Group GUID.

    + Get-ADGroupMember -Identity $GroupGUID -Server 'myDomain.net'|
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    • Edited by Nikul Vyas Tuesday, September 10, 2019 11:07 PM
    Tuesday, September 10, 2019 11:06 PM
  • There is no need to use a class. All of that can be done as I posted. You also do not really want to use GUIDs to get things when the DN is available. A DN can find its domain. A GUID can't.


    Tuesday, September 10, 2019 11:09 PM
  • So, you mean to say this will fetch me the group member attributes from other domains?

    $DN = Get-ADObject -Identity $GroupGUID -Server 'myDomain.net' -Properties DistinguishedName | Select-Object -ExpandProperty DistinguishedName
    Get-ADGroupMember -Identity $DN -Server 'myDomain.net' |
        ForEach-Object {
            $obj = Get-ADObject $_ -Properties UserAccountControl -Server 'myDomain.net:GC'
            [PSCustomObject]@{
                DisplayName = $obj.Name
                GroupGUID   = $GroupGUID
                MemberGUID  = $obj.objectGUID
                Enabled     = ($obj.userAccountControl -band 2) -eq 0
            }
        } | Sort-Object -Property DisplayName

    It is giving the same kind of error as stated above.

    Tuesday, September 10, 2019 11:38 PM
  • The distinguished name has the domain and forest as part of its string. That is how things are found in AD. Of course, for all accesses of any kind you must have a correctly configured domain and forest, and you must have read access to the objects in all domains that you want to access.

    When accessing across domains, do not use the "Server" parameter. Let AD find the server from the DN.


    Tuesday, September 10, 2019 11:46 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,


    Just do it.

    Friday, October 4, 2019 8:20 AM