Question regarding cross child domain enumeration

  • Question

  • Hello,

    I was hoping you are able to assist me. I have been asked for a way for a domain user in child domain1 to be able to enumerate users in child domain2. Is this possible?

    Regards, Jeff



    mstoll

    Monday, May 1, 2017 4:50 PM

All replies

  • In what way?  If with Exchange, how, and what version, service pack, update rollup and/or cumulative update are you running?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, May 1, 2017 10:16 PM
  • Hi ,

    Please run the command:

    Set-AdServerSettings -ViewEntireForest $true -PreferredGlobalCatalog gc1.contoso.com

    Then you can run the following command and check the results:

    Get-ADGroupMember group1 | Where {$_.distinguishedName -match "DC=contoso1,DC=com" -and $_.objectClass -eq "user"}

    Please note: change the highlighted part accordingly.

    Hope it helps.


    Regards,

    Jason Chao



    Tuesday, May 2, 2017 9:41 AM
    Moderator
  • Hi Ed,

    Thanks for responding. The way I'm meaning is just for a script to run a query to get the list of members in another child domain of the same forest. Currently they are trying to use an account in child domain1, and it successfully enumerates membership in the same child domain1. However, when that same domain1 account is used to enumerate the membership list in child domain2 of the same forest, it fails with system error 8519. They are looking for a way to be able to enumerate the groups without error. They are open to suggestions if it's easier to use more than one account in any of the child domains. I hope that makes more sense.

    Cheers,

    Jeff



    mstoll

    Tuesday, May 2, 2017 2:53 PM
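The scenario above (an account in one child domain enumerating a group that lives in another child domain of the same forest) can be scripted with the ActiveDirectory module instead of the Exchange shell. The script below is an added example and is not code from the thread or from any of the posters. It assumes hypothetical names: a forest root contoso.com, the caller in child1.contoso.com, the target group in child2.contoso.com, and a calling account with ordinary read access (Authenticated Users) in child2. Rather than calling Get-ADGroupMember, which resolves every member up front and fails as a whole if any member's domain cannot be reached, it reads the raw member attribute from a DC in the group's own domain and then resolves each member against a DC of that member's domain, so one unresolvable entry is reported instead of aborting the run.

```powershell
# Added example (not from the thread): list the members of a group held in another
# child domain of the same forest, resolving each member via its own domain.
# Hypothetical names: forest root contoso.com, caller in child1.contoso.com,
# group in child2.contoso.com.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $GroupName,     # sAMAccountName of the group, e.g. group1
    [Parameter(Mandatory)] [string] $GroupDomain,   # DNS name of the domain holding it, e.g. child2.contoso.com
    [System.Management.Automation.PSCredential] $Credential   # optional: an account from any trusted domain
)

Import-Module ActiveDirectory -ErrorAction Stop

# "CN=x,OU=y,DC=child2,DC=contoso,DC=com" -> "child2.contoso.com", so each member can be
# looked up on a DC of its own domain (the AD module locates a DC when -Server is a domain name).
function Get-DomainFromDN {
    param([string] $DistinguishedName)
    $dcParts = $DistinguishedName -split ',' |
        Where-Object { $_ -match '^DC=' } |
        ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

# Splat the optional credential into every AD call.
$adArgs = @{}
if ($Credential) { $adArgs['Credential'] = $Credential }

# Read the raw member attribute from a DC in the group's domain. A global catalog
# (port 3268) would not do here: it carries full membership only for universal groups.
$group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member @adArgs

$results = foreach ($memberDN in $group.member) {
    $memberDomain = Get-DomainFromDN $memberDN
    try {
        $obj = Get-ADObject -Identity $memberDN -Server $memberDomain `
                            -Properties objectSid, sAMAccountName, objectClass @adArgs
        $name = $obj.sAMAccountName
        # Members from a trusted external forest appear as foreignSecurityPrincipal objects;
        # translate their SID to an account name where the trust allows it.
        if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
            try   { $name = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $obj.objectSid.Value }   # unresolvable SID, e.g. a deleted account
        }
        [pscustomobject]@{
            Member            = $name
            ObjectClass       = $obj.objectClass
            Domain            = $memberDomain
            DistinguishedName = $memberDN
            Resolved          = $true
        }
    } catch {
        # Report the failure for this member and keep going with the rest.
        Write-Warning "Could not resolve '$memberDN' via $memberDomain : $($_.Exception.Message)"
        [pscustomobject]@{
            Member            = $null
            ObjectClass       = $null
            Domain            = $memberDomain
            DistinguishedName = $memberDN
            Resolved          = $false
        }
    }
}

# Users only, mirroring the Where filter used earlier in the thread; drop the
# ObjectClass test to see nested groups and computers as well.
$results | Where-Object { $_.ObjectClass -eq 'user' -or -not $_.Resolved } | Format-Table -AutoSize
```

Run it as `.\Get-CrossDomainGroupMembers.ps1 -GroupName group1 -GroupDomain child2.contoso.com`, optionally with `-Credential (Get-Credential)` to use an account from another domain. Any member that still fails to resolve is listed with Resolved set to False together with the DC= components of its DN, which tells you which domain (and therefore which trust path or DC) the calling account could not reach.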
  • You mean all mailboxes in a particular child domain?

    You might try this:

    Set-AdServerSettings -RecipientViewRoot "domain.com"

    Get-Mailbox -ResultSize Unlimited


    Or this:

    Set-ADServerSettings -ViewEntireForest $True
    Get-Mailbox -ResultSize Unlimited | Where {$_.DistinguishedName -like "*,DC=domain,DC=com"} 


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, May 3, 2017 1:39 AM