query group members from a large group with some members from a child domain.

  • Question

  • I was able to fix the 5000 limit for Get-ADGroupMember with the following commands:

    $grp = Get-ADGroup groupname -Properties Members
    $grp.Members | Get-ADUser -Properties DisplayName, Department, Title | Select-Object DisplayName, Department, Title | Export-Csv C:\temp\export.csv -NoTypeInformation

    but ran into an error with a referral and activedirectoryserver:8325 for some members.  I found those users are from a child domain.  I read an article saying Get-ADUser only runs for the local domain.  If so, how do I fix it?

    Thanks in advance.

    Wednesday, March 6, 2019 1:37 AM

Answers

  • A better method is to use a GC.  To use a DC you must specify the GC port.

    $dc = Get-ADDomainController -Discover -Service GlobalCatalog
    $gc = $dc.Name + ':3268'

    Get-AdUser … -Server $gc

    This will cause the GC to be used.


    \_(ツ)_/



    • Edited by jrv Wednesday, March 6, 2019 10:39 AM
    • Marked as answer by ChrisD0919 Thursday, March 14, 2019 10:10 PM
    Wednesday, March 6, 2019 10:37 AM
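An added example (not code from the thread) that combines the question's Members-attribute workaround with the answer's Global Catalog binding and records which member DNs could not be resolved. It assumes the RSAT ActiveDirectory module is available; `groupname` and `C:\temp\export.csv` are the question's placeholders.

```powershell
# Added example: resolve every member of a large group, including members from
# child domains, by reading the Members attribute (avoids the Get-ADGroupMember
# 5000-object limit) and binding to a Global Catalog on port 3268. A GC holds a
# partial replica of every domain in the forest, so it can answer for DNs that a
# plain DC (port 389) would only refer elsewhere.
# Assumptions: RSAT ActiveDirectory module; 'groupname' and the CSV path are placeholders.
Import-Module ActiveDirectory

$GroupName = 'groupname'
$OutFile   = 'C:\temp\export.csv'

# Discover a GC and build host:port. HostName is the FQDN; the thread used $dc.Name,
# which also works when short names resolve in your environment.
$dc = Get-ADDomainController -Discover -Service GlobalCatalog
$gc = '{0}:3268' -f $dc.HostName[0]

$grp = Get-ADGroup -Identity $GroupName -Properties Members -Server $gc

$results = foreach ($dn in $grp.Members) {
    # Domain portion of the DN, so the report shows which domain each member lives in.
    $domain = $dn -replace '^.*?DC=', 'DC='
    try {
        # Look the DN up on the GC; only attributes replicated to the GC are returned,
        # anything not in the partial attribute set comes back empty.
        $u = Get-ADUser -Identity $dn -Properties DisplayName, Department, Title -Server $gc
        [pscustomobject]@{
            DistinguishedName = $u.DistinguishedName
            DisplayName       = $u.DisplayName
            Department        = $u.Department
            Title             = $u.Title
            Domain            = $domain
            Status            = 'OK'
        }
    } catch {
        # Typical causes: no trust or no permission for that member's domain, or the
        # DN is not a user object (nested group, computer, contact).
        [pscustomobject]@{
            DistinguishedName = $dn
            DisplayName       = $null
            Department        = $null
            Title             = $null
            Domain            = $domain
            Status            = "Failed: $($_.Exception.Message)"
        }
    }
}

$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count   # quick view of what failed
```

Rows with a Failed status tell you which domain still needs a working trust or account permissions, rather than silently dropping those members from the export.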

All replies

  • You need to have a correct trust and your account must be able to authenticate on the remote domain.

    You can also set the server to the nearest Global Catalog server.


    \_(ツ)_/


    • Edited by jrv Wednesday, March 6, 2019 2:14 AM
    Wednesday, March 6, 2019 2:12 AM
  • My account has domain admin permission to the child domain and both parent/child domains are bi-directionally trusted.  Using my account I can access both domains through dsa.msc directly.  But here is the weird thing.  When I tried to view group membership through dsa.msc from the parent domain I did get a warning saying some user accounts can't be displayed properly.  I think I need to double check the trust.  All our domain controllers are GCs too.  I was using a local DC/GC.

    Thanks.

    Wednesday, March 6, 2019 5:06 AM
  • I tried your code and it worked.  Thanks!  I have another question.  I output the values for $dc and $gc using Write-Output.  It shows my local DC, which I'm sure my command also used.  Why didn't mine work?  I guess $gc = $dc.Name + ':3268' made the difference?  If not specified, does the command just run against the domain controller server as a DC, not a GC?

    Thanks.


    • Edited by ChrisD0919 Thursday, March 14, 2019 10:29 PM
    Thursday, March 14, 2019 10:15 PM
  • The code returns the DC name as the "name" property.


    \_(ツ)_/

    Thursday, March 14, 2019 10:19 PM