how to get membership of external domains

  • Question

  • Hello experts!

    I'm going crazy trying to solve this, I hope you can give me a hand.

    I need to know how I could get the groups of a specific account using powershell, for example:

    The AD account was built in Domain A and there is a Domain Local group in Domain B. I know that if I search group by group, I will find the account in the groups of Domain B, but I need to know if there is a way to search using the AD account of Domain A to get the membership in Domain B.

    Thank you in advance!

    Regards.

    Wednesday, January 23, 2019 7:32 PM

All replies

  • Hi,

    You can try something like this:

    Get-ADUser Username -Properties memberof -Server DCServerDomainB:3268 | Select-Object DisplayName -ExpandProperty memberof

    *** I DID NOT TEST!

    Wednesday, January 23, 2019 7:38 PM
  • Does not work :(

    Using the -Server option, PowerShell says that it can't find the user account in the specified domain, and that is correct because the account is not there.

    Wednesday, January 23, 2019 7:50 PM
  • Get-AdPrincipalGroupMemberShip <userid>

    To use any method you must run from an account that has permission in both domains.


    \_(ツ)_/

    Wednesday, January 23, 2019 7:59 PM
  • Thank you for your time, I tried to use this but the result is the same, the account used for this has the permissions across the domains.

    Wednesday, January 23, 2019 8:21 PM
  • There is another way. 

    Store accounts, groups and their SID from domainA and DomainB

    Create some table containing name,oldSID,newSID

    Use Set-ACL to replace the SIDs on DomainB folders.   

    We use this technique for migrating file servers (in-place migration, cannot use migration tools).

    Wednesday, January 23, 2019 8:45 PM
  • Using powershell you can use PS drive:

    New-PSDrive `
        -Name ForestName `
        -PSProvider ActiveDirectory `
        -Server "DC.Domain.com" `
        -Credential (Get-Credential "domain\username") `
        -Root "//RootDSE/" `
        -Scope Global
    CD ForestName:

    you can use the command "get-addomain" to validate the connection.

    Then you can run the get-adgroupmembership command 

    Wednesday, January 23, 2019 8:46 PM
  • Thank you for your time, I tried to use this but the result is the same, the account used for this has the permissions across the domains.

    You failed to post what you used and the exact error message.


    \_(ツ)_/

    Wednesday, January 23, 2019 9:00 PM
  • Just wrote this, I am in multi-Domain Env. It works.

    # Declare array
    $MyArray = @()

    # Get group data - specify the server using its full DNS name
    $MyGroups = Get-ADUser username -Server ServerName.Domain.com -Properties MemberOf | Select-Object -ExpandProperty MemberOf

    # Split each group distinguished name on commas into its RDN components
    $MyArray = $MyGroups.Split(",")

    # Keep only the CN= components (the original pattern "cn=*" matched any string containing "cn", not just CN= components)
    $MyArray = $MyArray -match "^CN="

    # Strip the CN= prefix (case-insensitive, unlike the .NET String.Replace method)
    $MyFinal = $MyArray -replace "^CN=", ""

    # Final output
    $MyFinal

    • Proposed as answer by ComputerScott Thursday, January 24, 2019 8:50 PM
    Thursday, January 24, 2019 8:50 PM
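The root cause of the thread's problem is that memberOf on the user in Domain A is a backlink maintained only inside Domain A, so domain-local groups in Domain B never show up there; you have to evaluate membership in the resource domain. The script below is an added example, not code from any poster in this thread; it assumes a trust between the two domains, an account with read rights in both, and placeholder DC and user names.

```powershell
# Added example (not from the thread). Assumes a trust between Domain A and Domain B
# and an account with read rights in both; the names below are placeholders.
$UserName = 'jdoe'                   # placeholder sAMAccountName in Domain A
$DomainA  = 'dca01.domaina.example'  # placeholder DC in the account's domain
$DomainB  = 'dcb01.domainb.example'  # placeholder DC in the resource domain

# Approach 1: let the cmdlet do the cross-domain evaluation. -ResourceContextServer
# tells Get-ADPrincipalGroupMembership to compute the membership (domain-local groups
# included) on a DC of Domain B instead of the account's home domain.
Get-ADPrincipalGroupMembership -Identity $UserName -Server $DomainA `
    -ResourceContextServer $DomainB |
    Select-Object Name, GroupScope, DistinguishedName

# Approach 2: explicit LDAP search against Domain B. Across an external or forest trust,
# Domain B stores the member as a ForeignSecurityPrincipal object named after the
# account's SID; inside a single forest it stores the account's real DN. Search for both.
function Escape-LdapValue([string]$Value) {
    # RFC 4515 escaping so special characters in a DN cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

$user   = Get-ADUser -Identity $UserName -Server $DomainA
$bRoot  = (Get-ADDomain -Server $DomainB).DistinguishedName
$fspDn  = "CN=$($user.SID.Value),CN=ForeignSecurityPrincipals,$bRoot"
$filter = '(|(member={0})(member={1}))' -f (Escape-LdapValue $user.DistinguishedName),
                                           (Escape-LdapValue $fspDn)

# Direct memberships only: the member attribute does not expand nested groups
Get-ADGroup -LDAPFilter $filter -Server $DomainB |
    Select-Object Name, GroupScope, DistinguishedName
```

Both approaches return direct membership only; permissions inherited through nested groups in Domain B need a further walk of each group's member attribute.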