How do I get the attributes of foreign security principals of an AD Group?

  • Question

  • I have N number of domains and I have AD groups created all over them. I am allowing the user to select the domain and I am filtering the list of groups. Now, my next step is that I have the members of those groups, which can be a user or group or any kind of AD object from any domain (foreign security principals), whose SID the system stores in the member attribute of the main AD group/object. I am able to generate the members list for the single-domain scenario; however, in the case of a group having a member from another domain, I am not able to find an efficient approach to linking in the code that could fetch the attributes using the SID.

    I am using $GroupGUID as a parameter to pass and check for the members. This is my script with a PowerShell class:

    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    class MemberList {
        [string] $DisplayName
        [string] $MemberGUID
        [string] $GroupGUID
        [string] $Enabled

        # Default constructor: placeholders until an AD object is supplied
        MemberList() {
            $this.MemberGUID = "Unknown"
            $this.GroupGUID = "Unknown"
            $this.Enabled = "Unknown"
        }

        # Constructor taking the output of Get-ADObject -Properties *
        MemberList([Object] $ADObject) {
            $this.DisplayName = $ADObject.DisplayName   # needed for the Sort-Object below
            $this.MemberGUID = $ADObject.objectGUID
            # bit 2 (0x2) of userAccountControl is ACCOUNTDISABLE
            $this.Enabled = (($ADObject.userAccountControl -band 2) -eq 0)
        }
    }

    And I am invoking the object of this class as follows:

    $MemberLists = @()   # declared up front so += has something to append to
    # -Server: $myDomain is the domain the user selected, where the main group lives (see below)
    ForEach ($ADObject in @(Get-ADGroupMember -Identity $GroupGUID -ErrorAction Stop -Server $myDomain)) {
        $MemberList = New-Object MemberList -ArgumentList (Get-ADObject -Identity $ADObject -Server $myDomain -Properties *)
        $MemberList.GroupGUID = $GroupGUID
        $MemberLists += $MemberList
    }
    $MemberLists | Select-Object -Property * | Sort-Object -Property DisplayName

    myDomain will be the domain selected by the user, where the main group lies. Now, where should I put the script to fetch the members that belong to other domains? Inside the ForEach loop? Or, when I am creating a new object inside the loop, how do I implement the script in such a way that it will track down the SID and give me the attributes of the members from the various domains? All I found out was that the member attribute stores the information like this:

    member          : {CN=S-1-5-XX-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXX,CN=ForeignSecurityPrincipals,DC=myDomain,DC=net,

    I found out that using the code below I can locate the member, but I can't figure out how to connect it into the loop.

    ([System.Security.Principal.SecurityIdentifier] "S-1-5-XX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXXX").Translate([System.Security.Principal.NTAccount]).value

    Any kind of suggestion would be appreciated.

    • Edited by Nikul Vyas Wednesday, September 11, 2019 11:42 PM
    Wednesday, September 11, 2019 11:41 PM
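One way to wire the SID translation into the loop, as an added example that is not part of the original post: read the raw member attribute of the group (rather than Get-ADGroupMember, which errors out when a member from another forest cannot be resolved), detect the CN=ForeignSecurityPrincipals DNs, translate the SID to DOMAIN\name through the trust, and then query the member's home domain by objectSid for the attributes the class needs. It assumes the RSAT ActiveDirectory module is installed, that a trust exists to each foreign domain, and that the NetBIOS name returned by Translate can be located from this machine when passed to -Server; the function name Resolve-GroupMember, the SourceDomain and SID properties, and the example call values are all constructed for this illustration.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory,
# a trust to every foreign domain, and that -Server can locate a domain by
# the NetBIOS name that SID translation returns.
Import-Module ActiveDirectory -ErrorAction Stop

class MemberList {
    [string] $DisplayName
    [string] $MemberGUID
    [string] $GroupGUID
    [string] $Enabled
    [string] $SourceDomain   # constructed: the domain the member object lives in
    [string] $SID            # constructed: objectSid of the member
}

# Fill the class fields from an AD object returned by Get-ADObject.
function Set-MemberFields([MemberList] $Entry, $ADObject, [string] $Domain) {
    $Entry.DisplayName  = $ADObject.displayName
    $Entry.MemberGUID   = $ADObject.objectGUID
    $Entry.SID          = $ADObject.objectSid.Value
    $Entry.SourceDomain = $Domain
    if ($null -eq $ADObject.userAccountControl) {
        # groups, contacts etc. have no userAccountControl, so "enabled" is meaningless
        $Entry.Enabled = 'N/A'
    } else {
        # bit 0x2 of userAccountControl is ACCOUNTDISABLE
        $Entry.Enabled = (($ADObject.userAccountControl -band 2) -eq 0)
    }
}

function Resolve-GroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupGUID,
        [Parameter(Mandatory)] [string] $Domain   # DNS name of the domain that holds the group
    )
    $props = 'displayName', 'objectGUID', 'userAccountControl', 'objectSid'
    $group = Get-ADGroup -Identity $GroupGUID -Server $Domain -Properties member

    foreach ($dn in @($group.member)) {
        $entry = [MemberList]::new()
        $entry.GroupGUID = $GroupGUID

        if ($dn -match '^CN=(S-1-5-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            # Foreign security principal: only the SID is stored in this domain.
            $sid = $Matches[1]
            try {
                # Translate through the trust to DOMAIN\name, keep the NetBIOS domain part...
                $nt = ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                          [System.Security.Principal.NTAccount]).Value
                $foreignDomain = $nt.Split('\')[0]
                # ...and fetch the real object from that domain by its SID.
                $obj = Get-ADObject -Server $foreignDomain -Filter "objectSid -eq '$sid'" -Properties $props
                if ($null -eq $obj) { throw "objectSid $sid not found in $foreignDomain" }
                Set-MemberFields -Entry $entry -ADObject $obj -Domain $foreignDomain
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # The SID no longer resolves: the account was deleted in the trusted domain.
                # Such orphaned FSPs still grant nothing but are worth reporting for cleanup.
                $entry.DisplayName = "$sid (orphaned FSP)"
                $entry.SID = $sid; $entry.Enabled = 'Unknown'; $entry.SourceDomain = 'Unknown'
            } catch {
                # Trust down, domain unreachable, or object not found
                $entry.DisplayName = "$sid (unresolved: $($_.Exception.Message))"
                $entry.SID = $sid; $entry.Enabled = 'Unknown'; $entry.SourceDomain = 'Unknown'
            }
        } else {
            # Ordinary member: look it up in the group's own domain.
            $obj = Get-ADObject -Identity $dn -Server $Domain -Properties $props
            Set-MemberFields -Entry $entry -ADObject $obj -Domain $Domain
        }
        $entry
    }
}

# Example call with constructed placeholder values; replace with your own:
# Resolve-GroupMember -GroupGUID '00000000-0000-0000-0000-000000000000' -Domain 'myDomain.net' |
#     Sort-Object -Property DisplayName | Format-Table DisplayName, SourceDomain, Enabled, SID
```

Reading the member attribute directly also means the loop sees nested groups and contacts as DNs rather than expanded members, which is what you want when the goal is to report exactly what the group grants; the SourceDomain column makes cross-domain entries and orphaned SIDs (deleted accounts that still sit in the group) stand out when reviewing group membership.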

All replies