Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No

  • Question

  • We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts, and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below, where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain, we started seeing errors with Get-ADGroupMember for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.

    netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No

    PowerShell command that fails:

    Get-ADGroupMember "account operators" -Server otherdomain.local

    dsget variant of it that works:

    dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members

    Error:

    Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about
    the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
    <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or
    turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
    At line:1 char:1
    + Get-ADGroupMember "account operators" -Server otherdomain.local
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


    Full error:

    Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request
    due to an internal error.  For more information about the error, either turn on
    IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
    <serviceDebug> configuration behavior) on the server in order to send the exception
    information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK
    documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The
    server was unable to process the request due to an internal error.  For more information about
    the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute
    or from the <serviceDebug> configuration behavior) on the server in order to send the
    exception information back to the client, or turn on tracing as per the Microsoft .NET
    Framework SDK documentation and inspect the server trace logs.
    
    Server stack trace:
       at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply,
    MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
       at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation,
    ProxyRpc& rpc)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway,
    ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
    methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage
    retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroup
    Member(GetADGroupMemberRequest request)
       at
    Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
    request)
       --- End of inner exception stack trace ---
       at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException
    faultException)
       at
    Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
    request)
       at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Ma
    nagement.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest
    request)
       at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String
    partitionDN, String groupDN, Boolean recursive)
       at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSR
    outine()
       at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
       at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()



    • Edited by Nick LaFleur Monday, April 22, 2019 12:25 PM Added details.
    Monday, April 22, 2019 12:14 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    To better understand our question, please confirm the following information:

    1. Is our trust a two-way or a one-way forest trust, or any other type of trust?

    2. According to "Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No", do we mean FSP members are the original default members or the new members we created?

    3. Do we run the following command in the DC of ourdomain.local?
    netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No


    Can we get the group membership before running the above command?


    According to our description, although we cannot get group membership running "Get-ADGroupMember "account operators" -Server otherdomain.local", we can get group membership through running "dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members".




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 23, 2019 4:32 AM
    Moderator
  • Hi,
    If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Thursday, April 25, 2019 6:45 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Monday, April 29, 2019 8:17 AM
    Moderator
  • Facing the exact same issue since 9/7.  Now it's not possible anymore to execute Get-ADGroupMember to a group including trust members.

    I'm trying to test if EnableTGTDelegation=Yes is working (just to test that this is really the issue). But till now it doesn't look like this solves the problem.

    Trying to execute: 

    netdom.exe trust ***** /domain:**** /EnableTGTDelegation:Yes
    
    Enabling TGT delegation.
    
    Warning: enabling Kerberos full TGT delegation on outbound trusts is not recommended. See https://aka.ms/netdomtgtdelegation for more information.
    
    The command completed successfully.

    But still the EnableTGTDelegation is set to false (Get-ADTrust). Also tried to execute the netdom command with the domains swapped in the parameters, but still the parameter is set to False.



    Wednesday, July 17, 2019 6:26 PM
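  Each domain keeps its own trustedDomain object for the partner, so the value netdom writes is only visible from the side it was pointed at. The following added example (not part of the thread, and not the poster's own code) reads the trust from both domains with Get-ADTrust so the before/after state of the netdom change can be verified from each side. It assumes the ActiveDirectory module is loaded and that the caller can query both domains; the domain names are the placeholders from the original question.

```powershell
function Get-TrustTgtDelegationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LocalDomain,   # e.g. ourdomain.local
        [Parameter(Mandatory)][string]$RemoteDomain   # e.g. otherdomain.local
    )
    # Read the trust object from both sides rather than trusting a single view:
    # netdom only changes the trustedDomain object in the domain it is run against.
    foreach ($side in @(
        @{ Query = $LocalDomain;  Partner = $RemoteDomain },
        @{ Query = $RemoteDomain; Partner = $LocalDomain }
    )) {
        $trust = Get-ADTrust -Filter "Target -eq '$($side.Partner)'" -Server $side.Query
        if (-not $trust) {
            Write-Warning "No trust object for $($side.Partner) found in $($side.Query)"
            continue
        }
        [pscustomobject]@{
            ReadFrom      = $side.Query
            Partner       = $trust.Target
            Direction     = $trust.Direction            # Inbound, Outbound or BiDirectional
            TGTDelegation = $trust.TGTDelegation        # $false is the hardened state
            SIDFiltering  = $trust.SIDFilteringQuarantined
        }
    }
}

# Usage, with the placeholder domain names from the original question:
Get-TrustTgtDelegationState -LocalDomain ourdomain.local -RemoteDomain otherdomain.local |
    Format-Table -AutoSize
```

  Run it once before and once after the netdom command; if TGTDelegation still reads True on the side you expected to change, the command most likely targeted the other domain's trust object.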
  • Microsoft reported that this was a bug in the Get-ADGroupMember cmdlet that has existed for quite a while. They couldn't provide an ETA on fixing it.

    The person I worked with provided this "workaround" that works okay. It bypasses the issues the Get-ADGroupMember has when it encounters a group that has a ForeignSecurityPrincipal object as a member.

    Function Get-ADGroupMemberTest {
        [CmdletBinding()]
        param(
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]
            $Identity,

            # Optional DC or domain to query (e.g. otherdomain.local), so the
            # workaround can be pointed at the trusting domain as in the question.
            [string]
            $Server
        )
        process {
            # Pass -Server through to every AD call only when it was supplied.
            $adParams = @{}
            if ($Server) { $adParams['Server'] = $Server }

            foreach ($GroupIdentity in $Identity) {
                # Read the raw 'member' attribute instead of calling Get-ADGroupMember,
                # which fails when the group contains a ForeignSecurityPrincipal.
                $Group = $null
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member @adParams
                if (-not $Group) {
                    continue
                }
                # Resolve each member DN individually; FSP entries come back as
                # ordinary foreignSecurityPrincipal objects instead of breaking the call.
                foreach ($Member in $Group.Member) {
                    Get-ADObject -Identity $Member @adParams
                }
            }
        }
    }

    Get-ADGroupMemberTest 'account operators'
    Get-ADGroupMemberTest 'account operators' -Server otherdomain.local

    Saturday, August 17, 2019 5:32 PM
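  Since the failure is tied to groups that carry ForeignSecurityPrincipal members, the groups worth auditing first are exactly those. The following added example (not from the thread and not the poster's workaround) lists every group in a domain whose raw member attribute contains an FSP, and resolves each FSP's SID to an account name through the trust. It assumes the ActiveDirectory module is loaded, that the FSP's CN is the SID string (which is how AD names foreignSecurityPrincipal objects), and uses the domain names from the original question as placeholders; the function name Get-FspGroupMembers is the author's own choice.

```powershell
function Get-FspGroupMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,   # domain or DC to audit, e.g. otherdomain.local
        # Optional search base, e.g. 'CN=Builtin,DC=otherdomain,DC=local'
        [string]$SearchBase
    )
    $params = @{ Server = $Server; Properties = 'member' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    # Read the raw attribute: Get-ADGroupMember is the call that fails on these groups.
    Get-ADGroup -Filter 'member -like "*"' @params | ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            # FSP objects live under CN=ForeignSecurityPrincipals,<domain DN>
            # and their CN is the SID of the foreign principal.
            if ($dn -notmatch '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') { continue }
            $sid = [System.Security.Principal.SecurityIdentifier]$Matches[1]

            # Translate via LSA; this crosses the trust for foreign-domain SIDs.
            # Well-known SIDs such as S-1-5-11 resolve locally (NT AUTHORITY\Authenticated Users).
            $account = $null
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = '<unresolved>' }   # orphaned SID or lookup failure: keep the SID

            [pscustomobject]@{
                Group    = $group.DistinguishedName
                MemberDN = $dn
                SID      = $sid.Value
                Account  = $account
            }
        }
    }
}

# Usage, with the placeholder domain names from the original question:
Get-FspGroupMembers -Server otherdomain.local -SearchBase 'CN=Builtin,DC=otherdomain,DC=local' |
    Format-Table -AutoSize
```

  Rows whose Account column reads "<unresolved>" are FSPs whose SID no longer maps to anything reachable across the trust; those are the entries to review when tightening cross-forest group membership.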