Question
Friday, July 22, 2016 6:46 PM
I am working for a company with 10 forests. I am writing a script to check if a Universal Group from Forest A is a member in any Domain Local groups in Forests 2-10 (hub and spoke two way trusts between Forest A and 2-10).
I have the script pretty much complete, but the problem I have is when getting members from groups that have a Foreign Security Principal.
I have read about this and am trying to figure out if it is even possible. I am doing a Try/Catch to test when getting $members.
$members = (get-adgroupmember GroupA -server DC1GlobalCatalolgLForest2.com).SamAccountName
Chris
All replies (2)
Saturday, July 23, 2016 8:35 AM ✅ Answered
Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer"
Tuesday, June 26, 2018 1:18 PM
Hi,
For Foreign security principals membership I'm using the member attribute of the group:
$members = Get-ADGroup $group -Properties member | select -ExpandProperty member (this will give you an array of DNs where user members and ForeignSecurityPrincipals are listed in the following format: CN=SID,CN=ForeignSecurityPrincipal,DC=Contoso,DC=com)
$foreign = $members | where {$_ -like "*ForeignSecurityPrincipal*"} (this is the list of ForeignSecurityPrincipals)
At this point, I'm interested in having just the sid in a variable as you can use it in the -identity parameter with cmdlets like Get-aduser, etc. So, I will put it in a variable called $identity:
$foreign | % {$object = $_;
$identity = Get-adobject -Identity $object | select -ExpandProperty name}
Using that logic, you can try the following script:
______________________________________________
$group = ""   # name of the group to inspect
$TrustedDomains = Get-ADTrust -Filter * | select name
$members = Get-ADGroup "$group" -Properties member | select -ExpandProperty member
# members stored as foreign security principals (their DN sits in the FSP container)
$foreign = $members | where {$_ -like "*foreignsecurityprincipals*"}
$allgroupmembers = @()
$externalUsers = @()
$internalUsers = @()
$foreign | % {$object = $_;
    # the FSP object's name is the SID of the foreign principal
    $identity = Get-adobject -Identity $object | select -ExpandProperty name
    $TrustedDomains | % { $server = $_.name;
        try {$externalUsers += get-aduser -Identity $identity -Server $server -ErrorAction Stop | select -ExpandProperty distinguishedname}
        catch { }   # SID does not exist in this domain, try the next trust
    }
}
$internalUsers += $members | where {$_ -notlike "*foreignsecurityprincipals*"}
$allgroupmembers = $internalUsers + $externalUsers   # one flat list, not nested arrays
return $allgroupmembers
This will basically perform queries in all trusted domains for each SID added in the $identity variable.
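The following is an added example written for this thread; it is not code from either reply. It assumes the ActiveDirectory module, two-way trusts from the forest the script runs in, and read access to group membership in every trusted domain; the group names in the usage lines are placeholders. It goes beyond the reply above in two ways: it resolves foreign security principals with Get-ADObject -Filter on objectSid, so cross-forest groups (not only users) are found, and it reports SIDs that resolve nowhere as orphaned, which usually means a trusted account was deleted but its FSP still carries the group's rights. The second function answers the original question in reverse: given the universal group in this forest, it lists the domain local groups in each trusted domain that contain it.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module, two-way trusts from this forest, and read access to group membership
# in every trusted domain. Group names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Resolve-FspGroupMember {
    <# Returns every member of $GroupName. Members stored as foreign security
       principals are resolved by SID across all trusted domains; SIDs that
       resolve nowhere are reported as Orphaned and should be reviewed. #>
    param([Parameter(Mandatory)][string]$GroupName)

    # Get-ADTrust lists trusts of the current domain; for a forest trust this is
    # the trusted forest root, so child domains of that forest are not queried.
    $trusts  = (Get-ADTrust -Filter *).Name
    $members = Get-ADGroup -Identity $GroupName -Properties member |
        Select-Object -ExpandProperty member

    foreach ($dn in $members) {
        if ($dn -notlike '*,CN=ForeignSecurityPrincipals,*') {
            [pscustomobject]@{ DistinguishedName = $dn; Source = 'Local'; Status = 'Resolved' }
            continue
        }
        # The FSP object carries the foreign principal's SID in objectSid
        # (its Name is the same SID as a string).
        $sid = (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
        $resolved = $false
        foreach ($domain in $trusts) {
            try {
                # An objectSid filter matches users and groups alike, so a
                # universal group from another forest is found as well.
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Server $domain -ErrorAction Stop
            } catch { continue }   # domain unreachable: keep trying the rest
            if ($obj) {
                [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; Source = $domain; Status = 'Resolved' }
                $resolved = $true
                break
            }
        }
        if (-not $resolved) {
            [pscustomobject]@{ DistinguishedName = $dn; Source = $sid; Status = 'Orphaned' }
        }
    }
}

function Find-GroupMembershipInTrustedForests {
    <# The original question in reverse: given a group in this forest, list the
       groups in every trusted domain that hold it as a member through its FSP. #>
    param([Parameter(Mandatory)][string]$GroupName)

    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    foreach ($domain in (Get-ADTrust -Filter *).Name) {
        try {
            # The trusted domain stores our group as an FSP whose objectSid is our SID.
            $fsp = Get-ADObject -Filter "objectClass -eq 'foreignSecurityPrincipal' -and objectSid -eq '$sid'" `
                -Server $domain -ErrorAction Stop
            if (-not $fsp) { continue }   # our group is not referenced in this domain
            # Groups whose member attribute contains the FSP's DN.
            Get-ADGroup -LDAPFilter "(member=$($fsp.DistinguishedName))" -Server $domain -ErrorAction Stop |
                Select-Object @{n='Domain';e={$domain}}, Name, GroupScope, DistinguishedName
        } catch { Write-Warning "Could not query $domain : $_" }
    }
}

# Usage (placeholder group names):
# Resolve-FspGroupMember -GroupName 'DomainLocalGroup1' | Format-Table
# Find-GroupMembershipInTrustedForests -GroupName 'UniversalGroupA' | Format-Table
```

Run the first function in each spoke forest against the domain local groups of interest and the second in Forest A against the universal group; an Orphaned row in the first output, or a group in the second output that nobody expects, is the finding worth following up. If a trusted forest has child domains, add them to the list of servers queried, since Get-ADTrust only returns the forest root for a forest trust.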