
Get-adgroupmember against group in trusted domain

Question

Friday, October 25, 2013 7:51 AM

Hi

We have two domains with forest trust between them, and we have problems with running get-adgroupmember against one domain.

From domain A I can run get-adgroupmember against the other domain, for example get-adgroupmember GroupB -server DCB

From domain B, if I run get-adgroupmember against the other domain it fails.
Running get-adgroupmember GroupA -server DCA, I get the following error:

get-adgroupmember : The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
At line:1 char:1
+ get-adgroupmember "cn=GroupA,ou=groups,ou=central,dc=DomainA,dc=no" -serve ...
    + CategoryInfo          : NotSpecified: (cn=GroupA,...=DomainA,dc=no:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

However, if I run the same command with the -credential parameter it works fine.

If I use the ADSI type accelerator it also works fine.

([ADSI]'LDAP://DCA.DomainA.no/cn=groupA,ou=groups,ou=central,dc=DomainA,dc=no').member

Does anyone have an idea how to solve this?

Marius

All replies (6)

Monday, October 28, 2013 1:47 AM

It sounds like an authentication issue, which is resolved when you specify credentials with the -credential parameter (assuming you log in with target domain credentials when the box pops up). The trust sounds like it is set up so you can see both domains from the device where you are running the script, and it only works when you are running it against the domain you are already logged into. You can either execute the script as a scheduled task with different credentials (of the remote domain) or add your logged in account to a universal group on the target domain which will allow permissions to read domain attributes.


Monday, October 28, 2013 7:04 AM

Hi Marius,

Thanks for your posting.

This issue can be caused by permissions. If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Firstly, I want to confirm whether these two trusted domains are in one forest.

If so, you can check whether the two administrator accounts have different management levels when running the cmdlet get-adgroupmember, and check whether one of the two administrator accounts is in Enterprise Admins, whose members have full control of all domains in the forest.

I hope this helps.



Monday, October 28, 2013 12:12 PM

Hi

The domains are not in the same forest, but they have a full trust between them.
I run the commands as a regular user with no admin rights.

From domain B I can run get-adgroup groupA -server DCA without any error. It's just get-adgroupmember that fails.

I can also get the members of groupA if I use the ADSI type accelerator.

This works:
([ADSI]'LDAP://DCA.DomainA.no/cn=groupA,ou=groups,ou=central,dc=DomainA,dc=no').member

but this doesn't:
get-adgroupmember GroupA -server DCA

Marius



Tuesday, October 29, 2013 6:42 AM

Hi Marius,

This issue can be caused by foreign security principal (FSP). FSPs represent objects foreign to the forest that require representation within the database.

For detailed information about this issue, please refer to this forum:

Script to add users of a trusted domain:

http://social.technet.microsoft.com/Forums/scriptcenter/en-US/6281c4f2-0108-4928-bcf7-4f2a64099525/script-to-add-users-of-a-trusted-domain

I hope this helps.



Thursday, October 31, 2013 8:20 AM

Hi

If it was a problem with a foreign security principal, the ADSI type accelerator should also fail. But it doesn't. This command works:
([ADSI]'LDAP://DCA.DomainA.no/cn=groupA,ou=groups,ou=central,dc=DomainA,dc=no').member

But if I use get-adgroupmember instead it fails:
get-adgroupmember GroupA -server DCA

Is there some way to turn on error reporting on the command? The debug switch does not offer any more information.

Marius


Sunday, November 3, 2013 10:26 AM

Hi Marius,

When we want to get the members of a group with an FSP in the domain, it fails with the cmdlet Get-ADGroupMember but works well with LDAP.

Using [ADSI] is faster, will work with any group and essentially ignores FSPs at this time. For detailed information about this, please refer to this forum:

Advice with get-adgroupmember:

http://social.technet.microsoft.com/Forums/scriptcenter/en-US/07e7595a-9e7d-43ed-a147-c8591adb1fb2/advice-with-getadgroupmember?forum=ITCG

So I still want to solve this issue with the FSP. If groupA in domain A contains a Foreign Security Principal, please try to remove the foreign security objects from the group.

For detailed information, please refer to this forum, which has the same error as you:

get-adgroupmember and foreign security principal:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/02d25a30-4126-49c4-a672-5f48655a4f12/getadgroupmember-and-foreign-security-principal?forum=winserverpowershell

I hope this helps.

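As an added example, not code from this thread, the [ADSI] workaround the replies discuss, extended into a function that reads the group's member attribute over LDAP from the named DC, binds each member to read its objectClass and SID, and flags the foreignSecurityPrincipal entries that the replies suspect of breaking Get-ADGroupMember. The server name and group DN are the ones from the thread; the function name and the optional credential parameter (the -credential workaround from the first post) are assumptions.

```powershell
# Added example: enumerate group members over LDAP and flag foreign security
# principals (FSPs). Server and group DN are taken from the thread; the
# credential handling is an assumption, not something the poster used.
function Get-GroupMemberViaLdap {
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. DCA.DomainA.no
        [Parameter(Mandatory)][string]$GroupDN,   # e.g. cn=groupA,ou=groups,...
        [System.Management.Automation.PSCredential]$Credential
    )
    $path = "LDAP://$Server/$GroupDN"
    if ($Credential) {
        # Explicit bind with the supplied account, like -credential on the cmdlet.
        $group = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        # Default: bind with the caller's current logon (Kerberos across the trust).
        $group = [ADSI]$path
    }
    foreach ($memberDN in @($group.member)) {
        # Bind each member on the same DC; FSPs live in that domain's
        # CN=ForeignSecurityPrincipals container and bind like any other object.
        $member = [ADSI]"LDAP://$Server/$memberDN"
        $class  = @($member.objectClass)[-1]            # most specific class
        $sid    = New-Object System.Security.Principal.SecurityIdentifier(
            $member.objectSid.Value, 0)
        # Resolving an FSP SID to a name needs the trust to be reachable; on
        # failure report the raw SID so the row is still useful for review.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $null }
        [pscustomobject]@{
            DistinguishedName  = $memberDN
            ObjectClass        = $class
            IsForeignPrincipal = ($class -eq 'foreignSecurityPrincipal')
            Sid                = $sid.Value
            Account            = $account
        }
    }
}

# Usage with the thread's DC and group: list only the FSP members.
Get-GroupMemberViaLdap -Server 'DCA.DomainA.no' `
    -GroupDN 'cn=groupA,ou=groups,ou=central,dc=DomainA,dc=no' |
    Where-Object IsForeignPrincipal | Format-Table -AutoSize
```

For very large groups the DC returns the member attribute in ranged pages (1500 values by default), so a single DirectoryEntry read like this sees only the first page; the output is meant for reviewing which cross-forest principals a group holds before deciding whether to remove them.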