Get-ADGroupMember and Foreign Security Principals

  • Question

  • We have AD groups for SCCM software deployment, and these groups contain machine names from 2 different domains. I'll call them Domain A and Domain B. I always log in to Domain A via desktop or laptop, and via the ADUC I can add machines from either domain to a group.

    I've created a PowerShell script that queries the members of a group, and it returns all the machines from either domain (for further processing which I won't go into).

    I created this script on my office desktop, and it works fine, pulling machine names from both domains A and B.

    However, this evening I've run the script on my laptop... and it will not process names on Domain B. I only see machine names from Domain A if there are none from Domain B (i.e. it errors with):

    Get-ADGroupMember : The operation completed successfully
    At D:\temp\scriptname.ps1:29 char:16
    +     $members = Get-ADGroupMember group_name | select -ExpandProperty Name
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (group_name:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : The operation completed successfully,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    The problem lies with Get-ADGroupMember group_name.

    I can see the foreign entries if I use

    (Get-ADGroup group_name -Properties members).members

    returning the following, which tells me nothing:

    CN=S-1-5-21-3004073045-969749285-2408275485-55110

    How can my desktop be seeing the foreign names correctly yet my laptop cannot? I need to distribute this script (it has dialog for users) to a few machines in the organisation so I will need to replicate some settings or find an alternative means to gather foreign machine names.

    Thanks in advance.

    • Moved by Bill_Stewart Friday, January 26, 2018 3:46 PM Off-topic
    Friday, December 22, 2017 8:40 PM

All replies

  • Something that I've discovered since my earlier post is that my desktop runs the script with AuthenticationType = Negotiate and my laptop runs it with Kerberos.

    I used the following to determine this:

     [Security.Principal.WindowsIdentity]::GetCurrent()

    Could this be the answer?

    However, I'm not PowerShell-experienced enough to have ever adopted authentication in any of my scripts!

    Saturday, December 23, 2017 12:06 AM
  • Is your laptop connected to the domain via a VPN?


    \_(ツ)_/

    Saturday, December 23, 2017 12:15 AM
  • Good point... however me knows zip about VPNs :-)

    My laptop uses Junos Pulse over WIFI to connect to the company network, whether I'm in the office, or from home. No mention of VPN within its help. Would I be right to assume it will have VPN built in?

    If it is VPN related, how would I overcome retrieving Foreign AD members?

    Saturday, December 23, 2017 10:41 AM
  • You have to ask your admins how you are connected.  On a VPN you are not authenticating in a way that allows you to contact the remote DC that has the accounts that are only showing SIDs.  This is the normal behavior.  It cannot be altered with a script.  The admins can alter the VPN, but authentication will be by proxy and will not allow forwarded credentials.  Only Kerberos allows using a token that can be passed forward.


    \_(ツ)_/

    Saturday, December 23, 2017 10:49 AM
  • I think I've fixed this via my laptop link; however, I'd need to replicate something to take into consideration a machine in Domain B running this to see machines in Domain A.

    I can query from my laptop the machines in Domain B; it was only Get-ADGroupMember that was causing issues. Get-ADGroup returns SIDs of Domain B machines.

    Thus the returned SIDs can be used with Get-ADComputer to return the machine name:

    Get-ADComputer "S-1-5-21-3004073045-969749285-2408275485-55110" -Server $DomainB

    returns a machine name.

    Feel free to comment on the code below, if it can be rationalised... I'm eager to learn more.

    # Members that live in Domain A: resolve each member DN and keep everything that is not a foreign SID placeholder
    (Get-ADGroup -Identity $group_name -Properties Members -Server $DomainA | Select-Object -ExpandProperty Members | Get-ADObject -Server $DomainA | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }).Name

    # Members that live in Domain B: the Name of a ForeignSecurityPrincipal is its SID, which Get-ADComputer accepts as the identity when pointed at Domain B
    (Get-ADGroup -Identity $group_name -Properties Members -Server $DomainA | Select-Object -ExpandProperty Members | Get-ADObject -Server $DomainA | Where-Object { $_.ObjectClass -eq "ForeignSecurityPrincipal" }).Name | Get-ADComputer -Server $DomainB | Select-Object -ExpandProperty Name

    This provides me with

    DomainAMachineName1
    DomainAMachineName2
    DomainAMachineName3
    DomainBMachineName1
    DomainBMachineName2
    DomainBMachineName3
    Saturday, December 23, 2017 12:01 PM
  • Yes. You can authenticate against individual domains, but you cannot pass non-Kerberos credentials between two domains.  Get-AdComputer connects directly.  Get-AdGroupMember "chases" the SID to the remote domain and returns the names.

    The following should also work.

    get-adgroup testgrp2 -Properties members | select -expand members | Get-AdObject


    \_(ツ)_/

    Saturday, December 23, 2017 12:07 PM
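A worked version of the approach from the two posts above (read the group's raw Members attribute, keep native members as-is, and resolve ForeignSecurityPrincipal SIDs against the other domain with -Server), added here as an example and not code from the thread. The function name Resolve-CrossDomainGroupMembers and the domain names are assumed placeholders.

```powershell
# Added example, not code from the thread. Lists every member of an AD group across
# two domains: native members are named directly; ForeignSecurityPrincipal entries,
# which the 'members' attribute exposes only as SIDs, are resolved by querying the
# foreign domain. Needs the ActiveDirectory module; domain names below are placeholders.
function Resolve-CrossDomainGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string]   $HomeDomain,     # domain holding the group
        [Parameter(Mandatory)] [string[]] $ForeignDomains  # domains whose SIDs may appear
    )
    # Read the raw 'members' attribute instead of Get-ADGroupMember, which chases the
    # foreign SIDs itself and fails when the other domain's DC cannot be reached.
    $memberDns = Get-ADGroup -Identity $GroupName -Properties Members -Server $HomeDomain |
                 Select-Object -ExpandProperty Members

    foreach ($dn in $memberDns) {
        $obj = Get-ADObject -Identity $dn -Server $HomeDomain -Properties objectSid

        if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') {
            # Native member: already resolvable in the home domain.
            [pscustomobject]@{ Name = $obj.Name; Domain = $HomeDomain
                               Sid  = $obj.objectSid.Value; Resolved = $true }
            continue
        }

        # Foreign member: its Name is the SID string (S-1-5-21-...), nothing more.
        $sid = $obj.Name; $hit = $null; $foundIn = 'unresolved'
        foreach ($domain in $ForeignDomains) {
            try {
                # -Identity accepts a SID; -Server directs the lookup to that domain.
                $hit = Get-ADObject -Identity $sid -Server $domain -ErrorAction Stop
                $foundIn = $domain
                break
            } catch {
                Write-Warning "$sid not resolvable via $domain : $($_.Exception.Message)"
            }
        }
        # Keep unresolved SIDs in the output so a reachability problem is visible
        # rather than silently shrinking the member list.
        $name = if ($hit) { $hit.Name } else { $sid }
        [pscustomobject]@{ Name = $name; Domain = $foundIn; Sid = $sid; Resolved = [bool]$hit }
    }
}

# Usage: show members from both domains, flagging anything that could not be resolved.
Resolve-CrossDomainGroupMembers -GroupName 'group_name' -HomeDomain 'domaina.example' `
    -ForeignDomains 'domainb.example' | Format-Table Name, Domain, Resolved
```

Rows with Resolved = $false mean the laptop could reach the group's home domain but not the domain owning the SID, which is the symptom described in the question; the member is still reported rather than dropped.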