Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I'm trying to build a script identifying all members and nested members of the Administrators group. My company currently has 20+ domains, majority of which are not integrated. Instead, we simply build a trust between domains following acquisition. The problem is the Administrators group for these domains often has members from one of the external but trusted domains. If i run Get-ADGroupMember I have no problem, but if I run Get-ADGroupMember -Recursive it errors our. I'm assuming the issue is PS trying looking for the nested membeship of a group located on one of our trusted domains but looking only on the current domain of the Administrators group.
PowerShell Script (replaced server with example domain):
$ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Resulting Error Message (replaced server with example domain):
PS H:\> $ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Get-ADGroupMember : There is no such object on the server
At line:2 char:1
+ Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Administrato...e,DC=domain,DC=com:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundExc
eption
+ FullyQualifiedErrorId : There is no such object on the server,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
From the docs for Get-ADGroupMember:
Notes
This cmdlet does not work when a group has members located in a
different forest, and the forest does not have Active Directory Web
Service running.
Yes your assumption is correct. (Without an exact error message) You can only enumerate membership from one domain at a time. i.e.
Get-ADGroup MyGroup -Server ContosoDC01 | Get-ADGroupMember -Recursive -Server ContosoDC01
Adding -Server highlights that you can only specify one domain that you can enumerate from at a time. Indeed, a straight up Get-ADGroupMember will list the distinguished names and SID's for the users/groups, including the SID's for the users/groups from the other domains. But that is all that AD stores, the SID of the user/group. It does not store the membership.
To get the membership requires another, separate, call to the other domain to enumerate; and most of the time, cross domain permissions are not set up to allow your current account access to the other domain, and you get:
Get-ADGroupMember : The operation being requested was not performed because the user has not been authenticated
Related
Our application allows the customer to authenticate to their own domain via Ldap but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application I have a need to delete several thousand of those cached accounts from myserver ADSI
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error but it also does NOT delete the acct (neither does piping it to "remove-aduser"
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use -ldapfilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT gui but as mentioned, they have given me a list of thousands of accts that need removing. There's gotta be a way?!
I figured it out (I’m feeding it a list of $users)
Get-ADObject -Server “myserver:3890” -SearchBase “CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentdirectoryDirectory” -Filter * | Where-Object {$_.name -eq “$user”} | Remove-ADObject -confirm:$false
We have 3 Domains connected through a trust, and I need to remove a user from multiple groups, including some that are in those other Domains.
I can see all groups through the command:
(Get-ADGroup -Server $Domain -Filter *).SamAccountName
Receiving this information in a variable, where I make a FOREACH, to use in each group, the command:
Remove-ADGroupMember -Server $Domain -Identity "$group" -Members $User -Confirm:$false -Credential $Credential
But this does not work for when I need to remove a user who belongs to another domain.
I tried to pass the user with parameters like:
B\User
User ObjectGUID
User SID
But it does not work.
How do I remove a user belonging to domain B from a domain group A?
Remembering that there is a relationship of trust between them.
The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). this group 'zzapsdba_c' has ForeignSecurityPrincipal account which it caused get-adgroupmember to error out. Note: I would need a solution using Microsoft Powershell cmdlets. I already have alternative solution using get-qadgroupmember (Quest/dell powershell cmdlets) which I do not wish to use because it is not native.
I am using powershell, v4.0
here is my code that failed.
get-adgroupmember zzapsdba_c -server nw
here is the error:
get-adgroupmember : An unspecified error has occurred
At line:1 char:1
+ get-adgroupmember zzapsdba_c -server nw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
You should be able to get the members of the group by using getting the members attribute and looking up those distinguishednames. Like this:
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw
I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.
If you still wan't to ignore the ForeignSecurityPrincipal objects then this should work.
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }
I've built a script that is supposed to query for users across the forest and do a few things:
Set ExtensionAttribute2
Add the user to a domain-specific group in their own domain
Add the user to a group in the root domain
When I run this against a GC in the root domain of the forest, users in the root domain are processed just fine. Users in child domains process step #3 just file, but steps #1 and #2 cause errors.
Edit for clarification: These commands are being run against a 2012 domain controller in the root forest that is also a global catalog server. I'm running these commands as an Enterprise Admin with access to all child domains. Using these same credentials and the same server I can make all of these edits manually using Active Directory Users and Computers.
Here is the script that I've created:
$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"
Import-CSV -Path $csvpath | Foreach-Object {
$userprincipalname = $_.userprincipalname
$activationkey = $_.activationkey
Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
$dn = $_.DistinguishedName
#Set default as root domain
$domain = "contoso"
$domainserver = "ROOTGC.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users"
If ($dn -like "*DC=childdomain1*") {
$domain = "childdomain1"
$domainserver = "childgc1.childdomain1.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
}
If ($dn -like "*DC=childdomain2*") {
$domain = "childdomain2"
$domainserver = "childgc2.childdomain2.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
}
Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"
#Set ExtensionAttribute2
SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
#Add the user to their own domain-based group
Add-ADGroupMember -Identity $groupscript -Members $_
#Add the user to the root domain's universal group
Add-ADGroupMember -Identity $groupcbr -Members $_
}
}
Again, the users in the root domain process just fine. The users in the child domains hit errors on #1 (set the extensionattribute2) and #2 (add the their local domain group).
Here are the errors:
Setting ExtensionAttribute2:
SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+ SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Adding to the local domain group:
Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+ Add-ADGroupMember -Identity $groupscript -Members $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I've searched all over the place but haven't found any way to figure this out yet. I've tried the following (and more):
Added -Server "ROOTGC.contoso.com:3268" to each command to see if that helped, but all it did was break those commands for everyone (including the root users who were working already).
Tried to add the individual domain servers for each domain to the end of the command (as per the variable that I populated: $domainserver), but all of the child domain DC's are Windows 2003; the servers don't accept the connection.
Moved pieces of code around to various places (making it less efficient, but what the heck - I'm trying anything).
What am I missing? Help me please!! I had to go through my CSV file manually and set what needed to be set because it had to get done tonight, but I'm going to be processing thousands of users in the next 2 weeks.
The server you run this against must have a copy of the global catalog, otherwise it won't be able to resolve the referrals. Or you must run the command against a DC of the target domain. Also, your user must have Enterprise Admin privileges in order to be able to create/modify/delete objects in other domains of the forest (or appropriate delegations must be made in the target domains).
Another problem is that the shiny AD cmdlets won't work without the Active Directory Web Service, which isn't available prior to Windows Server 2008 R2, running on all involved DCs. You can work around that by handling the foreign security principals and directory objects yourself, though:
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
With that said: you do realize that Windows Server 2003 will reach end-of-life the day after tomorrow, don't you? Why are your DCs still running that antique version?
DomainA and DomainB trust each other. Some DomainB users are members of DomainA local domain groups. How can I get ForeignSecurityPrincipal in PowerShell and get list of its groups?
That was surprisingly simple:
Get-ADObject -Filter {ObjectClass -eq "foreignSecurityPrincipal"} -Properties msds-principalname,memberof
where "msds-principalname" is sAMAccountName, so I can search now through FSPs by sAMAccountName and get its groups.
You can get the list of foreign security principals in a domain by running Get-ADObject cmdlet with SearchBase set to CN=ForeignSecurityPrincipals,DC=domain,DC=com and LDAPFilter to something acceptable, like (|(objectCategory=user)(objectCategory=group)). Then, you can use this script to get its domain\username. Then you query that domain for DCs via Get-ADDomain and Get-ADDomainController, get the user object from there and run Get-ADPrincipalGroupMembership in your current domain against the retrieved user. An example (untested, as I have no env with many domains):
$ldf='(|(objectCategory=user)(objectCategory=group))'
$fspc=(get-addomain).ForeignSecurityPrincipalsContainer
$fsps = get-adobject -ldapfilter $ldf -searchbase $fspc
# got principals here
foreach ($fsp in $fsps) {
$fspsid=New-Object System.Security.Principal.SecurityIdentifier($fsp.cn)
($fspdomain, $fspsam) = ($securityPrincipalObject.Translate([System.Security.Principal.NTAccount]).value).Split("\")
# ^ this can throw exceptions if there's no remote user, take care
$fspdc=(get-addomaincontroller -domainname $fspdomain -discover)[0] # taking first one
$fspuser=get-aduser $fspsam -server $fspdc.hostname # use crossdomain DNS to resolve the DC
$fspgroups=get-adprincipalgroupmembership $fspuser # local query
$fspgroups # now do whatever you need with them and the $fspuser
}