Remove user from a group belonging to another AD - powershell

We have 3 Domains connected through a trust, and I need to remove a user from multiple groups, including some that are in those other Domains.
I can see all groups through the command:
(Get-ADGroup -Server $Domain -Filter *).SamAccountName
I store that in a variable and loop over it with a FOREACH, running this command for each group:
Remove-ADGroupMember -Server $Domain -Identity "$group" -Members $User -Confirm:$false -Credential $Credential
But this does not work when I need to remove a user who belongs to another domain.
I tried to pass the user with parameters like:
B\User
User ObjectGUID
User SID
But none of them work.
How do I remove a user belonging to domain B from a group in domain A?
Remember that there is a trust relationship between them.

Related

Powershell Commands

I have figured out how to add active directory groups to a user using the following command
Add-ADGroupMember -Identity "Group Name" -Members "UserName"
Is there a way to add multiple groups to a user or multiple users to a group? I have tried comma separating the users and groups but it doesn't seem to work.
get-aduser username | Add-ADPrincipalGroupMembership -MemberOf "group1","group2"

How to run this script against another domain

I have the script below to give me the distinguished name for groups in a spreadsheet I have. The issue is, the groups are located in another domain. How do I point my script to that domain? The issue is I know I have to be logged in to that domain to run it, but I can't.
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group | Select-Object distinguishedName
}
The cmdlets in the Active Directory module support passing in the domain controller you want to query. By default, when you call Get-ADGroup (or any of the others) it determines which domain to query from the domain of your current machine.
The other option is to provide the -Server parameter with the Active Directory Domain Services instance you want to execute your query against.
You can also provide the -Credential parameter with a PSCredential object that contains your login for that other domain. This is required if the current login of your PowerShell session is not authorized to authenticate against that other domain.
So your example script would look something like this:
$AdDomain = "whatever.company.local"
$adCred = Get-Credential
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group -Server $AdDomain -Credential $adCred | Select-Object distinguishedName
}

Get-ADGroupMember with groups with members on external domains [closed]

I'm trying to build a script identifying all members and nested members of the Administrators group. My company currently has 20+ domains, the majority of which are not integrated. Instead, we simply build a trust between domains following acquisition. The problem is the Administrators group for these domains often has members from one of the external but trusted domains. If I run Get-ADGroupMember I have no problem, but if I run Get-ADGroupMember -Recursive it errors out. I'm assuming the issue is PS trying to look for the nested membership of a group located on one of our trusted domains but looking only on the current domain of the Administrators group.
PowerShell Script (replaced server with example domain):
$ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Resulting Error Message (replaced server with example domain):
PS H:\> $ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Get-ADGroupMember : There is no such object on the server
At line:2 char:1
+ Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Administrato...e,DC=domain,DC=com:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : There is no such object on the server,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
From the docs for Get-ADGroupMember:
Notes
This cmdlet does not work when a group has members located in a
different forest, and the forest does not have Active Directory Web
Service running.
Yes, your assumption is correct. (Without an exact error message) You can only enumerate membership from one domain at a time, i.e.
Get-ADGroup MyGroup -Server ContosoDC01 | Get-ADGroupMember -Recursive -Server ContosoDC01
Adding -Server highlights that you can only specify one domain to enumerate from at a time. Indeed, a straight-up Get-ADGroupMember will list the distinguished names and SIDs for the users/groups, including the SIDs for the users/groups from the other domains. But that is all that AD stores, the SID of the user/group. It does not store the membership.
To get the membership requires another, separate, call to the other domain to enumerate; and most of the time, cross domain permissions are not set up to allow your current account access to the other domain, and you get:
Get-ADGroupMember : The operation being requested was not performed because the user has not been authenticated

Remove AD-user in domain A from AD-group in domain B while my client is in domain C in PowerShell

Let's assume I have an AD-user in domain A which is in an AD-Group in domain B and my client is in domain C.
I want to remove the user from the group in PowerShell, but I really can't figure out how I can solve this problem using Remove-ADGroupMember or Remove-ADPrincipalGroupMembership since I can only pass one domain there.
I assume that domains A & B are not in the same forest, but are trusted.
The issue is that you're not removing a direct reference to the user: You're removing a Foreign Security Principal, which is an object on the same domain as the group that references the account in the trusted domain. I talk about this in a little more detail in an article I wrote: What makes a member a member?.
None of the PowerShell cmdlets seem to be able to handle these. But you can use .NET's DirectoryEntry class to do this. Here is an example ($username and $groupname are the names of the account and the group):
$u = Get-ADUser -Server domainA.com $username
#Get the Foreign Security Principal object for the user
$fsp = Get-ADObject -Server domainB.com -Filter "objectSid -eq '$($u.SID)'"
#Get the group
$g = Get-ADGroup -Server domainB.com $groupname
#Get a DirectoryEntry for the group (which is what the [ADSI] notation creates)
$group = [ADSI]"LDAP://domainB.com/$($g.DistinguishedName)"
#Remove the FSP from the group
$group.Properties["member"].Remove($fsp.DistinguishedName)
$group.CommitChanges()
You can use the cmdlet below to remove foreign principal objects from groups (the member value is the full DN of the FSP, which sits in the ForeignSecurityPrincipals container):
Set-ADGroup -Identity 'GroupName' -Remove @{member='CN=S-1-5-blah-blah-blah,CN=ForeignSecurityPrincipals,DC=domain,DC=com'}
Steps:
Get the DistinguishedName of the foreign principal member (the CN of an FSP is the SID of the remote account, so match on its prefix):
$mem = (Get-ADGroup 'GroupName' -Properties member).member | Where-Object { $_ -like "CN=S-1-5-21-BLAHBLAH*" }
Set-ADGroup -Identity 'GroupName' -Remove @{member=$mem}
You can also use Set-ADGroup -Clear member to empty group membership including foreign principal objects.
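Putting the two answers above together as one function, as an added example that is not from either answer: it reads the user's SID in its home domain, finds the matching FSP in the group's domain, checks direct membership, removes the FSP DN with Set-ADGroup -Remove, and re-reads the group to verify. The domain names, group name and user name in the usage line are constructed placeholders.

```powershell
# Added example, not from the answers above. Assumed: domainA.com holds the user, domainB.com holds
# the group, and $Credential (if given) is an account allowed to modify that group.
function Remove-ForeignGroupMember {
    param(
        [Parameter(Mandatory)][string]$UserDomain,
        [Parameter(Mandatory)][string]$UserName,     # sAMAccountName in $UserDomain
        [Parameter(Mandatory)][string]$GroupDomain,
        [Parameter(Mandatory)][string]$GroupName,
        [pscredential]$Credential                    # only needed if your session cannot write to $GroupDomain
    )
    # Every call against the group's domain goes through one splat so -Credential is applied consistently
    $b = @{ Server = $GroupDomain }
    if ($Credential) { $b.Credential = $Credential }

    # 1. The group in domain B does not store the user, only a Foreign Security Principal whose
    #    objectSid equals the user's SID. Read that SID from the user's own domain.
    $sid = (Get-ADUser -Server $UserDomain -Identity $UserName).SID.Value

    # 2. Find the FSP in domain B by SID (it lives in CN=ForeignSecurityPrincipals,<domain DN>)
    $fsp = Get-ADObject @b -Filter "objectClass -eq 'foreignSecurityPrincipal' -and objectSid -eq '$sid'"
    if (-not $fsp) {
        Write-Warning "$UserDomain\$UserName has no FSP in $GroupDomain, so it cannot be a direct member there"
        return $false
    }

    # 3. Confirm direct membership first, so a failed -Remove is not mistaken for a missing FSP.
    #    Membership inherited through a nested group is not touched by this function.
    $group = Get-ADGroup @b -Identity $GroupName -Properties member
    if ($group.member -notcontains $fsp.DistinguishedName) {
        Write-Warning "$($fsp.DistinguishedName) is not a direct member of $GroupName"
        return $false
    }

    # 4. Remove the FSP's DN from the multi-valued 'member' attribute
    Set-ADGroup @b -Identity $group -Remove @{ member = $fsp.DistinguishedName }

    # 5. Re-read the group and verify rather than trusting the absence of an error
    $after = Get-ADGroup @b -Identity $GroupName -Properties member
    return ($after.member -notcontains $fsp.DistinguishedName)
}

# Usage with constructed names; returns $true when the FSP was removed and the removal was verified
$cred = Get-Credential -Message 'Account with write access to the group in domainB.com'
Remove-ForeignGroupMember -UserDomain 'domainA.com' -UserName 'jdoe' `
    -GroupDomain 'domainB.com' -GroupName 'AppAdmins' -Credential $cred
```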

Processing ForeignSecurityPrincipal

DomainA and DomainB trust each other. Some DomainB users are members of DomainA local domain groups. How can I get ForeignSecurityPrincipal in PowerShell and get list of its groups?
That was surprisingly simple:
Get-ADObject -Filter {ObjectClass -eq "foreignSecurityPrincipal"} -Properties msds-principalname,memberof
where "msds-principalname" is sAMAccountName, so I can search now through FSPs by sAMAccountName and get its groups.
You can get the list of foreign security principals in a domain by running Get-ADObject cmdlet with SearchBase set to CN=ForeignSecurityPrincipals,DC=domain,DC=com and LDAPFilter to something acceptable, like (|(objectCategory=user)(objectCategory=group)). Then, you can use this script to get its domain\username. Then you query that domain for DCs via Get-ADDomain and Get-ADDomainController, get the user object from there and run Get-ADPrincipalGroupMembership in your current domain against the retrieved user. An example (untested, as I have no env with many domains):
# FSPs have their own object class; an objectCategory=user/group filter would not match them
$ldf = '(objectClass=foreignSecurityPrincipal)'
$fspc = (Get-ADDomain).ForeignSecurityPrincipalsContainer
$fsps = Get-ADObject -LDAPFilter $ldf -SearchBase $fspc
# got principals here; the Name (CN) of an FSP is the SID string of the remote account
foreach ($fsp in $fsps) {
    $fspsid = New-Object System.Security.Principal.SecurityIdentifier($fsp.Name)
    try {
        ($fspdomain, $fspsam) = $fspsid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')
    } catch {
        # ^ this throws if there's no remote user (orphaned FSP, or trust unreachable), take care
        Write-Warning "Cannot resolve $($fsp.Name): $_"
        continue
    }
    $fspdc = Get-ADDomainController -DomainName $fspdomain -Discover      # one DC of the remote domain
    $fspuser = Get-ADUser $fspsam -Server $fspdc.HostName[0]              # use cross-domain DNS to resolve the DC
    $fspgroups = Get-ADPrincipalGroupMembership $fspuser                   # local query
    $fspgroups # now do whatever you need with them and the $fspuser
}
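Following on from the enumeration approach above, here is an added audit example that is not from the answers: it lists every FSP in a domain, resolves each SID through the trust, separates the ones that resolve from orphaned ones (account deleted in the trusted domain) and unreachable ones (lookup failed), and reports which groups still reference them. The function name and the -Server default are my own choices.

```powershell
# Added example, not from the answers above. Assumes the AD module and a reachable trust path
# from the machine running it; -Server defaults to the current domain.
function Get-FspAudit {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    $fspContainer = (Get-ADDomain -Server $Server).ForeignSecurityPrincipalsContainer
    $fsps = Get-ADObject -Server $Server -SearchBase $fspContainer `
        -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid, memberOf
    foreach ($fsp in $fsps) {
        $sid     = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        $account = $null
        try {
            # Well-known SIDs (e.g. S-1-5-11 Authenticated Users) also live here and resolve locally;
            # domain SIDs from a trusted domain are resolved through the trust
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status  = 'Resolved'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Account no longer exists in the trusted domain: the FSP is orphaned, but any group
            # it is still a member of keeps carrying that grant until the FSP is removed
            $status = 'Orphaned'
        } catch {
            # Trust or LSA lookup failed; cannot tell whether the account exists
            $status = 'Unreachable'
        }
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $account
            Status  = $status
            Groups  = @($fsp.memberOf | Where-Object { $_ })   # direct memberships only, as DNs
        }
    }
}

# Orphaned FSPs that still grant membership somewhere are the ones worth cleaning up first
Get-FspAudit | Where-Object { $_.Status -eq 'Orphaned' -and $_.Groups.Count -gt 0 } |
    Format-Table Sid, Groups -AutoSize
```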