August 31, 2016 at 7:52 pm

Here is my scenario, I need a little help.

Trying to query group members from a trusted forest with members in both forests.

I am in Forest 1
Forest 2 hosts the group
Forest 2 trusts forest 1
Group has members from both forests

When I use Quest cmdlets and run

# Connect to forest 2's global catalog (port 3268) and list the group's member DNs
Connect-QADService -Service 'forest2.com:3268'
Get-QADGroup 'Group_Name' | ForEach-Object { $_.Member }

It works but lists names (DN) of users in Forest 2 and SIDs (CN=S-1-5-21-xxxxxxxx) for forest 1 as they are FSPs.

How can I put the results in a variable and resolve the SIDs for forest 1 users and have a full list for both sides?

Thanks

September 1, 2016 at 12:48 pm

This worked for me using the Quest snap-in

Connect-QADService -Service 'forest2.com'
Get-QADGroupMember -Identity 'Group Name From Forest 2' | Select DN

September 1, 2016 at 1:26 pm

Nope, unfortunately that still returns SIDs for users in forest 1.
One thing I did realize running yours: I get an HRESULT (aka "server cannot be contacted") error from forest 1.

This DC is in a DMZ so it may be a port issue. But if I run yours from a DC in that same DMZ I still get the SIDs. Seems I can connect over 3268.

I may have to look (or ask for suggestions) for an ADSI solution to grab all, then resolve SIDs from forest 1's DC.

September 8, 2016 at 4:41 am

You need to translate the SIDs for the FSPs:

# Build a SecurityIdentifier from the SID string and ask the local LSA to translate it to DOMAIN\user
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1454471165-1004335555-1606985555-5555")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value

Source: PowerShell Working with SIDs


September 8, 2016 at 3:09 pm

Is there a good way to throw all of them in a variable to resolve? I may have 100 or more SIDs to resolve per group. Thanks
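The SID translation step shown earlier, applied in bulk to the member DNs the Quest cmdlets return, as an added example that is not from any participant in this thread. It assumes FSP members appear under the ForeignSecurityPrincipals container with the SID as their CN, and that the machine running it can reach a DC that can look up forest 1 SIDs over the trust; the member list below is a constructed sample.

```powershell
# Added example (not from the thread): resolve FSP member SIDs to DOMAIN\user in bulk,
# keeping a status per member so orphaned or unreachable lookups are visible, not lost.
# Live query (assumes the Quest snap-in is loaded and forest2.com's GC answers on 3268):
#   Connect-QADService -Service 'forest2.com:3268' | Out-Null
#   $members = (Get-QADGroup 'Group_Name').Member
# Constructed sample so the script runs offline; the SID below is not a real account:
$members = @(
    'CN=Jane Doe,OU=Users,DC=forest2,DC=com',
    'CN=S-1-5-21-1454471165-1004335555-1606985555-5555,CN=ForeignSecurityPrincipals,DC=forest2,DC=com'
)

function Resolve-GroupMemberDN {
    param([string[]]$DistinguishedName)

    foreach ($dn in $DistinguishedName) {
        # FSP objects live in the ForeignSecurityPrincipals container and their CN is the SID.
        if ($dn -match '^CN=(S-1-5-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sidText = $Matches[1]
            try {
                $sid    = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $status = 'Resolved'
            } catch {
                # Typical causes: the LSA lookup to forest 1 is blocked (the DMZ port issue
                # mentioned above), or the forest 1 account was deleted and the FSP is orphaned.
                $name   = $null
                $status = "Unresolved: $($_.Exception.Message)"
            }
            [pscustomobject]@{ DN = $dn; SID = $sidText; Name = $name; Status = $status }
        } else {
            # Native forest 2 member: the DN already identifies the account.
            [pscustomobject]@{ DN = $dn; SID = $null; Name = $dn; Status = 'Native' }
        }
    }
}

$resolved = Resolve-GroupMemberDN -DistinguishedName $members
$resolved | Format-Table -AutoSize

# Unresolvable FSPs are worth a second look: they are usually stale memberships
# left behind after the forest 1 account was removed.
$resolved | Where-Object { $_.Status -like 'Unresolved*' }
```

Running it against the live `$members` list from Get-QADGroup gives one object per member, so the whole group can be exported or filtered from the `$resolved` variable.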