Query Group Members from Trusted Forest AD

This topic contains 4 replies, has 3 voices, and was last updated by  Bill Cancel 1 year, 9 months ago.

  • Author
  • #52867

    Bill Cancel

    Here is my scenario need a little help

    Trying to query group members from a trusted forest with members in both forest

    I am in Forest 1
    Forest 2 hosts the group
    Forest 2 trusts forest 1
    Group has members from both forests

    When I use Quest cmmdlets and run

    connect-qadservice -service 'forest2.com:3268'
    get-qadgroup 'Grou_Name' | foreach { $_.member }

    It works but lists names (DNC) of users in Forest 2 and Sids (CN=S-1-5-21-xxxxxxxx) for forest 1 as they are FSPs

    How can I put the results in a variable and resovle the sids for forest 1 users and have a full list for both sides?


  • #52980

    Paul Frankovich

    This worked for me using the Quest snap-in

    Connect-QADService -Service 'forest2.com'
    Get-QADGroupMember -Identity 'Group Name From Forest 2' | Select DN
  • #53002

    Bill Cancel

    nope unfortunatley that still returns sids for users in forest 1.
    One thing I did realize running your I get a hresult – aka server cannot be conntacted error from forest 1.

    This DC is in a DMZ so may be a port issue. But if i run yours from a DC in that same dmz I still get the sids. Seems I can connect over 3268

    I may have to look (or ask for suggestions) for an adsi solution to grad all then resolve sids from forest1's DC

  • #53798

    Nathan Todd

    You need to translate the SIDs for the FSPs:

    $objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1454471165-1004335555-1606985555-5555")
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])

    Source: PowerShell Working with SIDs

    • This reply was modified 1 year, 9 months ago by  Nathan Todd.
  • #53909

    Bill Cancel

    is there a good way to throw all of them in a variable to resolve? I may have 100 or more sids to resolve per group. thanks

You must be logged in to reply to this topic.