Using Get-ADGroupMember recursively across multiple domains in a Forest

Quick question for the gurus around here....

We are using a script that is querying the Local Administrators group on a Server. It will pull the Users as well as the Groups that are a member of the Local Admins group on a server/system and, using the recursive parameter with Get-ADGroupMember, it will also list the members of any groups. However, we seem to hit a snag when a Group is a member of another domain or even if the group is a member of the parent domain/forest.

For example...One of the Members of the Local Admin group on a server is the "Enterprise Admins". This group lives in "Corp.Fabrikam.com" yet the server is one level deeper in "ChildDomain.Corp.Fabrikam.com". So of course, when looking in the Child Domain there is no Enterprise Admins group for it to find and it gives us an error that it cannot be found. Same thing for Groups that live in other child domains of the forest (ChildDomain2.corp.Fabrikam.com).

I am trying to figure out how to get the command to distinguish between these differences of the Group accounts and return the results from the domain those accounts live in. Any ideas if this is normal behavior or if there is a workaround?


Thanks!

March 30th, 2015 2:27pm

You have to chase the answer.  If you do not have permissions on those domains you cannot retrieve the info.  I suspect it is your script that is wrong and not AD because AD tends to work as required.

In other words.  Without a script we cannot be of much help.

March 30th, 2015 7:41pm

Sorry JVR...I did not post a script as I did not think it was really a script question...more of a does this command support cross domain or forest inquiries. However after looking at the Command specifics I think we determined it doesn't by default.
March 31st, 2015 12:53pm
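
An added example, not code from any poster in this thread: one way to audit nested local-admin membership across a forest is to query each group on the domain named in its own distinguished name instead of relying on `-Recursive` against the server's domain. The helper function names and the `CORP` NetBIOS name are assumptions for illustration; the account running it needs read access in every domain it touches.

```powershell
Import-Module ActiveDirectory

# Map each forest domain's NetBIOS name to its DNS name (CORP -> Corp.Fabrikam.com).
function Get-ForestDomainMap {
    $map = @{}
    foreach ($dns in (Get-ADForest).Domains) {
        $d = Get-ADDomain -Server $dns
        $map[$d.NetBIOSName] = $d.DNSRoot
    }
    return $map
}

# Build the DNS domain from the DC= components of a distinguished name.
function Get-DomainFromDN([string]$DistinguishedName) {
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    return (($parts | ForEach-Object { $_.Substring(3) }) -join '.')
}

# Walk the 'member' attribute, asking each object's own domain about it.
# Note: 'member' does not list accounts that hold the group as primary group.
function Expand-GroupAcrossDomains {
    param([string]$GroupDN, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }    # guard against nesting loops
    $Seen[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Server (Get-DomainFromDN $GroupDN) -Properties member
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN) -Properties sAMAccountName
        if ($obj.ObjectClass -eq 'group') {
            Expand-GroupAcrossDomains -GroupDN $obj.DistinguishedName -Seen $Seen
        } else {
            [pscustomobject]@{
                Domain   = Get-DomainFromDN $obj.DistinguishedName
                Name     = $obj.sAMAccountName
                Class    = $obj.ObjectClass   # foreignSecurityPrincipal = account from another forest
                ViaGroup = $group.Name
            }
        }
    }
}

# Constructed sample: one entry as read from a server's local Administrators group.
$entry = 'CORP\Enterprise Admins'
$netbios, $name = $entry -split '\\', 2
$server = (Get-ForestDomainMap)[$netbios]
if ($server) {
    $root = Get-ADGroup -Identity $name -Server $server
    Expand-GroupAcrossDomains -GroupDN $root.DistinguishedName
} else {
    Write-Warning "No forest domain with NetBIOS name '$netbios'; '$entry' is local or external."
}
```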
