0

I am building a report on our Active Directory groups and am having a hard time when it comes to different forests.

We have groups from forestA with users inside from forestB. I was able to pull those groups using Quest AD:

 $GroupUsers = Get-QADGroupMember $GroupName -Type 'user' -Indirect 

The only problem is that even though the users inside are from forest B, they come up showing they are from forestA. They do exist in both forests, don't know if that's a problem.

Any clue on why this happens?

Thanks in advance.

2
  • Can you use the PowerShell AD module bundled with Windows? Maybe that one doesn't have these issues. Just in case. Commented May 29, 2017 at 15:23
  • I tried, but with the Windows module I couldn't even find the group of a different forest. Commented May 29, 2017 at 15:29

2 Answers

1

There is a -Server parameter on the Get-ADGroupMember cmdlet where you may specify a domain controller from another domain/forest. Something like:

Get-ADGroupMember -Identity $GroupName -Server DC.AnotherDomain.com

3 Comments

Whenever I use this parameter I get the same error: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. Which is funny because I can connect using the QAD-getmember.
Hm, you need to identify a domain controller in that other forest. I don't see any other way for Quest to get that info, except from domain services in another forest. Try running this: Get-ADDomainController -DomainName AnotherDomain.com and then query the server which is returned.
All I get is this: Domain : ttbb.bb-group.com Forest : bb-group.com HostName : {ttao10p00053.ttbb.bb-group.com} IPv4Address : 199.xx.xx.28 IPv6Address : Name : TTAO10P00053 Site : TAO01. But querying with this information doesn't work too.
0

You can query the forest for domains or all global catalogs: get-adforest (properties GlobalCatalogs, Domains). I often did something like this: I pulled the list of all SIDs in the group, then checked which ones belong to my domain/forest; the rest were searched in the external forest.
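The SID-splitting approach from this answer, as an added example (not code from the answerer): it reads member SIDs from the group, compares each SID's domain part with the domain SIDs of the current forest, and marks the rest for lookup in the other forest. The function names, the sample SIDs and `dc.forestB.example` are assumptions, and the group is assumed to live in the current domain.

```powershell
# Added example. Function names, sample SIDs and server name are hypothetical.
function Get-LocalForestDomainSid {
    # Domain SID of every domain in the current forest (Get-ADForest .Domains).
    (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Server $_).DomainSID.Value }
}

function Get-GroupMemberSid {
    param([string]$GroupName)
    # Direct members only (no nesting). Members from another forest are stored as
    # foreignSecurityPrincipal objects whose objectSid is the SID from that forest.
    (Get-ADGroup -Identity $GroupName -Properties member).member |
        ForEach-Object { (Get-ADObject -Identity $_ -Properties objectSid).objectSid.Value } |
        Where-Object { $_ }   # drop members without a SID, such as contacts
}

function Split-SidByForest {
    param([string[]]$MemberSid, [string[]]$LocalDomainSid)
    foreach ($s in $MemberSid) {
        # AccountDomainSid is $null for SIDs that are not domain accounts (e.g. S-1-5-32-544).
        $domainSid = ([System.Security.Principal.SecurityIdentifier]$s).AccountDomainSid
        $origin = if (-not $domainSid) { 'NotDomainAccount' }
                  elseif ($LocalDomainSid -contains $domainSid.Value) { 'Local' }
                  else { 'External' }
        [pscustomobject]@{ Sid = $s; DomainSid = "$domainSid"; Origin = $origin }
    }
}

# Constructed sample so the split can be tried without a directory connection.
$local   = 'S-1-5-21-1000000001-1000000002-1000000003'
$members = "$local-1105", 'S-1-5-21-2000000001-2000000002-2000000003-2201', 'S-1-5-32-544'
Split-SidByForest -MemberSid $members -LocalDomainSid $local | Format-Table

# Live use. Get-ADUser needs Active Directory Web Services on the target DC,
# which is the service named in the "Unable to contact the server" error above.
# $split = Split-SidByForest -MemberSid (Get-GroupMemberSid $GroupName) `
#                            -LocalDomainSid (Get-LocalForestDomainSid)
# $split | Where-Object Origin -eq 'External' |
#     ForEach-Object { Get-ADUser -Identity $_.Sid -Server 'dc.forestB.example' }
```

Reporting the `DomainSid` column next to each account makes it visible which forest issued the SID, even when an account with the same name exists in both forests.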
