How to search a different Active Directory Domain with PowerShell Get-ADGroupMember

22 June, 2018 by Jack Vamvas

Question: I'm using the PowerShell Get-ADGroupMember to iterate through various groups and return the members. This is working OK, as long as I'm searching in AD groups which are on the same domain server as the server I'm currently logged on.

For example, I've logged onto the domain mydomain1.admin.net. I have authority to check AD groups in this domain. But if I then attempt to do a search on another domain, e.g. mydomain2.admin.net, even though the domain is in the same AD farm, Get-ADGroupMember will not find the group.

To make things more confusing, if there is a mydomain2 AD group nested in a mydomain1 AD group and I use Get-ADGroupMember, then the PowerShell cmdlet will return all the members, including the nested group.

Yet, if I attempt to search only the mydomain2 group - NO GO!

 

Is there a way to search directly on another domain using Get-ADGroupMember?

Answer: The behaviour you've outlined is the way it works. If you want to access the other domain directly, within the same Active Directory, you can do so by using Get-ADGroupMember with the -Server parameter.

This is an example of how you would use the -Server parameter. It assumes your current logon is resolved on mydomain1.admin.net and you need to check the AD group on mydomain2.admin.net.

 

Get-ADGroupMember -Server 'mydomain2.admin.net' -Identity 'DBASupport' -Recursive

 

Once you access the data there are all sorts of usages. Commonly I use the PowerShell Get-ADGroupMember method to get base data for SQL Server security audits, IT audit, certification.

How to get DOMAIN login name with Powershell Get-ADGroupMember

How to Export Active Directory Group Members with Powershell Get-ADGroupMember 

 


Author: Jack Vamvas (http://www.sqlserver-dba.com)
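
For audit use, the same -Server call can be run over several domains so that each member is recorded with the domain it lives in and a failed lookup is recorded rather than skipped. This is an added example, not code from the original post: the function name Get-AuditGroupMember and the $targets list are hypothetical, and it assumes the ActiveDirectory (RSAT) module is installed and the caller has read access in both domains.

```powershell
Import-Module ActiveDirectory

# Constructed sample input: domain and group names are taken from the article's example.
$targets = @(
    @{ Server = 'mydomain1.admin.net'; Group = 'DBASupport' }
    @{ Server = 'mydomain2.admin.net'; Group = 'DBASupport' }
)

# Hypothetical helper: returns one row per member, or one FAILED row per group.
function Get-AuditGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Group
    )
    try {
        # -Server points the query at the other domain; -ErrorAction Stop makes
        # "group not found" or "access denied" land in the catch block.
        $members = Get-ADGroupMember -Server $Server -Identity $Group -Recursive -ErrorAction Stop
    }
    catch {
        # An audit must show that a group could not be read, not omit it.
        return [pscustomobject]@{
            QueriedServer = $Server; Group = $Group; Status = 'FAILED'
            SamAccountName = $null; ObjectClass = $null; MemberDomain = $null
            Detail = $_.Exception.Message
        }
    }
    foreach ($m in $members) {
        # Build the member's home domain from the DC= parts of its DN.
        # The split ignores commas escaped with a backslash inside a name.
        $dc = ($m.distinguishedName -split '(?<!\\),') -like 'DC=*'
        [pscustomobject]@{
            QueriedServer  = $Server; Group = $Group; Status = 'OK'
            SamAccountName = $m.SamAccountName
            ObjectClass    = $m.objectClass
            MemberDomain   = ($dc | ForEach-Object { $_.Substring(3) }) -join '.'
            Detail         = $m.SID.Value
        }
    }
}

$report = foreach ($t in $targets) { Get-AuditGroupMember @t }
$report | Sort-Object Group, Status, MemberDomain, SamAccountName | Format-Table -AutoSize
```

Rows where MemberDomain differs from QueriedServer are the cross-domain memberships the question describes; FAILED rows need follow-up before the audit can be signed off.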

