To start I have been successfully using the following script to get all the members of the AD groups in a specific OU including those from other forests:
$Groups = Get-ADGroup -Filter * -SearchBase "OU=User Groups,OU=Admin-Groups,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com" -Server DC1.forest1.blah.com
$Results = foreach ($Group in $Groups) {
    Get-ADGroupMember -Identity $Group | ForEach-Object {
        [pscustomobject]@{ GroupName = $Group.Name; Name = $_.Name }
    }
}
$Results | Export-Csv -Path "\\fs1.forest1.blah.com\Server Reports\user-tmp.csv"
pause

This works great until you get AD groups with hundreds of members, which results in a timeout. So what I am trying to do is use "Get-ADGroup $Group -Properties Member | Select -ExpandProperty Member" to get each group, the same as in the script above, which I don't know how to do. I need to do this because the users are in a different AD forest.
The output that I get when I enter one group is this:

CN=S-1-5-21-1234567890-987654321-912837465-123456,CN=ForeignSecurityPrincipals,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com
CN=S-1-5-21-1234567890-987654321-912837465-123475,CN=ForeignSecurityPrincipals,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com
CN=S-1-5-21-1234567890-987654321-912837465-123354,CN=ForeignSecurityPrincipals,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com

I need to extract the SID in order to do the lookup, but I need to have the ability to do this for each line:

$user = "CN=S-1-5-21-1234567890-987654321-912837465-123456,CN=ForeignSecurityPrincipals,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com"
$user = $user -split ',' | Select-Object -First 1
$user = $user -replace '^CN=', ''
Get-ADUser -Identity $user -Server dc1.forest2.blah.com

So at the end I can now support doing large lookups for members of our AD groups and still have it output to the CSV as originally defined in my beginning script.
To summarize: I need to extract the membership from all the AD groups to a CSV when dealing with two different AD forests, while supporting large AD groups because of the timeouts that I am receiving; other solutions online would work only if they are in the same AD forest. I am thinking that there might need to be a loop inside of a loop, because each group and its members need to be processed/identified before moving on to the next group. This might be able to be done in a variable, I suppose; I just don't know how to connect all the dots.
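One way to connect those pieces, as an added example that is not the asker's code: it reads the group's Member attribute instead of calling Get-ADGroupMember, pulls the SID out of each ForeignSecurityPrincipal DN, and resolves it against the other forest, caching lookups and flagging SIDs that no longer resolve (orphaned FSPs worth cleaning up in an access review). It assumes the forest1 DC serves the groups, the forest2 DC resolves the users, and the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not the asker's script). Assumed: groups live in forest1,
# foreign members resolve in forest2, RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

$SearchBase  = 'OU=User Groups,OU=Admin-Groups,DC=Site,DC=Local,DC=forest1,DC=blah,DC=com'
$GroupServer = 'DC1.forest1.blah.com'
$UserServer  = 'dc1.forest2.blah.com'
$OutFile     = '\\fs1.forest1.blah.com\Server Reports\user-tmp.csv'

# Cache SID -> name so a user who sits in many groups is resolved only once.
$SidCache = @{}

function Resolve-ForeignMember {
    param([string]$DistinguishedName)
    # A ForeignSecurityPrincipal DN carries the SID as its CN:
    #   CN=S-1-5-21-...-123456,CN=ForeignSecurityPrincipals,DC=...
    if ($DistinguishedName -notmatch '^CN=(S-1-5-[0-9-]+),CN=ForeignSecurityPrincipals,') {
        return $null   # not an FSP; caller resolves it locally
    }
    $sid = $Matches[1]
    if (-not $SidCache.ContainsKey($sid)) {
        try {
            $u = Get-ADUser -Identity $sid -Server $UserServer -ErrorAction Stop
            $SidCache[$sid] = $u.SamAccountName
        } catch {
            # SID no longer resolves in forest2: orphaned FSP, flag it for review.
            $SidCache[$sid] = "UNRESOLVED:$sid"
        }
    }
    return $SidCache[$sid]
}

# Reading the Member attribute directly avoids the Get-ADGroupMember timeout
# on large groups; each entry is a DN, not a resolved principal.
$Groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Server $GroupServer -Properties Member

$Results = foreach ($Group in $Groups) {
    foreach ($dn in $Group.Member) {
        $name = Resolve-ForeignMember -DistinguishedName $dn
        if ($null -eq $name) {
            # A principal from forest1 itself: resolve it by DN on the local DC.
            $name = (Get-ADObject -Identity $dn -Server $GroupServer).Name
        }
        [pscustomobject]@{ GroupName = $Group.Name; Name = $name }
    }
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
```

Members that are nested groups or computers in forest2 will fail the Get-ADUser lookup and show as UNRESOLVED; swap in Get-ADObject if those need resolving too.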