Get recurse AD Group details with foreign principals

Hi Team,

I am using the below function to get AD group details along with foreign principals. However, I want to get the recursive membership of the AD group along with foreign principals:

    function Get-AdGroupForeignMembers
    {
        param(
            [Parameter(Mandatory)]
            [string]$group
        )

        $translatedMembers = @()

        # Read the member attribute directly instead of using Get-ADGroupMember,
        # which fails on groups that contain foreign security principals
        $members = (Get-ADGroup $group -Properties member).member
        foreach ($m in $members)
        {
            $orphan = $false
            $name   = ""
            $dn     = ([adsi]"LDAP://$m").DistinguishedName
            $ado    = Get-ADObject -Identity $dn

            # Foreign security principals are stored with their SID string as Name
            if ($ado.Name -match '^S-\d-\d+-\d+')
            {
                try
                {
                    # Resolve the SID through the trust to DOMAIN\Account
                    $name = ([System.Security.Principal.SecurityIdentifier]$ado.Name).Translate([System.Security.Principal.NTAccount]).Value
                }
                catch
                {
                    # SID no longer resolves: the account was deleted in the other domain
                    $name   = $ado.Name
                    $orphan = $true
                }
            }
            else
            {
                $name = $ado.Name
            }

            $translatedMembers += [PSCustomObject]@{
                Member   = $name
                Orphaned = $orphan
            }
        }

        Write-Output $translatedMembers
    }

Can anyone please help me with getting AD group details recursively along with foreign principals? Any help would be appreciated.

The reason for this is that I am working on a file server migration from one domain to another and I am facing issues with that.
I want to match both domains’ group data recursively.

Regards
Jatinder Pal Singh

What’s your actual question here? Is there something not working? Does your code not produce the output you’d expect? You explained what you want and some code but not what the problem is you’re facing. :wink:

Shouldn’t …

Get-ADGroupMember -Identity '<Group Name>' -Recursive

… actually do the job? I don’t have experience with different domains, but I’d expect you can distinguish accounts from different domains by their DistinguishedNames.

Hi @Olaf ,

Thanks for your quick response. Let me explain the issue.

We have 2 domains with bi-directional trust.

  1. Old Domain
  2. New Domain

The old domain will be decommissioned in the coming months, so I am working on a project to migrate all our file servers and their shares to the new domain. However, we will still have the old domain namespace DFS file share until it is decommissioned. So we need to map the permissions for both domains.

Now the issue occurs when users access the old DFS namespace share with a new domain ID. The problem is we can’t add Domain Local groups from the old domain to the new domain. We are left with the only option of mapping both domains’ group users.

There are new domain users added to the old domain groups at the time of domain migration, possibly done by a third party using some tools.

When I fetch the AD group members of the old domain, it doesn’t give output because that group has new domain users added as foreign principals. So I am using the above function to fetch users even if they are foreign principals. That function only fetches the parent group’s members and doesn’t have a recurse option. I want to have a recurse option where I can get the group’s recursive membership as well as foreign principals.

So Get-ADGroupMember -Identity ‘’ -Recursive gives the below error due to foreign principals in the group:

 Get-ADGroupMember : The operation completed successfully
 At line:1 char:1
+ Get-ADGroupMember -Identity '<Group Name>'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: ('<Group Name>':ADGroup) [Get-ADGroup
Member], ADException
+ FullyQualifiedErrorId : The operation completed successfully,Microsoft.Acti
veDirectory.Management.Commands.GetADGroupMember

We don’t have any option apart from matching the groups’ data manually. So I am looking for something new to add to the above function, or a completely new way to fetch recursive membership along with foreign principals of a group.

Thanks
Jatinder
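A recursive variant of the function posted above, added here as an example and not taken from the thread: it walks the member attribute (which, unlike Get-ADGroupMember, does not fail on foreignSecurityPrincipal objects), recurses into nested groups with loop protection, and translates foreign SIDs through the trust, flagging those that no longer resolve. The -Server and -Path parameters and the Type column are my additions; the ActiveDirectory module is assumed.

```powershell
function Get-ADGroupForeignMembersRecursive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Group,
        [string]$Server,              # optional DC or domain to query (assumed parameter)
        [hashtable]$Visited = @{},    # group DNs already expanded; breaks nesting loops
        [string]$Path = ''            # how this member was reached, for the report
    )
    # Splat -Server only when supplied, otherwise the default domain is used
    $ad = @{}
    if ($Server) { $ad.Server = $Server }
    # Read the member attribute directly; Get-ADGroupMember fails on groups with FSPs
    $groupObj = Get-ADGroup -Identity $Group -Properties member @ad
    $Visited[$groupObj.DistinguishedName] = $true
    $here = if ($Path) { "$Path > $($groupObj.Name)" } else { $groupObj.Name }
    foreach ($m in $groupObj.member) {
        try {
            $ado = Get-ADObject -Identity $m @ad
        } catch {
            # DN we cannot resolve (unreachable domain, deleted object): report and go on
            [PSCustomObject]@{ Member = $m; Type = 'unresolved'; Orphaned = $true; Path = $here }
            continue
        }
        if ($ado.ObjectClass -eq 'group') {
            # Recurse into nested groups, skipping any group already expanded
            if (-not $Visited.ContainsKey($ado.DistinguishedName)) {
                Get-ADGroupForeignMembersRecursive -Group $ado.DistinguishedName -Server $Server `
                    -Visited $Visited -Path $here
            }
        }
        elseif ($ado.ObjectClass -eq 'foreignSecurityPrincipal') {
            # Name holds the SID string; it translates only while the trust can resolve it
            $orphan = $false
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$ado.Name).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $name   = $ado.Name      # stale SID: account deleted in the other domain
                $orphan = $true
            }
            [PSCustomObject]@{ Member = $name; Type = 'foreignSecurityPrincipal'; Orphaned = $orphan; Path = $here }
        }
        else {
            [PSCustomObject]@{ Member = $ado.Name; Type = $ado.ObjectClass; Orphaned = $false; Path = $here }
        }
    }
}
```

Run it once against the old domain group and once against its counterpart in the new domain (for example with -Server set to each domain) and compare the two outputs on the Member column; rows with Orphaned set to true are SIDs that no longer resolve and can be dropped rather than migrated.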