Query Group Members from Trusted Forest AD

Here is my scenario; I need a little help.

Trying to query group members from a trusted forest with members in both forests.

I am in Forest 1
Forest 2 hosts the group
Forest 2 trusts forest 1
Group has members from both forests

When I use Quest cmdlets and run

connect-qadservice -service 'forest2.com:3268'
get-qadgroup 'Group_Name' | foreach { $_.member }

It works, but it lists names (DNs) of users in Forest 2 and SIDs (CN=S-1-5-21-xxxxxxxx) for forest 1, as they are FSPs.

How can I put the results in a variable, resolve the SIDs for forest 1 users, and have a full list for both sides?


This worked for me using the Quest snap-in

Connect-QADService -Service 'forest2.com'
Get-QADGroupMember -Identity 'Group Name From Forest 2' | Select DN

Nope, unfortunately that still returns SIDs for users in forest 1.
One thing I did realize running yours: I get an HRESULT (aka "server cannot be contacted") error from forest 1.

This DC is in a DMZ, so it may be a port issue. But if I run yours from a DC in that same DMZ I still get the SIDs. Seems I can connect over 3268.

I may have to look (or ask for suggestions) for an ADSI solution to grab all of them, then resolve the SIDs from forest 1's DC.

You need to translate the SIDs for the FSPs:

$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1454471165-1004335555-1606985555-5555")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])

Source: PowerShell Working with SIDs

Is there a good way to throw all of them in a variable to resolve? I may have 100 or more SIDs to resolve per group. Thanks.
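One way to do the batch resolution asked about above, combining the SID translation from the earlier answer with the ADSI retrieval the original poster mentioned. This is an added example, not code from the thread. It assumes the group lives in forest2.com, that the script runs on a machine joined to forest 1 (so the local LSA can follow the trust to resolve forest 1 SIDs), and the function names, the placeholder group name and the two sample DNs are all constructed for illustration.

```powershell
# Added example (not from the original thread).
# Assumptions: forest2.com hosts the group; this host is joined to forest 1;
# 'Group_Name' and the sample DNs below are placeholders.

function Resolve-ForeignSid {
    # Translate one SID string to DOMAIN\name. Translate() asks the local LSA,
    # which chains through the trust to a forest 1 DC for forest 1 SIDs.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned FSP (account deleted in forest 1) or no DC reachable:
        # keep the raw SID rather than dropping the member silently.
        Write-Warning "Could not map $Sid; keeping raw SID"
        $Sid
    }
}

function Expand-GroupMember {
    # Split member DNs into native forest 2 objects and FSPs, resolving the latter.
    param([Parameter(Mandatory)][string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # FSPs look like CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=forest2,DC=com
        if ($dn -match '^CN=(S-1-5-(?:\d+-)*\d+),CN=ForeignSecurityPrincipals,') {
            [pscustomobject]@{
                Source  = 'forest1 (FSP)'
                Account = Resolve-ForeignSid -Sid $Matches[1]
                DN      = $dn
            }
        } else {
            [pscustomobject]@{
                Source  = 'forest2'
                Account = $dn
                DN      = $dn
            }
        }
    }
}

function Get-GroupMemberDn {
    # Read the group's member attribute over the global catalog (port 3268),
    # mirroring the original poster's Quest query but with plain ADSI.
    param(
        [string]$Forest = 'forest2.com',            # assumption: trusted forest DNS name
        [Parameter(Mandatory)][string]$GroupName     # sAMAccountName of the group
    )
    $gcRoot   = [ADSI]"GC://$Forest"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Group '$GroupName' not found in $Forest GC" }
    @($result.Properties['member'])
}

# Offline check with constructed input (the second DN is the FSP form from the thread):
$sample = @(
    'CN=Jane Doe,OU=Users,DC=forest2,DC=com',
    'CN=S-1-5-21-1454471165-1004335555-1606985555-5555,CN=ForeignSecurityPrincipals,DC=forest2,DC=com'
)
Expand-GroupMember -MemberDn $sample | Format-Table -AutoSize

# Live run: everything lands in $resolved, one object per member, both forests.
$members  = Get-GroupMemberDn -GroupName 'Group_Name'
$resolved = Expand-GroupMember -MemberDn $members
$resolved | Format-Table -AutoSize
```

The DN list fed to Expand-GroupMember can equally come from the Quest cmdlets in the first post (get-qadgroup ... | foreach { $_.member }); only the FSP detection and translation matter. Two caveats: the global catalog only carries full member values for universal groups, so if the list comes back short for a global or domain local group, bind to port 389 on a DC in the group's own domain instead; and a single member attribute read returns at most 1500 values, so groups larger than that need ranged retrieval (member;range=0-1499 and so on).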