Here is my scenario; I need a little help.
Trying to query group members from a trusted forest with members in both forests.
I am in Forest 1
Forest 2 hosts the group
Forest 2 trusts forest 1
Group has members from both forests
When I use Quest cmdlets and run
connect-qadservice -service 'forest2.com:3268'
get-qadgroup 'Group_Name' | foreach { $_.member }
It works but lists names (DNs) of users in Forest 2 and SIDs (CN=S-1-5-21-xxxxxxxx) for forest 1, as they are FSPs.
How can I put the results in a variable, resolve the SIDs for forest 1 users and have a full list for both sides?
Thanks
This worked for me using the Quest snap-in
Connect-QADService -Service 'forest2.com'
Get-QADGroupMember -Identity 'Group Name From Forest 2' | Select DN
Nope, unfortunately that still returns SIDs for users in forest 1.
One thing I did realize running yours: I get an HRESULT (aka "server cannot be contacted") error from forest 1.
This DC is in a DMZ so it may be a port issue. But if I run yours from a DC in that same DMZ I still get the SIDs. Seems I can connect over 3268.
I may have to look (or ask for suggestions) for an ADSI solution to grab all, then resolve the SIDs from forest 1's DC.
You need to translate the SIDs for the FSPs:
# Build a SecurityIdentifier from the SID string (the sample value from the post), then ask the
# local LSA to translate it to DOMAIN\user; from a forest 1 machine this resolves forest 1 accounts.
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1454471165-1004335555-1606985555-5555")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value
Source: PowerShell Working with SIDs
Is there a good way to throw all of them in a variable to resolve? I may have 100 or more SIDs to resolve per group. Thanks.
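Pulling the two threads together (the per-SID Translate() answer above and the follow-up question about resolving 100+ SIDs per group), here is an added example that is not from the original thread. It assumes the Quest snap-in is loaded, reuses the forest2.com:3268 connection and the group name from the first post, and assumes the FSP distinguished names have the usual shape CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=...; Resolve-FspMember is a name introduced here, not a Quest cmdlet. It collects the member DNs once into a variable, picks out the FSP entries by their SID-shaped RDN, translates each SID through the local LSA (which follows the trust to forest 1 when run from a forest 1 host), and keeps the SIDs that fail to translate in a separate list instead of silently dropping them.

```powershell
# Added example, not code from the original thread. Assumes the Quest snap-in is loaded;
# the group name, server and FSP DN layout are taken from the thread / standard AD layout.

function Resolve-FspMember {
    param(
        [Parameter(Mandatory = $true)][string]$MemberDn
    )
    # An FSP's DN carries the SID string as its RDN value; ordinary members have a normal CN.
    if ($MemberDn -match '^CN=(S-1-5-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,') {
        $sidString = $Matches[1]
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
            # Translate() performs an LSA lookup from the local machine, so run this from a host
            # in forest 1 (the forest that owns these SIDs) or one that can reach its DCs.
            $account = $sid.Translate([System.Security.Principal.NTAccount])
            [pscustomobject]@{ DN = $MemberDn; SID = $sidString; Account = $account.Value; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # SID exists as an FSP but no account maps to it (deleted user, or trust/port problem).
            [pscustomobject]@{ DN = $MemberDn; SID = $sidString; Account = $null; Resolved = $false }
        }
        catch {
            # Any other failure (e.g. the DC could not be contacted); record it rather than abort the run.
            [pscustomobject]@{ DN = $MemberDn; SID = $sidString; Account = "ERROR: $($_.Exception.Message)"; Resolved = $false }
        }
    }
    else {
        # Native forest 2 member: the DN is already the readable name.
        [pscustomobject]@{ DN = $MemberDn; SID = $null; Account = $null; Resolved = $true }
    }
}

# Connect to the global catalog once and pull every member DN into a variable.
Connect-QADService -Service 'forest2.com:3268' | Out-Null
$members = Get-QADGroup -Identity 'Group_Name' | ForEach-Object { $_.member }

# Resolve the whole list in one pass; forest 2 users keep their DN, forest 1 users gain an Account value.
$resolved = $members | ForEach-Object { Resolve-FspMember -MemberDn $_ }

$resolved | Select-Object DN, SID, Account, Resolved | Format-Table -AutoSize

# SIDs that did not translate are left for a second pass (e.g. from a DC inside the DMZ, or via LDAP to forest 1).
$unresolved = $resolved | Where-Object { -not $_.Resolved }
"Unresolved FSP SIDs: $($unresolved.Count)"
```

Translate() resolves through the machine's own LSA, so if the forest 1 DCs are unreachable from where the script runs (the DMZ/port symptom mentioned earlier in the thread), those entries land in $unresolved rather than crashing the loop, and you can retry just those from a host that can reach forest 1.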