I have a scenario where **Domain1** is trusted by **Domain2**, but it's a one-way trust. In **Domain2**, the **Builtin\Administrators** group includes members from **Domain1**. Since **Domain2** is not trusted by **Domain1**, those members appear as foreign objects. When I run the `Get-ADGroupMember` command for the Administrators group on Domain2, I get an error message that says the server can't process the request due to an internal error. Interestingly, I can access and view all the members through the ADUC console in Domain1 without issues, but in Domain2, those foreign SIDs show up as expected due to the trust direction. If I have admin credentials for both domains, is there a workaround to generate a list of the group members?
2 Answers
Great approach! I actually wrote a script to achieve something similar. Here’s a quick primer on how it works: you set up your servers, use the `Get-ADDomain` command to find the Distinguished Name of the Builtin group, and then filter using the `objectSid` attribute. Once you have the members, you can loop through them, catch any errors, and resolve the SIDs using the other domain. This technique really streamlines the process. Let me know if you want details on the script!
It's definitely possible! The error you're encountering stems from the one-way trust setup affecting name resolution. Because Domain1 trusts Domain2, you can query from Domain1 to Domain2, but the reverse doesn't work since Domain2 can't resolve the foreign principals directly. To work around this, instead of relying on `Get-ADGroupMember`, you can manually query the member attributes in Domain2, identify which ones are foreign, retrieve their SIDs, and then resolve those SIDs in Domain1 using the credentials there. This way, you're controlling the resolution from both sides.
That sounds like a solid plan! By querying the raw attributes, you're avoiding the automated errors that can pop up. I’d definitely try running those specific queries you mentioned.

Thanks for sharing! It would be helpful to see your code. I might need to tweak it for my needs but it sounds great!
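The approach described in the answers above (read the raw `member` attribute in Domain2, pick out the foreign security principals, resolve their SIDs against Domain1) can be sketched as follows. This is an added example, not the script either answerer refers to; the server names are placeholder assumptions, and it uses the well-known SID `S-1-5-32-544` to locate the Administrators group rather than building its Distinguished Name.

```powershell
# Added example. Server names are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$Domain1Server = 'dc01.domain1.example'   # DC in the domain that owns the foreign accounts
$Domain2Server = 'dc01.domain2.example'   # DC in the domain that owns the group
$Domain1Cred   = Get-Credential -Message 'Domain1 credentials'
$Domain2Cred   = Get-Credential -Message 'Domain2 credentials'

# S-1-5-32-544 is the well-known SID of Builtin\Administrators.
# Read the raw 'member' attribute instead of calling Get-ADGroupMember.
$group = Get-ADGroup -Identity 'S-1-5-32-544' -Properties member `
    -Server $Domain2Server -Credential $Domain2Cred

$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName `
        -Server $Domain2Server -Credential $Domain2Cred
    $sid = $obj.objectSid.Value

    if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') {
        # Local member of Domain2: nothing to resolve.
        [pscustomobject]@{ Source = 'Domain2'; Name = $obj.sAMAccountName
                           Class  = $obj.ObjectClass; SID = $sid }
    }
    else {
        # Foreign principal: look the SID up in Domain1 with Domain1 credentials.
        $resolved = $null
        try {
            $resolved = Get-ADObject -Filter "objectSid -eq '$sid'" `
                -Properties sAMAccountName -Server $Domain1Server `
                -Credential $Domain1Cred -ErrorAction Stop
        }
        catch {
            Write-Warning "Lookup of $sid in Domain1 failed: $($_.Exception.Message)"
        }

        if ($resolved) {
            [pscustomobject]@{ Source = 'Domain1'; Name = $resolved.sAMAccountName
                               Class  = $resolved.ObjectClass; SID = $sid }
        }
        else {
            # Not found in Domain1: keep the SID so the entry is not silently dropped.
            [pscustomobject]@{ Source = 'Unresolved'; Name = $null
                               Class  = 'foreignSecurityPrincipal'; SID = $sid }
        }
    }
}

$report | Sort-Object Source, Name | Format-Table -AutoSize
```

Entries reported as `Unresolved` are foreign security principals whose SID does not exist in Domain1, for example a well-known principal, an account from another trusted domain, or a deleted account, and are worth reviewing individually.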