Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1421
  • Last Modified:

Is it possible to export AD group members from another domain, not just the local domain?

Two domains in one forest.
Getting ready for domain merge, but wanted to export AD group members for backup.
Using AD Powershell on 2008 Server R2 in target domain.
Success in running get-adgroupmember but only shows local members, not members from the other domain
0
mdb1008
Asked:
mdb1008
  • 6
  • 5
  • 3
2 Solutions
 
Dale HarrisProfessional Services EngineerCommented:
mdb1008,

With Quest Powershell CMDlets, you can use this command:

Get-QADGroupMember -Service "domain.name" if you want to connect to a different domain.

HTH,

Dale Harris
0
 
mdb1008Author Commented:
mkline71,
Thanks for the added zone.  I tried to find the powershell zone to add myself, but probably just didn't look in the right places.

Daleharris,
I saw the Quest Powershell CMDlets today when I googled this, but did not get the chance to download and try it yet.  I just downloaded the free Quest zip file and will take it to work in the morning to test it out.  I'll post and let you know the results.  It really looks pretty simple...
0
 
Dale HarrisProfessional Services EngineerCommented:
Quest CMDLets are the preferred method of dealing with AD even with the AD CMDlets Microsoft put out with the newest version of Powershell.  I'm looking forward to seeing if it works as easy as advertised :)

Dale Harris
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Krzysztof PytkoActive Directory EngineerCommented:
Syntax for Quest PowerShell (Quest PS can be downloaded from http://www.quest.com/powershell/activeroles-server.aspx)

 
Get-QADGroup -SearchRoot "dc=domain,dc=local" "GroupName" | Get-QADGroupMember -Indirect | Get-QADUser | select givenName,sn,sAMAccountName

Open in new window


for 2008 R2 I cannot provide syntax because I have no access to 2008R2/Win7, now and I'm not expert in PS to get from memory ;)

Regards,
Krzysztof
0
 
mdb1008Author Commented:
Okay, the Quest software is as simple as it looks.  I was able to connect to the other domain on the first try using Dale Harris suggested CMDlet.  I still have the problem I originally had though.  I need to be able to export to csv or text file ALL members of the group in one domain (including members from the other domain).  Connecting to the other domain doesn't help with this since the group is not in the other domain.  Does this make sense?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Try this

 
Get-QADGroup -SearchRoot "dc=domain,dc=local" "GroupName" | Get-QADGroupMember -Indirect | Get-QADUser | select givenName,sn,sAMAccountName | Export-CSV c:\members.csv

Open in new window


Krzysztof
0
 
Dale HarrisProfessional Services EngineerCommented:
Yes, that makes sense now that I've read it a couple times :)

So when you do a full get-qadgroupmember on the group and look at the results, you're saying none of the people from the other domain are even showing up as contacts?

Please let me know how they are being seen by your group.

If you have SOMETHING from the other domain, but it's not an exact user account, then we can do a search on referenced account with a subsequent command.

Or if that approach doesn't work, we can go through each user account in the other domain and look for a group membership pointing back to your 1st domain.

Are you following so far?

Lastly, exporting to a text file is the easiest part of the problem, so no issues there once we can find all the users.

HTH,

Dale Harris
0
 
mdb1008Author Commented:
Thanks to both of you.  The exporting to .csv file I already figured out while waiting for a reply.

Krzysztof's command only showed members from local domain, not the other domain.

To answer Dale's question:  In AD there is an OU for this other domain but members are listed with "@otherdomain.com" after their username.  They show up on security or distribution group "Members" tab in that format - "username@otherdomain.com".

Does this help?

0
 
Krzysztof PytkoActive Directory EngineerCommented:
Command should display all users :) (in my env shows people from different domains )

@domain.name is a UPN (User Principla Name) Maybe you want to add it to display?

then in after select sAMAccountName,givenName,sn,UserPrincipalName

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
It should show users from all domains, because Get-QADUser uses user's Distinguished Name to get specified data in the output :]

Krzysztof
0
 
mdb1008Author Commented:
Krzysztof,
The problem is not that the UserPrincipalName is not displayed.
The problem is the other domain members in the group are not displayed.
This might not be something Quest Powershell can do since the other domain users are only in the group as contacts.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK then :) wait for PS expert :]
I don't know how to get contact in PS

That syntax works only for user's accounts

Wish you luck

Krzysztof
0
 
mdb1008Author Commented:
Okay, I found software that does this stuff for me.  ADManagerPlus actually listed everyone in all Distribution Groups and Security Groups and let me export to .csv or .pdf.  I downloaded the 30 day trial version.  The only thing I cannot do is connect to the other domain, but that is not necessary now as I can remote to the other domain and run the trial software from there as well.

Thanks to both of you for your help with this.  If I did not have contacts both of you would have resolved my issue.  I am splitting the points between you both.
0
 
mdb1008Author Commented:
The solution provided here did not work for me due to there being contacts in the group rather than users, but this solution will work for anyone that has multiple domains with members of groups being users.

Thanks for all the help!
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 6
  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now