Solved

Get-QADGroupMember Administrators Not Working

Posted on 2014-04-03
3
707 Views
Last Modified: 2014-04-03
I'm trying to get a list of members (users/groups) within the Built-in Administrators group for the domain.

When I run the Get-QADGroup Administrators | Select Name

It returns an error:

Get-QADGroupMember : The trust relationship between the primary domain and the trusted domain failed.
At line:1 char:19
+ Get-QADGroupMember <<<<  "Administrators" | Select Name
    + CategoryInfo          : NotSpecified: (:) [Get-QADGroupMember], SystemException
    + FullyQualifiedErrorId : System.SystemException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroup
   MemberCmdlet

Open in new window


I am able to successfully run the the following dsquery command, but returns the full CN path.

I would prefer to have the Get-QADGroupMember option working for consistency for my purposes, but if I am limited to the dsquery command, I would like to know how to get the results to just list the name of the Account or Group, instead of the full CN

dsquery group "DC=company,DC=com" -name "Administrators" | dsget group -members -expand

Open in new window


Thanks.
0
Comment
Question by:fireguy1125
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 500 total points
ID: 39976751
1.  If that's the error you're getting on number 1, can you verify (In AD Domains and Trusts) that the Trust between your primary domain and the trusted domain is in fact ok?  Start there and re-post with results.

2.  If you are limited to #2, use this will help the output
-o {dn | rdn | samid}
Specifies the format that dsquery uses to display the search results. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. The default value is dn.

Per this link:  http://technet.microsoft.com/en-us/library/cc754525.aspx
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39976782
I actually had an invalid foreign security principal as a group member, which when removed was able to retrieve the results. Thanks for the #2 option as well.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39976812
Any time.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question