I am trying to locate the group memberships for a specified user account. One domain's user account is often a member of a group in the other domains (some domains require a different admin account). Using Get-QADGroup, I can successfully search each domain individually, but when I try to loop through the domains, I can only find results in the domain that I am logged into.

```powershell
# Script to change domains and look for group memberships for a specified user account.
$domains = "dom1.ad.state.company.com","dom2.ad.state.company.com","dom3.ad.state.company.com","dom4.ad.state.company.com","corporate.state.company.com","OddNamedDom.com"
$cred = Get-Credential
$userAcc = Read-Host "Enter domain\username for Group Membership Search"
foreach ($domain in $domains)
{
    Write-Host "In the domain $domain "," $userAcc is a direct member of..."
    # Query each domain for groups that list the account as a direct member
    Get-QADGroup -Service $domain -Credential $cred -ContainsMember $userAcc | Select-Object Name
} # foreach domain
Connect-QADService -Service 'dom1.ad.state.company.com'
```
When I run the script I get results for dom1 (the domain I am logged into) and the rest throw the following errors. I am not sure why the "Ref 1:.." lines are pointing to 'dom1'. I thought that might be the source of the issue. I have copied the PowerShell output below showing the error messages.

```text
In the domain dom1.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Name
----
DOM1-G-ITS-DS-Company Services
DOM1PGUELFP00003-Exmerge-R
DOMPGUELFP00003-Exmerge-C
ITSPPTBOSHFS003-FSSHARE-C
Domain Users
In the domain dom2.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+ Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupCmdlet
In the domain dom3.ad.state.company.com dom1\brownd2.admin.dom1 is a direct member of...
Get-QADGroup : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'dom1.ad.state.company.com'
At C:\TestScripts\tGet-UserAllMemberships.ps1:24 char:6
+ Get-QADGroup -service $domain -Credential $cred -Containsmember $userAcc | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupCmdlet
```
There is a similar set of errors for each domain that I am checking. I have not posted the full list of error messages.

If I change the order of the domains in the array, the errors and the results of the one successful domain just change order to match the array. I thought that it might just be successful for the first iteration of the loop. Not the case, though.

I know that the account is a member of groups in Dom2 and not in any groups in Dom3. If I take the commands out of the foreach loop and run them individually for each domain in the console, I do get the expected results. Based on the individual results, I had thought that this would be a straightforward example to do in a loop, but I am not connecting correctly to the domains.

What can I change?
Here is a solution using the System.DirectoryServices.AccountManagement namespace, adapted to PowerShell from C# code. It's a kind of recursive solution. In Find Recursive Group Membership (Active Directory) using C#, I give a recursive solution (using basic ADSI available from PowerShell 1.0) that also works with distribution groups.
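As an added illustration of the AccountManagement approach the answer refers to (example code written for this page, not the answerer's script): the user is resolved once in its home domain, and `Principal.GetGroups(PrincipalContext)` is then called with a separate context for each domain, which returns the groups stored in that domain that list the user as a member. The domain names and the sAMAccountName are taken from the question; that one credential can bind to every domain is an assumption.

```powershell
# Added example, not the answer's own code: direct group memberships of one user
# across several domains via System.DirectoryServices.AccountManagement.
# Assumption: the credential entered below can bind to each listed domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$userDomain = 'dom1.ad.state.company.com'   # home domain of the account being checked
$samAccount = 'brownd2.admin.dom1'           # sAMAccountName, from the question's output
$domains    = 'dom1.ad.state.company.com',
              'dom2.ad.state.company.com',
              'dom3.ad.state.company.com'
$cred = Get-Credential

# Bind to the user's own domain once and resolve the user principal there.
$homeCtx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain,
    $userDomain, $cred.UserName, $cred.GetNetworkCredential().Password)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
    $homeCtx,
    [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName,
    $samAccount)
if (-not $user) { throw "User $samAccount not found in $userDomain" }

foreach ($domain in $domains) {
    Write-Host "Direct memberships of $samAccount in $domain ..."
    $ctx = $null
    try {
        # One context per domain: GetGroups($ctx) returns the groups held in
        # that domain's store which list the user as a direct member.
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain,
            $domain, $cred.UserName, $cred.GetNetworkCredential().Password)
        $user.GetGroups($ctx) | ForEach-Object { $_.Name }
    }
    catch {
        # Report and continue: one unreachable domain should not abort the review.
        Write-Warning "$domain : $($_.Exception.Message)"
    }
    finally {
        if ($ctx) { $ctx.Dispose() }
    }
}
$homeCtx.Dispose()
```

Nested (transitive) membership is not expanded here; for that, the recursive ADSI approach the answer links to, or `GetAuthorizationGroups()` against the home context, is the usual next step.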