2
votes

Running the following cmdlet works for all users in the group membership (group in Amer domain), regardless of what domain the user listed resides in:

Get-ADGroupMember <group_name> -Server amer

However, when trying to get details on the users by piping to Get-ADUser, I get errors for the users in a different domain (EMEA) than the group (AMER):

Get-ADGroupMember <group_name> | Get-ADUser

Here is the error returned after each user in a different domain (error users in EMEA domain):

Get-ADUser : A referral was returned from the server
At line:1 char:46
+ Get-ADGroupMember GBL-Storage-Admin-NAS-L2-U|Get-ADUuser
+                                              ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (CN=EMASAN-    WARNE...C=pfizer,DC=com:ADUser) [Get-ADUser], ADReferralException
    + FullyQualifiedErrorId : A referral was returned from the     server,Microsoft.ActiveDirectory.Management.Commands.GetADUser

I can look up each error user by specifying Get-ADUser <user> -Server EMEA, but that is manual and painful when there are a lot of users.

How can I get the pipe to Get-ADUser to work with users in other domains?

3
That works, much thanks! Fragtzack

3 Answers

2
votes

Basically, you need to query a DC that holds the global catalog if you want to chase referrals to other domains (see here). DCs holding the global catalog can be determined like this:

$gc = Get-ADForest 'example.org' | Select-Object -Expand GlobalCatalogs -First 1

where example.org is the FQDN of your forest root domain.

2
votes

For the sake of clarity, currently, the native cmdlets do not have this capability. Selecting a global catalog does not allow you to chase referrals. As defined in your link --

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest.

You still appear to end up with a user object that you can use though so it's a good workaround.

2
votes

I managed a similar issue just by checking what the referral is, something like

try {
    Get-ADUser -Filter {samAccountName -eq "SomeUser"} -SearchBase "DC=other_city,DC=example,DC=com" -Server example.com
} Catch {
    $_.Exception.Referral
}

From its output I get a correct server for the user I asked for.
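
An added example, not code from any of the answers above: it resolves each member of the group either against the domain named in the member's own distinguished name (full attribute set) or, with a switch, against a global catalog on port 3268 (partial attribute set, as the quoted definition says). The function names `Convert-DnToDomainFqdn` and `Get-CrossDomainGroupUser` are hypothetical, and it assumes the ActiveDirectory module is installed and the member domains are reachable by their DNS names.

```powershell
# Added example; needs the ActiveDirectory module (RSAT). Function names are hypothetical.
Import-Module ActiveDirectory

function Convert-DnToDomainFqdn {
    # Builds the domain DNS name from the DC= components of a distinguished name.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas only, so "CN=Smith\, John" stays in one piece.
    $labels = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    $labels -join '.'
}

function Get-CrossDomainGroupUser {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$GroupServer,   # domain or DC holding the group
        [string[]]$Properties = @('Enabled', 'whenCreated'),
        [switch]$UseGlobalCatalog                     # returns the partial attribute set only
    )
    $gc = $null
    if ($UseGlobalCatalog) {
        # Assumption: the caller is logged on to the same forest as the group.
        $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    }
    Get-ADGroupMember -Identity $Group -Server $GroupServer |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $member = $_    # keep a reference; inside catch, $_ is the error record
            # 3268 is the global catalog LDAP port; otherwise ask the member's own domain.
            $server = if ($gc) { "${gc}:3268" }
                      else { Convert-DnToDomainFqdn $member.distinguishedName }
            try {
                Get-ADUser -Identity $member.distinguishedName -Server $server `
                    -Properties $Properties -ErrorAction Stop
            } catch {
                Write-Warning ("Lookup of {0} on {1} failed: {2}" -f
                    $member.distinguishedName, $server, $_.Exception.Message)
            }
        }
}

# Usage: replace the placeholder with the real group name from the question.
Get-CrossDomainGroupUser -Group '<group_name>' -GroupServer 'amer' |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

Nested groups and computer accounts are skipped by the `objectClass` filter, and a failed lookup is reported as a warning so that one unreachable domain does not hide the rest of the membership.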