3
votes

The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). This group 'zzapsdba_c' has a ForeignSecurityPrincipal account, which caused Get-ADGroupMember to error out. Note: I would need a solution using Microsoft PowerShell cmdlets. I already have an alternative solution using Get-QADGroupMember (Quest/Dell PowerShell cmdlets), which I do not wish to use because it is not native.

I am using PowerShell v4.0.

Here is my code that failed:

get-adgroupmember zzapsdba_c -server nw

Here is the error:

get-adgroupmember : An unspecified error has occurred
At line:1 char:1
+ get-adgroupmember zzapsdba_c -server nw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


1 Answers

5
votes

You should be able to get the members of the group by getting the members attribute and looking up those distinguished names. Like this:

Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw

I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.

If you still want to ignore the ForeignSecurityPrincipal objects then this should work.

Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }
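The same approach as a reusable function, given here as an added example that is not part of the original answer: it reads the Members attribute, resolves each DN, skips ForeignSecurityPrincipal objects by default, and with a switch lists them alongside the account name their SID maps to, so an access review can still see who they are. The function name `Get-GroupMemberSplit`, its `-IncludeForeign` switch and the `ForeignAccount` output column are hypothetical; it assumes the ActiveDirectory module is installed and that the trusted domain is reachable for SID translation.

```powershell
# Added example. Get-GroupMemberSplit and -IncludeForeign are hypothetical names.
Import-Module ActiveDirectory

function Get-GroupMemberSplit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Server,
        [switch]$IncludeForeign
    )

    # Read the raw member DNs instead of calling Get-ADGroupMember.
    $group = Get-ADGroup -Identity $Identity -Properties Members -Server $Server

    foreach ($dn in $group.Members) {
        try {
            $obj = Get-ADObject -Identity $dn -Properties objectSid -Server $Server -ErrorAction Stop
        }
        catch {
            # One unreadable member should not abort the whole listing.
            Write-Warning "Could not read member '$dn': $($_.Exception.Message)"
            continue
        }

        # -eq is case-insensitive, so this matches 'foreignSecurityPrincipal'.
        $isForeign = $obj.ObjectClass -eq 'ForeignSecurityPrincipal'
        if ($isForeign -and -not $IncludeForeign) { continue }

        $resolved = $null
        if ($isForeign) {
            # An FSP stands in for a SID from outside the domain; try to map it to a name.
            try {
                $resolved = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $resolved = '<unresolved>'   # orphaned SID or trust not reachable
            }
        }

        [pscustomobject]@{
            Name              = $obj.Name
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
            ForeignAccount    = $resolved
        }
    }
}

# Usage: native members only, then only the foreign principals.
Get-GroupMemberSplit -Identity zzapsdba_c -Server nw
Get-GroupMemberSplit -Identity zzapsdba_c -Server nw -IncludeForeign | Where-Object ForeignAccount
```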