Get Nested Local and Foreign Security Principles of AD Groups and Their Parent Group Using PowerShell

While working on a Citrix Cloud migration project in a multi-forest environment, there was a need to migrate existing AD group members that were used on-prem to Azure AD groups.

To do this, I needed to report of current group membership for all Citrix-published apps. There was also a requirement to know the parent group of each user since there were many randomly nested groups from the local domain and other domains from trusted forests that were not necessarily needed.

The challenge was that many of those groups had foreign principals (and possibley orphened) in other domains/forests as well as other nested groups:

Parent GroupUser/GroupDomain
Group AGroup
Example Group Structure

You would think Get-ADgroupMember with a -recursive switch should cater for such, however, the command only returns one or more principal objects that represent users, computers, or groups that are members of the specified group. It doesn’t return members of other trusted forests. It also will cause the cmdlet to return an unspecified error if any foreign principal member of the queried group is orphaned and no longer exists in their original domain.

The way around this is to use Get-ADGroup Cmdlet and look at the Member property.This propery lists the distiguishedname of all member of an AD group includeing foregin security principals.

Knowing this, we can pipe this data into Get-ADObject and get the Object SID. We can then use the SecurityIdentifier .Net class with the Translate Method to get the NTAccount Name from the SID.

From here we go and get the actual object from its original domain using an LDAPQuery. To do this, we workout the domain name using the NetBiosName

If the object is not found in its original domain, a PSObject is created with a set of properties and added to the results array

If the object is found and it was for a user object, we use LDAP to get the object properties from the original domain.

If the found object was a group, the function calls itself for the said group recursively

Finally, if the object was not a foreign security pricipal i.e. local to the domain of its parent group, we use Get-ADObject as normal to fetch the data

The function can be downloaded from my Github Repo. Examples of usage can be found in the function help.

Happy scripting!

Get Nested Local and Foreign Security Principles of AD Groups and Their Parent Group Using PowerShell

Cloud | EUC | Virtualisation | Enterprise Mobility | DevOps | Automation | Part-Time Blogger | Fitness

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: