Get-ADGroupMember $Group fails when $Group contains principals from other domains

Solution 1:

Active Directory Powershell cmdlets such as Get-ADGroupMember use Active Directory Web Services (ADWS).

A statement such as

"it works fine when I run the command locally on the server, but it fails when I run it from a remote server"

is often a red flag that the underlying problem is Kerberos Delegation.

Many services take advantage of Kerberos delegation, and ADWS is no exception.

So let's look at my Kerberos ticket-granting-ticket (TGT):

C:\> klist tgt

Current LogonId is 0:0x95ec6

Cached TGT:

ServiceName        : krbtgt
TargetName (SPN)   : krbtgt
ClientName         : Administrator
DomainName         : FABTOSO.COM
TargetDomainName   : FABTOSO.COM
AltTargetDomainName: FABTOSO.COM
Ticket Flags       : 0xe10000 -> renewable initial pre_authent name_canonicalize
Session Key        : KeyType 0x12 - AES-256-CTS-HMAC-SHA1-96
                   : KeyLength 32 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
StartTime          : 4/21/2016 18:42:34 (local)
EndTime            : 4/22/2016 4:42:34 (local)
RenewUntil         : 4/28/2016 18:42:34 (local)
TimeSkew           :  + 0:00 minute(s)
EncodedTicket      : (size: 1109)
0000  61 82 04 51 30 82 04 4d:a0 03 02 01 05 a1 0d 1b  a..Q0..M........
0010  0b 46 41 42 54 4f 53 4f:2e 43 4f 4d a2 20 30 1e  .FABTOSO.COM. 0.
0020  a0 03 02 01 02 a1 17 30:15 1b 06 6b 72 62 74 67  .......0...krbtg
0030  74 1b 0b 46 41 42 54 4f:53 4f 2e 43 4f 4d a3 82  t..FABTOSO.COM..
0040  04 13 30 82 04 0f a0 03:02 01 12 a1 03 02 01 02  ..0.............
.........

Turn your attention toward the Ticket Flags field. Something is missing. This ticket is not forwardable.

Why would a ticket not be forwardable?

delegation

I uncheck that checkbox, flush my Kerberos tickets with klist purge, get a new tgt by performing any sort of network activity that requires getting a new tgt if I don't already have one, (gpupdate is a good example,) inspect the TGT again, and I notice that it now includes the forwardable flag.

Now the Powershell cmdlet works as expected from a member server.

When the group contains security principals (users or groups) from another domain, a referral is returned that must be chased. In order to chase that referral, ADWS must impersonate the user who made the original call. If Kerberos delegation is disabled on that user account, impersonation/delegation cannot happen.

Solution 2:

This behavior has changed with recent Windows Server security updates.

  • Changes to Ticket-Granting Ticket (TGT) Delegation Across Trusts in Windows Server (PFE edition)
  • Updates to TGT delegation across incoming trusts in Windows Server
  • Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No

The secure default is now to disable TGT Delegation across forest trusts. Because of this Get-ADGroupMember will fail on groups with cross-forest Foreign Security Principals until Microsoft decides to fix the issue. Until then, one workaround is to use: Get-ADGroup -Properties member