Incomplete results when querying Active Directory for group members in a situation with trust relationships

Tags: active-directory, dsquery

We are attempting to query Active Directory for a list of all machines that are members of a group, along with information like OperatingSystem attributes. We can't get results for every member of the group.

Environment details:

  • Multiple domain controllers, running Windows Server 2003 and 2008 R2.
  • Multiple domains, with a trust relationship between domains.
  • Running the AD queries from a Windows Server 2008 R2 machine.
  • The account querying AD is "a local admin account, member of the domain,
    with admin privs on that server."
  • We've been informed that some machines "are members of the group via a trust relationship."

Our current test group, "Group-99", has two machines: FOO10 and FOO11.

When we query for group members, we receive the expected result, a list of all machines in the group:

PS > dsquery group -name "Group-99" | dsget group -members

"CN=FOO10,OU=Domain Controllers,DC=activedirdev,DC=widgetco,DC=com"
"CN=FOO11,OU=Portland,OU=Domain Controllers,DC=activedirdev,DC=widgetco,DC=com"

We then query for DNSHostName and OperatingSystem, but can only receive results for one of the two machines:

PS > dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(sAMAccountName=FOO11$))" -attr sAMAccountName operatingSystem
sAMAccountName    operatingSystem
FOO11$            Windows Server 2008 R2 Standard

PS > dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(sAMAccountName=FOO10$))" -attr sAMAccountName operatingSystem
PS >

None of us are Active Directory wizards, so we are unsure where the problem lies. Adjusting the Active Directory setup is not possible.

Can you help us figure out how to get the information we need, or if it's even possible to get it?

Follow-up clarification: Our perfect result would be a way to issue one query that will return results for all group members, no matter what domain they are on. Something like:

PS > dsquery (stuff)
CN        operatingSystem
FOO10     Windows Server 2008 R2 Standard
FOO11     Windows Server 2003

Best Answer

The object you are querying looks like it exists in another domain. When you run DSQuery without specifying the server or domain you want to contact, you will automatically bind to the domain you logged into. This object may be in another domain.

To get the missing object, try

dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(sAMAccountName=FOO10$))" -attr sAMAccountName operatingSystem -d activedirdev.widgetco.com

Ref: http://technet.microsoft.com/en-us/library/cc754232.aspx
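One way to get the single cross-domain listing the follow-up asks for, as an added example that is not part of the question or the answer: take each member DN that dsget returns, derive the member's own domain from its DC= components, and bind to that domain rather than the logon domain (the same fix the answer applies with -d). It assumes the group name and DN layout from the question and uses the [ADSI] adapter instead of parsing dsquery's column output.

```powershell
# Added example, not from the original question or answer. Lists every member of a
# group with operatingSystem and dNSHostName by binding each member to its OWN domain
# (taken from the DC= parts of its DN) instead of the logon domain, which is the same
# fix as dsquery's -d switch. Group name defaults to the question's Group-99.
param([string]$GroupName = "Group-99")

# "CN=FOO10,OU=Domain Controllers,DC=activedirdev,DC=widgetco,DC=com" -> "activedirdev.widgetco.com"
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DN)
    $dc = [regex]::Matches($DN, '(?i)DC=([^,]+)') | ForEach-Object { $_.Groups[1].Value }
    return ($dc -join '.')
}

# dsget prints one double-quoted DN per line; strip the quotes and blank lines.
$memberDNs = dsquery group -name $GroupName | dsget group -members |
             ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }

$results = foreach ($dn in $memberDNs) {
    $domain = Get-DomainFromDN -DN $dn
    try {
        # LDAP://<domain>/<DN> makes the DC locator pick a DC of that domain; the
        # querying account still needs a trust path and read rights there.
        $entry = [ADSI]"LDAP://$domain/$dn"
        [pscustomobject]@{
            CN              = [string]$entry.Properties['cn'].Value
            OperatingSystem = [string]$entry.Properties['operatingSystem'].Value
            DNSHostName     = [string]$entry.Properties['dNSHostName'].Value
            Domain          = $domain
        }
    } catch {
        # Typical causes: no trust path to that domain, or a foreign-security-principal
        # placeholder DN (CN=S-1-5-...,CN=ForeignSecurityPrincipals,...) that is not
        # the real computer object.
        [pscustomobject]@{
            CN              = $dn
            OperatingSystem = "<unreadable: $($_.Exception.Message)>"
            DNSHostName     = ''
            Domain          = $domain
        }
    }
}

$results | Format-Table -AutoSize
```

A row marked unreadable tells you which domain the bind failed against, which is usually the trust or permission side of the problem rather than the query itself.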