Windows – Get-ADGroupMember $Group fails when $Group contains principals from other domains

active-directorypowershellwindows

I've noticed that when I use Powershell to get the group membership of an Active Directory domain security group, the Powershell cmdlet Get-ADGroupMember $Group fails with the error message:

PS C:\> get-adgroupmember MyGroup
get-adgroupmember : An operations error occurred
At line:1 char:1
+ get-adgroupmember MyGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MyGroup:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

I have tried specifying the -server $DC parameter so that the cmdlet targets a specific DC, and then I check the Security logs on that DC as I reproduce the error and no relevant security failure audits are generated. I turned up all the Diagnostics registry entries in the services\NTDS\Diagnostics key and that doesn't produce anything interesting in the Directory Services logs either.

If I remove the group members that reside in the other domain from MyGroup, the cmdlet works no problem.

Interestingly, I notice that if I run the command locally on the DC itself, it works. But when I run the command remotely from a member server, using the same user account, (who is a Domain Admin,) it fails.

Any idea what's wrong?

Best Answer

Active Directory Powershell cmdlets such as Get-ADGroupMember use Active Directory Web Services (ADWS).

A statement such as

"it works fine when I run the command locally on the server, but it fails when I run it from a remote server"

is often a red flag that the underlying problem is Kerberos Delegation.

Many services take advantage of Kerberos delegation, and ADWS is no exception.

So let's look at my Kerberos ticket-granting-ticket (TGT): 

C:\> klist tgt

Current LogonId is 0:0x95ec6

Cached TGT:

ServiceName        : krbtgt
TargetName (SPN)   : krbtgt
ClientName         : Administrator
DomainName         : FABTOSO.COM
TargetDomainName   : FABTOSO.COM
AltTargetDomainName: FABTOSO.COM
Ticket Flags       : 0xe10000 -> renewable initial pre_authent name_canonicalize
Session Key        : KeyType 0x12 - AES-256-CTS-HMAC-SHA1-96
                   : KeyLength 32 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
StartTime          : 4/21/2016 18:42:34 (local)
EndTime            : 4/22/2016 4:42:34 (local)
RenewUntil         : 4/28/2016 18:42:34 (local)
TimeSkew           :  + 0:00 minute(s)
EncodedTicket      : (size: 1109)
0000  61 82 04 51 30 82 04 4d:a0 03 02 01 05 a1 0d 1b  a..Q0..M........
0010  0b 46 41 42 54 4f 53 4f:2e 43 4f 4d a2 20 30 1e  .FABTOSO.COM. 0.
0020  a0 03 02 01 02 a1 17 30:15 1b 06 6b 72 62 74 67  .......0...krbtg
0030  74 1b 0b 46 41 42 54 4f:53 4f 2e 43 4f 4d a3 82  t..FABTOSO.COM..
0040  04 13 30 82 04 0f a0 03:02 01 12 a1 03 02 01 02  ..0.............
.........

Turn your attention toward the Ticket Flags field. Something is missing. This ticket is not forwardable.

Why would a ticket not be forwardable?

delegation

I uncheck that checkbox, flush my Kerberos tickets with klist purge, get a new tgt by performing any sort of network activity that requires getting a new tgt if I don't already have one, (gpupdate is a good example,) inspect the TGT again, and I notice that it now includes the forwardable flag.

Now the Powershell cmdlet works as expected from a member server.

When the group contains security principals (users or groups) from another domain, a referral is returned that must be chased. In order to chase that referral, ADWS must impersonate the user who made the original call. If Kerberos delegation is disabled on that user account, impersonation/delegation cannot happen.

Related Topic