Get-ADPrincipalGroupMembership acros forest RRS feed

  • Question

  • Hello I am trying to find out the groups a user belongs across domains and forests.

    The BE.LOCAL and EMEA.LOCAL domains both are member of the LOCAL forest. 

    There is a trust between the LOCAL forest and the contoso.com forest.

    I manage to find the groups when remaining in the LOCAL forest. This script lists the EMEA groups "BE\John Doe" is member of.

    Get-ADPrincipalGroupMembership -Identity  "CN=Doe \, John \, SAMID,OU=HR,OU=Common,OU=USER,DC=be,DC=local" -ResourceContextServer emea.local -Server be.local

    But when I run this script on contoso.com 

     Get-ADPrincipalGroupMembership -Identity  "CN=Doe \, John \, SAMID,OU=HR,OU=Common,OU=USER,DC=be,DC=local" -ResourceContextServer contoso.com -Server be.local


    I get this error message:

    Does any one have a suggestion?

    Thank you!

    Get-ADPrincipalGroupMembership : The operation being requested was not performed because the user has not been authenticated

    At line:1 char:2

    +  Get-ADPrincipalGroupMembership -Identity  "CN=DOE \ ...

    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        + CategoryInfo          : NotSpecified: (CN=DOE \, ...,DC=be,DC=local:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException

        + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

    Friday, November 30, 2018 12:10 PM