Re: Dsget group members SID
Each time an object from a trusted domain is added to an AD group in your
domain, a foreign security principal is created in the
ForeignSecurityPrincipal container in the trusting domain.
I ran into the same issue a few years back. I was able to get around it by
dumping the SIDs to a text file, and then using that text file to search for
the SIDs in the Foreign Security Principal container.
I suggest you dump the SIDs to a text file, and then use the For command to
loop through that text file to run ADFind. You can use the SID as the filter
in ADFind. For example:
For /f "delims=&" %I in (List.txt) do Adfind -b dc=domain,dc=com -f "objectSid=%I" displayName -csv
I have to admit that it was a few years back that I had to do this, so I am
going by memory. If you cannot get it to work, let me know and I will bring
up a VM and find out what I did to get it to work in the past.
--
JPolicelli, MVP - Directory Services
This posting is provided AS IS with no warranties and confers no rights.
Always plan and test.
http://johnpolicelli.wordpress.com/
----
"Jeremy Smith" <[email protected]> wrote in message
news:c8670d93-57b9-4a0a-827b-6d413b7bc016@x14g2000yqk.googlegroups.com...
> When I run Dsget on a group to get its members, all of the users that
> are from a trusted domain show as SIDs. I'd like to get the display
> name like I do for users that are local to the domain. If I pull the
> group up in AD Users and Computers it auto resolves the name for the
> trusted domain. Only thought I have is to connect to the trusted
> domain and resolve the SID to the name. Any thoughts on what I can do
> that may be easier?
>
> Thanks
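
The workaround described in the post above (dump the member SIDs to a text file, then resolve each one), as an added PowerShell example that is not from any poster in this thread. It assumes a file named List.txt with one SID per line and, instead of ADFind, uses the .NET SecurityIdentifier.Translate call so that Windows resolves each SID across the trust; the function name and the output file name are hypothetical.

```powershell
# Added example: resolve SIDs (one per line in List.txt, an assumed file name)
# to DOMAIN\name form. Run from a domain-joined machine that can reach the
# trusted domain.
function Resolve-SidList {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    foreach ($line in Get-Content -Path $Path) {
        $sidText = $line.Trim()
        if (-not $sidText) { continue }    # skip blank lines

        $result = [pscustomobject]@{
            Sid    = $sidText
            Name   = $null
            Status = 'Resolved'
        }

        try {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)
            $result.Name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No mapping came back: typically the account was deleted in the
            # trusted domain, or that domain could not be reached.
            $result.Status = 'Unresolved'
        }
        catch {
            # Malformed SID text or any other failure; keep the reason.
            $result.Status = 'Error: ' + $_.Exception.Message
        }

        $result    # emit one row per input SID, resolved or not
    }
}

# Members.csv is an assumed output name.
Resolve-SidList -Path .\List.txt |
    Export-Csv -Path .\Members.csv -NoTypeInformation
```

Rows with Status 'Unresolved' are worth reviewing: a foreign security principal whose SID no longer maps to an account still holds the group membership.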
Re: Dsget group members SID
Jeremy,
what syntax are you using? dsget group with the -members switch seems to be
working for me. Alternatively, you might want to pipe the output to the
dsget user command to extract whatever parameters you might need...
hth
Marcin
"Jeremy Smith" <[email protected]> wrote in message
news:c8670d93-57b9-4a0a-827b-6d413b7bc016@x14g2000yqk.googlegroups.com...
> When I run Dsget on a group to get its members, all of the users that
> are from a trusted domain show as SIDs. I'd like to get the display
> name like I do for users that are local to the domain. If I pull the
> group up in AD Users and Computers it auto resolves the name for the
> trusted domain. Only thought I have is to connect to the trusted
> domain and resolve the SID to the name. Any thoughts on what I can do
> that may be easier?
>
> Thanks
Re: Dsget group members SID
Jeremy,
to clarify, this works for domains within the same forest. If your trusted
domain is part of a separate forest, this approach will not work. You can
use the workaround described by John in his post - or, if you have at least
one Windows Server 2008 Domain Controller, you can query for the value of
msDS-PrincipalName attribute (adfind from joeware.net would be able to
extract this info for you)...
hth
Marcin
"Marcin" <[email protected]> wrote in message
news:[email protected]...
> Jeremy,
> what syntax are you using? dsget group with the -members switch seems to
> be working for me. Alternatively, you might want to pipe the output to the
> dsget user command to extract whatever parameters you might need...
>
> hth
> Marcin
>
>
> "Jeremy Smith" <[email protected]> wrote in message
> news:c8670d93-57b9-4a0a-827b-6d413b7bc016@x14g2000yqk.googlegroups.com...
>> When I run Dsget on a group to get its members, all of the users that
>> are from a trusted domain show as SIDs. I'd like to get the display
>> name like I do for users that are local to the domain. If I pull the
>> group up in AD Users and Computers it auto resolves the name for the
>> trusted domain. Only thought I have is to connect to the trusted
>> domain and resolve the SID to the name. Any thoughts on what I can do
>> that may be easier?
>>
>> Thanks
>
>