Unable to retrieve cross domain users with get-adgroupmember -recursive

Question

I am tasked to provide a list of AD group members from a number of AD groups and export it to .csv. If any of the AD groups in question has even one cross-domain user, my script fails.

Get-ADGroupMember : An operations error occurred
At C:\users\user1\desktop\ps2.ps1:5 char:1
Get-ADGroupMember -recursive $group | ForEach-Object {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Amazing-ADGroup:ADGroup) [Get-ADGroupMember], AD
   Exception
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

My script then exports all of the AD Groups I need but does not populate the users that belong to different domain

The AD is like:

Parent-Domain
Sub-Domain1 -> has all the AD Groups I am querying
Sub-Domain2
Sub-Domain3
Sub-Domain4

I have tried everything I could online from other's having the same problem as me but couldn't make it work for my case.

$Groups = Get-ADGroup -Filter * -SearchBase 'OU=,OU=,OU=,DC=,DC=,DC='
$Groups | ForEach-Object {
$group = $_.Name
$members = $null
    Get-ADGroupMember -recursive $group | ForEach-Object {
        If($members) {
              $members=$members + ";" + $_.Name
           } Else {
              $members=$_.Name
           }
  }
New-Object -TypeName PSObject -Property @{
      GroupName = $group
      Members = $members
     }
} | Export-CSV "C:\temp\AD-Group-Members.csv" -NoTypeInformation -Encoding UTF8

Answer 1

I think this is not a problem in your powershell script, but of the scope of the groups. The group scope has to be 'universal', to get the members from other domains.

You could also try to query the global catalog.If your domaincontroller has also the global catalog activated, you can query him with the "Server" parameter. The global gatalog normally listens on port 3268

Get-ADGroupMember -Identity $group -Recursive -Server domaincontroller.domain.com:3268