Get-ADGroupMember and foreign security principal
I have put together a few PowerShell commands to list the users in our domain's BUILTIN\Administrators group and our Domain Admins group. This is nice if you want to audit who has god-like permissions in the environment.
To get these lists for all domains in the forest:
$f = Get-ADForest                  # ActiveDirectory module cmdlet (get-forest is not a cmdlet)
$f.Domains | ForEach-Object {       # ForEach-Object is required to run the script block once per domain
    $domain = $_
    $admin = "admin-" + $domain + ".csv"
    $da = "da-" + $domain + ".csv"
    get-adgroup administrators -server $domain | get-adgroupmember -recursive | select name,samaccountname | export-csv $admin
    get-adgroup "domain admins" -server $domain | get-adgroupmember -recursive | select name,samaccountname | export-csv $da
}
This gives CSV files of the users who have permissions in these 2 groups, for every domain in the forest.
Great information for auditors, or for an admin who wants to see who has power.
Now, I have a problem.
In one of the BUILTIN\Administrators groups, we have a foreign security principal that was left there a long time ago when we migrated a forest. When Get-ADGroupMember runs against the Administrators group in that domain, it fails. The script works like a charm everywhere else.
Has anyone else come across PowerShell issues around foreign security principals?
Any ideas on how to work around this?
Obviously the first idea is to delete the foreign object. We are debating this, but I'm not comfortable doing it yet.
Please help if you can.
Thanks
Tom.
Thanks for everyone's responses; we found our optimal solution. We got approval to remove the foreign security objects.
Yan, your solution looked feasible; however, the Get-ADGroupMember command fails before getting to each statement.
Mario, the error received is below. I caught the error one last time today before we removed the objects from the groups..... Since we have removed the objects, I am not able to continue investigating the solution.
Thanks again to everyone who gave this thought!! Moving on now...
Tom
---------- error received when attempting to list group members of the group that contained the foreign security object ---------
get-adgroupmember : server unable process request due internal error. more information error, either turn on includeexceptiondetailinfaults (either servicebehaviorattribute or <servicedebug> configuration behavior) on server in order send exception information client, or turn on tracing per microsoft .net framework 3.0 sdk documentation , inspect server trace logs.
@ d:\software\scripts\ad\administrators\get-admingroupmembers.ps1:12 char:62
+ get-adgroup administrators -server $d | get-adgroupmember <<<< -recursive | select name,samaccountname,distinguishedname | sort name | export-csv $adminexp
+ categoryinfo : notspecified: (cn=administrato...stworlds,dc=com:adgroup) [get-adgroupmember], adexception
+ fullyqualifiederrorid : server unable process request due internal error. more information error, either turn on includeexceptiondetailinfaults (either servicebehaviorattribute or <servicedebug> configuration behavior) on server in order send exception information client, or turn on tracing per microsoft .net framework 3.0 sdk documentation , inspect server trace logs.,microsoft.activedirectory.management.commands.getadgroupmember
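The thread describes two things: the per-domain export loop, and Get-ADGroupMember -Recursive aborting when a group holds an orphaned foreign security principal. The script below is an added example, not Tom's script or a Microsoft-supplied one. It reads each group's raw member attribute and resolves members itself, so an unresolvable member becomes a row in the CSV (with a note) instead of a terminating error, and it flags foreign security principals whose SID no longer translates. It assumes the ActiveDirectory module, PowerShell 5 or later (for the HashSet constructor), read access to every domain in the forest, and the two group names shown; the CSV naming scheme and column names are constructed here.

```powershell
# Added example (not the original poster's script). Assumes the ActiveDirectory module,
# PowerShell 5+, and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-DomainFromDn {
    # Derive the DNS domain name from the DC= components of a distinguished name, so each
    # member is looked up against a DC of the domain that actually holds the object.
    param([Parameter(Mandatory)][string] $Dn)
    $parts = ($Dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_ -replace '^DC=', '' }
    return ($parts -join '.')
}

function Expand-GroupMembers {
    # Recursive expansion that reads the raw 'member' attribute instead of relying on
    # Get-ADGroupMember -Recursive. One member that cannot be resolved (for example an orphaned
    # foreign security principal) is emitted as an 'unresolved' row rather than aborting the run.
    param(
        [Parameter(Mandatory)][string] $GroupDn,
        [System.Collections.Generic.HashSet[string]] $Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    $server = Get-DomainFromDn -Dn $GroupDn
    $group  = Get-ADGroup -Identity $GroupDn -Server $server -Properties member

    foreach ($dn in $group.member) {
        if (-not $Seen.Add($dn)) { continue }   # already visited: breaks nested-group cycles
        try {
            $obj = Get-ADObject -Identity $dn -Server (Get-DomainFromDn -Dn $dn) `
                       -Properties objectClass, objectSid, sAMAccountName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Name = $dn; SamAccountName = ''; Type = 'unresolved'; Note = $_.Exception.Message }
            continue
        }
        switch ($obj.objectClass) {
            'group' {
                Expand-GroupMembers -GroupDn $dn -Seen $Seen
            }
            'foreignSecurityPrincipal' {
                # Translate the SID to an account name. This fails when the source domain or trust
                # no longer exists, which is exactly the orphaned object an auditor wants flagged.
                try {
                    $note = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $note = 'SID does not resolve; likely orphaned from a removed domain or trust'
                }
                [pscustomobject]@{ Name = $obj.Name; SamAccountName = ''; Type = 'foreignSecurityPrincipal'; Note = $note }
            }
            default {
                [pscustomobject]@{ Name = $obj.Name; SamAccountName = $obj.sAMAccountName; Type = $obj.objectClass; Note = '' }
            }
        }
    }
}

# One CSV per group per domain, e.g. Administrators-corp.example.com.csv (naming scheme constructed here).
$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    foreach ($groupName in 'Administrators', 'Domain Admins') {
        $group = Get-ADGroup -Identity $groupName -Server $domain
        $file  = '{0}-{1}.csv' -f ($groupName -replace ' ', ''), $domain
        Expand-GroupMembers -GroupDn $group.DistinguishedName |
            Sort-Object Type, Name |
            Export-Csv -Path $file -NoTypeInformation
    }
}
```

Rows with Type set to foreignSecurityPrincipal or unresolved are the ones to review: an FSP whose SID no longer translates is a stale entry in a privileged group and should be cleaned up once its origin is understood, while a resolvable FSP is a live cross-forest trust grant that belongs on the audit list alongside the local accounts.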