We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain we started seeing errors with Get-ADGroupMembership for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.
netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No
PowerShell command that fails:
Get-ADGroupMember "account operators" -Server otherdomain.local
dsget variant of it that works:
dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members
Error:
Get-ADGroupMember : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. At line:1 char:1+ Get-ADGroupMember "account operators" -Server otherdomain.local+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Full error:
Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the<serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter) at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroup Member(GetADGroupMemberRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException faultException) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Ma nagement.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request) at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive) at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSR outine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()