Auditors are asking questions about the ACLs on certain groups in a couple of different domains. I have put together a script that returns the information I need for our primary domain (Accounts) but can't seem to get it to switch to another domain (Medco) to get the ACLs for those groups. How do I switch the Get-Acl cmdlet to read the information from that other domain?
Get-Content 'U:\ad\scripts\Scripts - Input\ADGroup Permissions - Medco.txt' | ForEach-Object {
    $OutputG = $_
    # The group is resolved against the Medco domain, but the path still names the default AD: drive
    $Group = "AD:" + (Get-ADgroup $_ -Server Medco).distinguishedname
    (Get-Acl $Group).access |
        Where-Object {
            $_.ActiveDirectoryRights -like "*write*" -or
            $_.ActiveDirectoryRights -like "*delete*"
        } |
        Sort-Object IdentityReference |
        # ActiveDirectoryRights is a single flags enum ("WriteProperty, GenericWrite"), not an array,
        # so split its string form on ", " before joining with ";"
        Select-Object identityreference,
            @{L='Access'; E={($_.ActiveDirectoryRights.ToString() -split ',\s*') -join ";"}},
            @{"n"="Group";"e"={"$OutputG"}}
} | Export-csv ".\Scripts - Output\ACL_Medco_$CurrentDate.csv" -NoTypeInformation   # $CurrentDate is set in the part not shown
The scenario is that I'm reading group names from a .txt file for specific domains and then using ForEach-Object to pass each group name to Get-ADGroup to get the distinguishedName, which I then use in Get-Acl. The first set of groups, for the primary domain, returns the information correctly (not showing that part). I know the groups exist in the next domain, but the problem is that Get-Acl for it throws an error saying
Get-Acl : Cannot find path 'AD:CN=Medco Infrastructure & Security,OU=Recipients -
Distribution Lists,OU=Legacy Exchange 5.5,OU=Exchange,DC=medco,DC=com' because it
does not exist.
At line:4 char:4
+ (Get-Acl $Group).access
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
+ FullyQualifiedErrorId : GetAcl_PathNotFound_Exception, Microsoft.PowerShell.Commands.GetAclCommand
You should use New-PSDrive to create a new ActiveDirectory provider drive instead of the default AD: drive, and then query that new drive rather than the default one. For example:
New-PSDrive -Name AD2 -PSProvider ActiveDirectory -Server 'DC.medco.com' -root "//RootDSE/"
$Group = 'AD2:' + (Get-ADgroup $_ -Server Medco).distinguishedname
(Get-Acl $Group).access |
. . .
If you want to assign the server dynamically, you can use something like
(Get-ADDomainController -DomainName 'medco.com' -Discover).hostName
and, if needed, you can get the domain name from the existing distinguishedName.
If you have more than two domains, then you should use Remove-PSDrive before creating a new drive with the same name. It would be best to group the AD groups per domain to minimize the add/remove commands.
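A worked version of that approach, added here as an example and not part of the answer above: one ActiveDirectory provider drive per domain, a discovered domain controller as the server, the drive removed again in a finally block, and the write/delete filter widened to GenericAll, which grants both without containing either word. The domain names, group names and output path are placeholders (assumptions, not from the page); the ActiveDirectory module and read access to each domain are assumed.

```powershell
# Added example (not from the question or answer above): audit write/delete ACEs on
# groups spread across several domains, using one ActiveDirectory PSDrive per domain.
# Assumptions (illustrative, not from the page): the ActiveDirectory module is installed,
# the running account can read the groups in every domain, and the domain and group
# names below are placeholders to replace with your own.
Import-Module ActiveDirectory

# Constructed sample input. In the real script, fill this from the per-domain .txt files,
# e.g. $GroupsByDomain['medco.com'] = Get-Content '...\ADGroup Permissions - Medco.txt'
$GroupsByDomain = @{
    'accounts.example.com' = @('Finance Admins', 'HR Readers')
    'medco.com'            = @('Medco Infrastructure & Security')
}

$OutputFile = ".\Scripts - Output\ACL_AllDomains_$(Get-Date -Format yyyyMMdd).csv"

# Rights that let a principal change or remove the object. 'Write' also covers WriteDacl and
# WriteOwner; GenericAll is listed explicitly because it grants everything yet matches neither word.
$RiskyRights = 'Write|Delete|GenericAll'

function Get-GroupWriteAces {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$GroupNames
    )

    # -Discover locates a DC in the target domain; -Service ADWS makes sure it runs the
    # AD Web Services the module talks to. HostName is a property collection, hence [string].
    $Dc = [string](Get-ADDomainController -DomainName $Domain -Discover -Service ADWS).HostName

    # PSDrive names cannot contain dots, so derive a safe name from the domain.
    $DriveName = 'AD_' + ($Domain -replace '[^A-Za-z0-9]', '_')
    if (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveName
    }
    $null = New-PSDrive -Name $DriveName -PSProvider ActiveDirectory -Server $Dc -Root '//RootDSE/'

    try {
        foreach ($GroupName in $GroupNames) {
            try {
                $Group = Get-ADGroup -Identity $GroupName -Server $Dc -ErrorAction Stop
            } catch {
                Write-Warning "${Domain}\${GroupName}: $($_.Exception.Message)"
                continue
            }
            # The path must name the per-domain drive, not AD:, otherwise Get-Acl looks in the
            # domain the default drive is bound to and fails with 'Cannot find path'.
            $Path = "${DriveName}:\$($Group.DistinguishedName)"
            (Get-Acl -Path $Path).Access |
                Where-Object { $_.ActiveDirectoryRights -match $RiskyRights } |
                Sort-Object IdentityReference |
                Select-Object @{n='Domain'; e={ $Domain }},
                              @{n='Group';  e={ $GroupName }},
                              IdentityReference,
                              AccessControlType,
                              @{n='Access'; e={ ($_.ActiveDirectoryRights.ToString() -split ',\s*') -join ';' }},
                              @{n='ObjectType'; e={ $_.ObjectType }},
                              IsInherited
        }
    } finally {
        # Drop the drive so the next domain (or a re-run) can create it cleanly.
        Remove-PSDrive -Name $DriveName -ErrorAction SilentlyContinue
    }
}

$Results = foreach ($Domain in $GroupsByDomain.Keys) {
    Get-GroupWriteAces -Domain $Domain -GroupNames $GroupsByDomain[$Domain]
}
$Results | Export-Csv -Path $OutputFile -NoTypeInformation
```

The ObjectType column matters for the auditors: a WriteProperty ACE scoped to a single attribute GUID (for example the member attribute) is a very different finding from an unscoped WriteProperty, and AccessControlType distinguishes allow from deny entries that the original filter would have reported the same way.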