ADMT Migration breaks groups with trusted domain members

Jay Griffin 1 Reputation point
2020-08-11T21:11:01.687+00:00

I am preparing and testing to do an ADMT migration from a trusted forest migrating to a child domain. I migrated some users as a test. Some of our web applications broke when the app tried to check group membership. I did not change any groups - I only migrated user accounts.

Source: SourceDomain.Com
Trusted: ParentDomain.com
Target: Child.ParentDomain.com

Groups are domain local in ParentDomain.com and contain users from Sourcedomain.com.
User accounts migrated from SourceDomain.com to Child.ParentDomain.com

The groups (in ParentDomain.com) that were broken were groups that contained user accounts from the trusted forest (SourceDomain.com) and those user accounts were migrated to the child domain with SID History enabled.

I could replicate the problem in PowerShell with Get-ADGroupMember. If the group contained a user account from the trusted forest that I had migrated to the child domain, Get-ADGroupMember fails with:

    Get-adgroupmember : An unspecified error has occurred
    At line:1 char:1
    + Get-adgroupmember -Identity TestGroupSeed
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (TestGroupSeed:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

If I remove the user from the group, Get-ADGroupMember works. Add it back, it fails. This is a domain local group and the user account is the original account from the trusted forest.

Through testing I discovered if I migrate a user without SID History, it does not break Get-ADGroupMember.

My desire is to migrate the users with SID History and not break our existing domain local groups. Any suggestions?

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-08-12T11:01:39.8+00:00

    Hello
    Thank you for posting here.

    Maybe the link below explains the situation you mentioned; it seems it is by design. But you do not need to perform the solution.

    Get-ADGroupMember returns error for domain local group to members from remote forests
    https://support.microsoft.com/en-us/help/3171600/get-adgroupmember-returns-error-for-domain-local-group-to-members-from

    And I did two tests in my lab:

    Two forests (Fabrikam.com and a.com) have two-way forest trust.

    Test one
    Fabrikam.com: usertest3
    A.com: group1 (usertest3 is the member in group1)

    I migrated usertest3 with SID history from fabrikam.com to a.com, then ran the command below on a DC in the domain named a.com, and I got the same error as you.

    [screenshot: Get-ADGroupMember output]

    But I can log on to a machine with usertest3 in fabrikam successfully.

    Test two
    Fabrikam.com: u3
    A.com: group1 (u3 is the member in group1)

    I deleted u3 in fabrikam.com. Then I ran the command on a DC in the domain named a.com:

    [screenshot: command output]

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-08-13T06:24:49.5+00:00

    Hello @Jay Griffin ,

    Thank you for your update.

    Sure, I understand that you do not want to remove the users in source domain. Would you please tell us what issue you have except Get-ADGroupMember failure?

    It seems the important (or the only) issue is that the migrated users in the new domain cannot access the resources in the old domain without SID history.

    For more information, we can refer to the link below.

    Security Considerations for Trusts
    https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)?redirectedfrom=MSDN

    Meanwhile, we can get the AD group (the domain local group with users in the source domain) in the target domain (Child.ParentDomain.com) with the command below (the display names of the migrated users are their SIDs in the source domain instead of friendly display names).

    Get-ADGroup -Identity <group name> -Properties Members -Server <DC name> | Select-Object -ExpandProperty Members | Get-ADObject -Server <DC name>

    For example:

    Get-ADGroup -Identity group1 -Properties Members -Server 2019standard | Select-Object -ExpandProperty Members | Get-ADObject -Server 2019standard
    [screenshot: command output]

    Best Regards,
    Daisy Zhou

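The Get-ADGroup | Get-ADObject pipeline from the answer above can be extended into an audit of a domain local group whose Get-ADGroupMember call fails: read the Members attribute directly, and for each foreignSecurityPrincipal try to resolve the foreign SID through the trust and look for a migrated account in the target domain that carries that SID in sIDHistory. This is an added example, not code from the thread; the group name, DC name and target domain are placeholders.

```powershell
# Added example (not from the thread). Placeholders: TestGroupSeed (group in the
# parent domain), ParentDC01 (a DC holding the group), Child.ParentDomain.com
# (the domain the users were migrated into).
Import-Module ActiveDirectory

function Get-GroupMembersWithForeignSids {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $GroupServer,     # DC in the domain that holds the group
        [Parameter(Mandatory)] [string] $MigrationDomain  # domain the users were migrated into
    )

    # Read the Members attribute instead of calling Get-ADGroupMember, which fails
    # for domain local groups holding members from a remote forest (KB 3171600).
    $group = Get-ADGroup -Identity $GroupName -Properties Members -Server $GroupServer

    foreach ($dn in $group.Members) {
        $obj = Get-ADObject -Identity $dn -Server $GroupServer -Properties objectSid, objectClass

        $result = [ordered]@{
            Member       = $obj.Name
            Class        = $obj.ObjectClass
            ResolvesTo   = $null
            MigratedUser = $null
        }

        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            $sid = $obj.objectSid

            # Resolve the SID through the trust; this fails when the source account
            # is gone or the trusted domain cannot be reached.
            try   { $result.ResolvesTo = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $result.ResolvesTo = 'unresolved' }

            # An ADMT-migrated account keeps the source SID in sIDHistory, so the
            # same SID appearing here shows which member was already migrated.
            $migrated = Get-ADUser -Filter "sIDHistory -eq '$($sid.Value)'" -Server $MigrationDomain
            if ($migrated) { $result.MigratedUser = $migrated.UserPrincipalName }
        }

        [pscustomobject]$result
    }
}

Get-GroupMembersWithForeignSids -GroupName 'TestGroupSeed' -GroupServer 'ParentDC01' `
    -MigrationDomain 'Child.ParentDomain.com' | Format-Table -AutoSize
```

Rows with a populated MigratedUser column are the members that make Get-ADGroupMember fail in the scenario above; rows marked unresolved with no MigratedUser are stale foreign principals worth reviewing separately.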