Get-ADGroupMember returns error for domain local group to members from remote forests


Assume that you use the Get-ADGroupMember cmdlet to identify the members of a group in Active Directory Domain Services (AD DS). However, when you run the cmdlet for a domain local group, the following error is returned:

Get-ADGroupMember -verbose -identity "CN=Test-Local1,OU=Test Accounts,DC=contoso,DC=com"

Get-ADGroupMember : An unspecified error has occurred

At line:1 char:1

+ Get-ADGroupMember -verbose -identity "CN=Test-Local1,OU=Test Accounts,DC=contoso ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Test-Local1,...bertm-w7,DC=com:ADGroup) [Get-ADGroupMember], ADExcepti

onon    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


This issue occurs if the group has a member from another forest whose account has been removed from the account forest. The member is represented in the local domain by a Foreign Security Principal (FSP). In the LDIFDE export of the group, a membership is shown as follows:
dn: CN=Test-Local1,OU=Test Accounts,DC=contoso,DC=com




When the source account with the SID is deleted, the FSP is not updated or removed to reflect this deletion. You must manually verify that these FSP references are removed.


To resolve this issue, enable logging for the resolution requests that concern these SIDs and that are performed by the Active Directory Webservice. In this way, you can identify the accounts that fail resolution. To do this, run the Get-ADGroupMember cmdlet on the domain controller of (where the placeholder represents the domain in question).

To enable logging, run the following command lines:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force 

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force

Please remember turning the logging off when you have the log:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
You will see a file that's named c:\windows\debug\lsp.log, which tracks the SID-Name resolution attempts. When you rerun the cmdlet on the domain controller where the cmdlet was executed, the file will log the failures and will resemble the following:

LspDsLookup - Entering function LsapLookupSidsLspDsLookup - LookupSids request for 1 SIDs with level=1, mappedcount=0, options=0x0, clientRevision=2 is being processed. SIDs are;LspDsLookup -         Sids[ 0 ] = S-1-5-21-3110691720-3620623707-1182478234-698540LspDsLookup -   Requestor details: Local Machine, Process ID = 1408, Process Name = C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeLspDsLookup - Entering function LsapDbLookupSidsUsingIdentityCacheLspDsLookup - 1 sids remain unmappedLspDsLookup - Exiting function LsapDbLookupSidsUsingIdentityCache with status 0x0LspDsLookup - LookupSids chain request (using Netlogon) to \\ for 1 sids will be made with level=6, mappedcount=0, options=0x0, serverRevision=0. Sids are;LspDsLookup -         Sids[ 0 ] = S-1-5-21-3110691720-3620623707-1182478234-698540LspDsLookup - Lookup request (using Netlogon) to \\ returned with 0xc0000073 and mappedcount=0, serverRevision=0LspDsLookup - Exiting function LsapLookupSids with status 0xc0000073
Check for the following items to verify that this is the relevant section for this problem (in the preceding sample output):
  • The process is C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.
  • The request is sent to a domain controller in a different forest—for example,
  • The return code is 0xc0000073, which equals STATUS_NONE_MAPPED.

To find the FSP object, run the following command (replace domain names and SIDs):
get-AdObject -Searchbase "CN=ForeignSecurityPrincipals,DC=contoso,DC=com" -ldapfilter "(cn=S-1-5-21-3110691720-3620623707-1182478234-698540)"

The original object for this FSP no longer exists, so you can safely delete it. Doing this will also remove it from all groups that it's a member of:

get-AdObject -Searchbase "CN=ForeignSecurityPrincipals,DC=contoso,DC=com" -ldapfilter "(cn=S-1-5-21-3110691720-3620623707-1182478234-698540)" | Remove-AdObject -Confirm:$false


ID Artikel: 3171600 - Tinjauan Terakhir: 23 Jun 2016 - Revisi: 1