# Get-DomainForeignUser ## SYNOPSIS Enumerates users who are in groups outside of the user's domain. This is a domain's "outgoing" access. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: Get-Domain, Get-DomainUser ## SYNTAX ``` Get-DomainForeignUser [[-Domain] ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] ``` ## DESCRIPTION Uses Get-DomainUser to enumerate all users for the current (or target) domain, then calculates the given user's domain name based on the user's distinguishedName. This domain name is compared to the queried domain, and the user object is output if they differ. ## EXAMPLES ### -------------------------- EXAMPLE 1 -------------------------- ``` Get-DomainForeignUser ``` Return all users in the current domain who are in groups not in the current domain. ### -------------------------- EXAMPLE 2 -------------------------- ``` Get-DomainForeignUser -Domain dev.testlab.local ``` Return all users in the dev.testlab.local domain who are in groups not in the dev.testlab.local domain. ### -------------------------- EXAMPLE 3 -------------------------- ``` $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force ``` $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred Return all users in the dev.testlab.local domain who are in groups not in the dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and using the specified alternate credentials. ## PARAMETERS ### -Domain Specifies the domain to use for the query, defaults to the current domain. ```yaml Type: String Parameter Sets: (All) Aliases: Name Required: False Position: 1 Default value: None Accept pipeline input: True (ByPropertyName, ByValue) Accept wildcard characters: False ``` ### -LDAPFilter Specifies an LDAP query string that is used to filter Active Directory objects. ```yaml Type: String Parameter Sets: (All) Aliases: Filter Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -Properties Specifies the properties of the output object to retrieve from the server. ```yaml Type: String[] Parameter Sets: (All) Aliases: Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -SearchBase The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" Useful for OU queries. ```yaml Type: String Parameter Sets: (All) Aliases: ADSPath Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -Server Specifies an Active Directory server (domain controller) to bind to. ```yaml Type: String Parameter Sets: (All) Aliases: DomainController Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -SearchScope Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). ```yaml Type: String Parameter Sets: (All) Aliases: Required: False Position: Named Default value: Subtree Accept pipeline input: False Accept wildcard characters: False ``` ### -ResultPageSize Specifies the PageSize to set for the LDAP searcher object. ```yaml Type: Int32 Parameter Sets: (All) Aliases: Required: False Position: Named Default value: 200 Accept pipeline input: False Accept wildcard characters: False ``` ### -ServerTimeLimit Specifies the maximum amount of time the server spends searching. Default of 120 seconds. ```yaml Type: Int32 Parameter Sets: (All) Aliases: Required: False Position: Named Default value: 0 Accept pipeline input: False Accept wildcard characters: False ``` ### -SecurityMasks Specifies an option for examining security information of a directory object. One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. ```yaml Type: String Parameter Sets: (All) Aliases: Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -Tombstone Switch. Specifies that the searcher should also return deleted/tombstoned objects. ```yaml Type: SwitchParameter Parameter Sets: (All) Aliases: Required: False Position: Named Default value: False Accept pipeline input: False Accept wildcard characters: False ``` ### -Credential A \[Management.Automation.PSCredential\] object of alternate credentials for connection to the target domain. ```yaml Type: PSCredential Parameter Sets: (All) Aliases: Required: False Position: Named Default value: [Management.Automation.PSCredential]::Empty Accept pipeline input: False Accept wildcard characters: False ``` ## INPUTS ## OUTPUTS ### PowerView.ForeignUser Custom PSObject with translated user property fields. ## NOTES ## RELATED LINKS