Get-GroupMember

function ConvertFrom-FCP {
    [CmdletBinding()][OutputType([Microsoft.ActiveDirectory.Management.ADObject])]
    param (
        [Parameter(Mandatory, Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)][string]$DistinguishedName
    )
    begin {
        if (-not (Get-Variable -Name FCPMa[p] -Scope Script)) { [hashtable]$script:FCPMap = @{ } }
    }
    process {
        trap {
            $script:FCPMap[$SID] = $null
            return
        }
        [string]$SID = $DistinguishedName -replace '\ACN=(S-[-0-9]+).*', '$1'
        if ($script:FCPMap.ContainsKey($SID)) {
            if ($script:FCPMap[$SID]) { $script:FCPMap[$SID] }
        } else {
            [string]$SAM = [System.Security.Principal.SecurityIdentifier]::new($SID).Translate([System.Security.Principal.NTAccount]).Value
            $Domain, $SamAccountName = $SAM -split '\\'
            $SamAccountName = $SamAccountName -replace '\A ', '\20'
            $script:FCPMap[$SID] = Get-ADObject -Filter 'SamAccountName -eq $SamAccountName' -Server $Domain -Property SamAccountName -ErrorAction Ignore
            if ($script:FCPMap[$SID]) { $script:FCPMap[$SID] }
        }
    }
} # function ConvertFrom-FCP

filter Skip-Null { $_ | ? { $_ -ne $null } }

function Get-GroupMember {
    # Gets AD group membership
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, Position = 0)]$Identity,
        [Parameter(Position = 1)][string]$Server
    )
    if (-not (Get-Variable -Name DNMa[p] -Scope Script)) { [hashtable]$Script:DNMap = @{ } }
    $GetADGroupParams = @{ Identity = $Identity; ErrorAction = 'Stop' }
    $GetADObjectParams = @{ ErrorAction = 'Ignore'; Property = 'SamAccountName' }
    if ($PSBoundParameters.ContainsKey('Server')) {
        $GetADGroupParams.Server = $Server
        $GetADObjectParams.Server = $Server
    }
    try {
        # Get-ADGroupMember will fail if the group contains any ForeignSecurityPrincipal objects
        $Members = Get-ADGroupMember @GetADGroupParams
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        throw
    } catch {
        # Write-Verbose "Get-ADGroupMember failed. Falling back to Get-ADGroup -Property Member..."
        $Members = Get-ADGroup @GetADGroupParams -Properties Member | Select-Object -ExpandProperty Member | % {
            trap { return }
            if (-not $DNMap.ContainsKey($_)) {
                $DNMap[$_] = Get-ADObject -Identity $_ @GetADObjectParams
            }
            $DNMap[$_]
        } | Skip-Null
    }
    $Members = $Members | % {
        [PSCustomObject]@{
            SamAccountName = $_ | Select-Object SamAccountName | Select-Object -ExpandProperty SamAccountName
            DistinguishedName = $_.DistinguishedName
            ObjectClass = $_.ObjectClass
        }
    }
    # The following is an attempt to prevent the FCP process from taking too long, as can happen
    # when the domain containing the account is not responding.
    # Set the limit to 2 seconds per lookup, which should be more than enough
    $FCPMaxSeconds = [System.Math]::Min(((@($Members | ? ObjectClass -EQ 'foreignSecurityPrincipal').Count + 1) * 2), 150)
    $Timer = [System.Diagnostics.Stopwatch]::StartNew()
    $Members | ? ObjectClass -EQ 'foreignSecurityPrincipal' -pv One |
    ? { $Timer.Elapsed.TotalSeconds -le $FCPMaxSeconds } |
    ConvertFrom-FCP | % {
        $One.SamAccountName = $_ | Select-Object SamAccountName | Select-Object -ExpandProperty SamAccountName
        $One.DistinguishedName = $_.DistinguishedName
        $One.ObjectClass = $_.ObjectClass
    }
    $Members | ? ObjectClass -NE 'foreignSecurityPrincipal'
}