PowerShell TIP – Add members to a group in different domain

I was working on automating few Active directory groups using powershell, I encountered a issue where my scripting solution was running in one domain

but the group resides in another domain. Below powershell command was resulting in error as by default AD module searches on the domain from which it is running.

Add-ADGroupMember -identity “groupName” -members “userid”
Even if you are using Distinguished Name than also same error is encountered.
Here is the TIP that you can use to avoid this error. This is 3 step process than you need to implant in your script to get it rolling.

 

  • First step is to get the user object using AD module get-aduser command and direct it to the domain where the it exists.

$getmemberobject = get-aduser -Filter “UserPrincipalName -eq ‘$upn'” -server $domainwhereexists

  • Second step is to get the group object in the same way using get-adgroup direct it to the domain using the server parameter.

$getgroupobject = get-adgroup -identity $groupinparticulardoamin -server $domainwhereexists

 

  • Ones above two steps are done, you can use your ADD-ADGroupmember cmdlet like below with distinguished name properties and directing it to the domain where this operation should happen.

Add-ADGroupMember -identity $getgroupobject.DistinguishedName -members $getmemberobject.DistinguishedName -server $domainwhereexists

Update: 9/29/202 as tested by Aston, use object instead of property (as many have encountered errors using the property)

Add-ADGroupMember -identity $getgroupobject -members $getmemberobject -server $domainwhereexists

By following above you can work in multi domain environment using the native Active Directory powerShell module.
I hope this TIP will resolve the issue, if you are developing a solution and are in similar situation.

 

I have tested the approach in parent child domain but I am sure this will work in other Active directory forest Scenarios.

 

 

Thanks for reading

 

Sukhija Vikas

13 thoughts on “PowerShell TIP – Add members to a group in different domain

  1. I have two domain with one-way trust relationship. I can get the member object and group object. But in the last command I got error:

    Add-ADGroupMember : Cannot find an object with identity: ‘CN=xxxx ….. under: ‘DC=DOMAIN,DC=COM’.

    Is it expected result and any work around? Thanks.

  2. Same error for me. I am following the above steps to drop the objects into variables then using the properties of each object to try and join it to the group but it fails saying it cannot find the object under the domain where the group exists.

  3. I got the same error messages as everyone else here. But I got around it by not dot-walking to .distinguishedName, which would just be getting the field value rather than the object. That’s unnecessary seeing as getting the object itself works for -identity.

    So instead my last line was just:
    Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject

    Complete script for adding people to a cross-domain group from a
    import-module ActiveDirectory

    $CSVPath = “C:\Reports\Test users.csv”

    $GroupName = ‘Group-Name-Here’

    Import-Csv -Path $CSVPath | ForEach-Object {
    $GetMemberObject = Get-ADUser -Identity $_.distinguishedName -server userdomain.com
    $GetGroupObject = Get-ADGroup -Identity $GroupName -server groupdomain.com

    Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
    }

    • I suppose I should add, for the newbies, that the CSV has a column with a header of ‘distinguishedName’, which is what $_.distinguishedName refers to.

      You could make the column name whatever you want in the CSV, just refer to it as $_.columnname after importing the CSV.

      • Hey Elizabet

        Add-ADGroupMember accepts users, groups and computer objects under the -member parameter. I would imagine that the below would work. The literal only thing I changed is Get-ADUser to Get-ADGroup and you’d search for the group distinguished names instead of user distinguished names:

        $CSVPath = “C:\Reports\Test users.csv”

        $GroupName = ‘Group-Name-Here’

        Import-Csv -Path $CSVPath | ForEach-Object {
        $GetMemberObject = Get-ADGroup -Identity $_.distinguishedName -server membergroupdomain.com
        $GetGroupObject = Get-ADGroup -Identity $GroupName -server groupdomain.com

        Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
        }

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s