PowerShell TIP – Add members to a group in different domain

I was working on automating a few Active Directory groups using PowerShell and ran into an issue where my scripting solution was running in one domain but the group resides in another domain. The PowerShell command below resulted in an error because, by default, the AD module searches the domain it is running from.

Add-ADGroupMember -Identity "groupName" -Members "userid"
Even if you use the Distinguished Name, the same error is encountered.
Here is the tip you can use to avoid this error. It is a 3-step process that you need to implement in your script to get it rolling.

 

  • The first step is to get the user object using the AD module's Get-ADUser cmdlet, directing it to the domain where the user exists.

$getmemberobject = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $domainwhereexists

  • The second step is to get the group object in the same way, using Get-ADGroup directed to the domain via the -Server parameter.

$getgroupobject = Get-ADGroup -Identity $groupinparticulardomain -Server $domainwhereexists

 

  • Once the above two steps are done, you can use the Add-ADGroupMember cmdlet as below with the DistinguishedName properties, directing it to the domain where this operation should happen.

Add-ADGroupMember -Identity $getgroupobject.DistinguishedName -Members $getmemberobject.DistinguishedName -Server $domainwhereexists

Update (9/29/202): as tested by Aston, pass the objects themselves instead of their DistinguishedName property, as many readers have encountered errors when using the property:

Add-ADGroupMember -Identity $getgroupobject -Members $getmemberobject -Server $domainwhereexists

By following the above, you can work in a multi-domain environment using the native Active Directory PowerShell module.
I hope this tip resolves the issue if you are developing a solution and find yourself in a similar situation.

 

I have tested the approach in a parent-child domain setup, but I am sure this will work in other Active Directory forest scenarios.

 

 

Thanks for reading

 

Sukhija Vikas

17 thoughts on "PowerShell TIP – Add members to a group in different domain"

  1. I have two domains with a one-way trust relationship. I can get the member object and the group object, but in the last command I got an error:

    Add-ADGroupMember : Cannot find an object with identity: ‘CN=xxxx ….. under: ‘DC=DOMAIN,DC=COM’.

    Is this the expected result, and is there any workaround? Thanks.

  2. Same error for me. I am following the above steps to put the objects into variables, then using the properties of each object to try to join it to the group, but it fails saying it cannot find the object under the domain where the group exists.

  3. I got the same error messages as everyone else here. But I got around it by not dot-walking to .distinguishedName, which would just be getting the field value rather than the object. That's unnecessary, seeing as getting the object itself works for -Identity.

    So instead my last line was just:
    Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject

    Complete script for adding people to a cross-domain group from a
    Import-Module ActiveDirectory

    $CSVPath = "C:\Reports\Test users.csv"

    $GroupName = 'Group-Name-Here'

    Import-Csv -Path $CSVPath | ForEach-Object {
        # Resolve the user in its own domain and the group in the group's domain
        $GetMemberObject = Get-ADUser -Identity $_.distinguishedName -Server userdomain.com
        $GetGroupObject = Get-ADGroup -Identity $GroupName -Server groupdomain.com

        Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
    }

    • I suppose I should add, for the newbies, that the CSV has a column with a header of ‘distinguishedName’, which is what $_.distinguishedName refers to.

      You could make the column name whatever you want in the CSV, just refer to it as $_.columnname after importing the CSV.

      • Hey Elizabet

        Add-ADGroupMember accepts user, group and computer objects under the -Members parameter. I would imagine that the below would work. The only thing I literally changed is Get-ADUser to Get-ADGroup, and you'd search for the group distinguished names instead of user distinguished names:

        $CSVPath = "C:\Reports\Test users.csv"

        $GroupName = 'Group-Name-Here'

        Import-Csv -Path $CSVPath | ForEach-Object {
            # Each CSV row holds the distinguished name of a group to nest
            $GetMemberObject = Get-ADGroup -Identity $_.distinguishedName -Server membergroupdomain.com
            $GetGroupObject = Get-ADGroup -Identity $GroupName -Server groupdomain.com

            Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
        }

  4. While copying the text from the script to PowerShell, the quotes around the string were changed to another ASCII value, resulting in an empty filter result.
    You can avoid this by replacing the single quotes around $upn, or by using the following line instead:
    $getmemberobject = get-aduser -Filter {(UserPrincipalName -eq $upn)} -server $domainwhereexists

  5. Hi guys,

    What if before adding the users to the group you need to check if they’re already members? What will the syntax be in this case?

    Thanks,
    Adrian

    • You can use the Get-ADUserMemberOf function from the VS admin module, or use the same code below (change it as per your domain parameters; it's just a sample):
      try {
          $GroupDN = (Get-ADGroup $Group).DistinguishedName
          $UserDN = (Get-ADUser $User).DistinguishedName
          # Recursive match returns the user only if it is a (nested) member of the group
          $Getaduser = Get-ADUser -Filter "memberOf -RecursiveMatch '$GroupDN'" -SearchBase $UserDN
          if ($Getaduser) {
              $true
          }
          else {
              $false
          }
      }
      catch {
          # Lookup failed (object not found, no access, etc.)
          Write-Warning $_
      }

    • Hello Adrian. You can read the current group members first and put them in an array, then check with the -contains operator whether a user is already in the group.

      $MyGroup = "MyADGroup" #Example
      $DN = "OU=Domain Users,OU=Users" #Example
      $GroupMembers = Get-ADGroup -Identity $MyGroup -Properties Members
      $MyMembers = $GroupMembers.Members
      [Array]$myUsers = @()
      $user = ""

      $myUsers = (Get-ADUser -Filter { (Enabled -eq $true) } -SearchBase $DN) #Example

      foreach ($user in $myUsers) {
          if ($MyMembers -contains $user.DistinguishedName) {
              # Do nothing
              Write-Host -Fore Yellow "Already there " $user.CN
          }
          else {
              # Add user to group here
          }
      }
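The post's three steps combined with the "check before adding" question from comment 5, as an added example that is not part of the original post or its comments; the function name, its parameters and the sample domain, user and group names are assumptions. It assumes both domains are in one forest (as in the author's parent-child test), where the group's member attribute holds the user's actual DN; a member from another forest is stored as a foreign security principal and would not match this check.

```powershell
# Added example, not the post's own code. Names and parameters are hypothetical.
Import-Module ActiveDirectory

function Add-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$UserDomain,   # DNS name of the domain holding the user
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$GroupDomain   # DNS name of the domain holding the group
    )

    # Step 1: resolve the user against its own domain. The script-block filter
    # avoids the curly-quote problem described in comment 4.
    $member = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Server $UserDomain
    if (-not $member) { throw "User '$UserPrincipalName' not found in $UserDomain" }

    # Step 2: resolve the group against the domain that holds it, and fetch its
    # 'member' attribute so membership can be checked without a second query.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member
    if (-not $group) { throw "Group '$GroupName' not found in $GroupDomain" }

    # Membership check: the group's own domain is authoritative for 'member';
    # a user's memberOf back-link is not maintained by the other domain's DCs.
    if ($group.member -contains $member.DistinguishedName) {
        Write-Verbose "$($member.SamAccountName) is already a member of $GroupName; nothing to do"
        return
    }

    # Step 3: pass the objects (not their DN strings) and target the group's domain.
    if ($PSCmdlet.ShouldProcess("$GroupName in $GroupDomain", "Add $UserPrincipalName")) {
        Add-ADGroupMember -Identity $group -Members $member -Server $GroupDomain
        Write-Verbose "Added $($member.SamAccountName) to $GroupName in $GroupDomain"
    }
}

# Constructed sample call; all names are placeholders. -WhatIf shows the change without applying it.
Add-CrossDomainGroupMember -UserPrincipalName 'jdoe@child.example.com' -UserDomain 'child.example.com' `
    -GroupName 'App-Admins' -GroupDomain 'example.com' -Verbose -WhatIf
```

Because the function only adds when the DN is absent from the group's member attribute, it can be re-run safely over a CSV of users without producing duplicate-member errors.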
