I was working on automating a few Active Directory groups using PowerShell and ran into an issue: my scripting solution was running in one domain
but the group resided in another domain. The PowerShell command below resulted in an error because, by default, the AD module searches the domain it is running from.

- The first step is to get the user object using the AD module's Get-ADUser command and direct it to the domain where the user exists.
$getmemberobject = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $domainwhereexists
- The second step is to get the group object in the same way using Get-ADGroup, directing it to the group's domain with the -Server parameter.
$getgroupobject = Get-ADGroup -Identity $groupinparticulardomain -Server $domainwhereexists
- Once the above two steps are done, you can use the Add-ADGroupMember cmdlet as below with the DistinguishedName properties, directing it to the domain where this operation should happen.
Add-ADGroupMember -Identity $getgroupobject.DistinguishedName -Members $getmemberobject.DistinguishedName -Server $domainwhereexists
Update: 9/29/202 as tested by Aston, use the object instead of the property (many have encountered errors using the property).
Add-ADGroupMember -Identity $getgroupobject -Members $getmemberobject -Server $domainwhereexists

I have two domains with a one-way trust relationship. I can get the member object and group object. But in the last command I got an error:
Add-ADGroupMember : Cannot find an object with identity: ‘CN=xxxx ….. under: ‘DC=DOMAIN,DC=COM’.
Is this the expected result, and is there any workaround? Thanks.
I got the same error as @legendgod after following steps.
Add-ADGroupMember : Cannot find an object with identity:
Are you able to add members using the GUI, by changing the domain from AD Users and Computers?
I am able to add a member using the GUI by changing the domain. But I got the same error.
It's strange, as it's working fine for me using the DN and pointing to the destination domain.
Add-ADGroupMember -identity $getgroupobject.DistinguishedName -members $getmemberobject.DistinguishedName -server $domainwhereexists
Same error for me. I am following the above steps to drop the objects into variables then using the properties of each object to try and join it to the group but it fails saying it cannot find the object under the domain where the group exists.
Are you getting the group as well as the member by pointing the server parameter to the domain where it exists?
I will try again to simulate it, but I did it for one of the customers with a multi-domain trusted environment and it's working, as I have not heard any complaints.
I got the same error messages as everyone else here. But I got around it by not dot-walking to .distinguishedName, which would just be getting the field value rather than the object. That’s unnecessary seeing as getting the object itself works for -identity.
So instead my last line was just:
Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
Complete script for adding people to a cross-domain group from a
Import-Module ActiveDirectory
$CSVPath = "C:\Reports\Test users.csv"
$GroupName = 'Group-Name-Here'
Import-Csv -Path $CSVPath | ForEach-Object {
    # Resolve the user and the group on the domain that holds each of them
    $GetMemberObject = Get-ADUser -Identity $_.distinguishedName -Server userdomain.com
    $GetGroupObject = Get-ADGroup -Identity $GroupName -Server groupdomain.com
    # Pass the objects themselves, not their DistinguishedName strings
    Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
}
Good, as others are looking at the answer and I was not getting time to look at it. Will update the post.
I suppose I should add, for the newbies, that the CSV has a column with a header of ‘distinguishedName’, which is what $_.distinguishedName refers to.
You could make the column name whatever you want in the CSV, just refer to it as $_.columnname after importing the CSV.
Hi Aston. Thanks for your information sharing.
I have a question. How can I add a group to the same group in a different domain?
Many thanks.
Hey Elizabet
Add-ADGroupMember accepts users, groups and computer objects under the -member parameter. I would imagine that the below would work. The literal only thing I changed is Get-ADUser to Get-ADGroup and you’d search for the group distinguished names instead of user distinguished names:
$CSVPath = "C:\Reports\Test users.csv"
$GroupName = 'Group-Name-Here'
Import-Csv -Path $CSVPath | ForEach-Object {
    # The member is itself a group here, resolved on its own domain
    $GetMemberObject = Get-ADGroup -Identity $_.distinguishedName -Server membergroupdomain.com
    $GetGroupObject = Get-ADGroup -Identity $GroupName -Server groupdomain.com
    Add-ADGroupMember -Identity $GetGroupObject -Members $GetMemberObject
}
While copying the text from the script to PowerShell, the quotes around the string were changed to another ASCII value, resulting in an empty filter result.
You can avoid this by replacing the single quotes around $upn. Or by using the following line instead:
$getmemberobject = get-aduser -Filter {(UserPrincipalName -eq $upn)} -server $domainwhereexists
Hi guys,
What if before adding the users to the group you need to check if they’re already members? What will the syntax be in this case?
thanks,
Adrian
You can use the Get-ADUserMemberOf function from the vs admin module, or use the same code below: (change it as per domain parameters — it's just a sample.)
try {
    $GroupDN = (Get-ADGroup $Group).DistinguishedName
    $UserDN = (Get-ADUser $User).DistinguishedName
    # -RecursiveMatch also follows nested group membership
    $Getaduser = Get-ADUser -Filter "memberOf -RecursiveMatch '$GroupDN'" -SearchBase $UserDN
    If ($Getaduser) {
        $true
    }
    Else {
        $false
    }
}
catch {
    # Errors are swallowed here, so a failed lookup returns nothing
}
Hello Adrian. You can read the current group members first and put them in an array, and then check with the “-contains” option whether a user is already in the group.
$MyGroup = "MyADGroup" #Example
$DN = "OU=Domain Users,OU=Users" #Example
$GroupMembers = Get-ADGroup -Identity $MyGroup -Properties Members
$MyMembers = $GroupMembers.Members
[Array]$myUsers = @()
$user = ""
$myUsers = (Get-ADUser -Filter {(Enabled -eq $true)} -SearchBase $DN) #Example
foreach ($user in $myUsers) {
    if ($MyMembers -contains $user.DistinguishedName) {
        #Do nothing
        # Name is returned by default; CN would need -Properties CN
        Write-Host -Fore Yellow "Already there " $user.Name
    }
    else {
        #Add user to group here
    }
}
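
The post's three steps and the "already a member?" check asked about in the comments, combined into one function. This is an added example, not code from the post or its commenters; the function name, parameter names and the sample domain names are assumptions. It also goes one step beyond the thread by recognising members stored as foreign security principals and by rejecting Global groups up front.

```powershell
# Added example. Function name, parameters and domain names are assumptions.
Import-Module ActiveDirectory

function Add-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$UserDomain,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$GroupDomain
    )
    # Resolve each object on the domain that holds it. The single-quoted filter
    # lets the AD module expand $Upn itself, so no inner quotes can be mangled.
    $users = @(Get-ADUser -Filter 'UserPrincipalName -eq $Upn' -Server $UserDomain)
    if ($users.Count -ne 1) { throw "Expected one user '$Upn' in $UserDomain, found $($users.Count)." }
    $user  = $users[0]
    $group = Get-ADGroup -Identity $GroupName -Properties Members -Server $GroupDomain -ErrorAction Stop

    # Global groups only accept members from their own domain, so fail early
    # with a clear message instead of a directory error.
    $userNc  = $user.DistinguishedName  -replace '^.*?,(?=DC=)', ''
    $groupNc = $group.DistinguishedName -replace '^.*?,(?=DC=)', ''
    if ($group.GroupScope -eq 'Global' -and $userNc -ne $groupNc) {
        throw "'$GroupName' is a Global group and cannot hold members from $userNc."
    }

    # Same-forest members are stored by DN. Members from a trusted forest are
    # stored as a foreignSecurityPrincipal whose CN is the member's SID.
    $fspPrefix = "CN=$($user.SID.Value),CN=ForeignSecurityPrincipals,"
    $existing = $group.Members | Where-Object {
        $_ -eq $user.DistinguishedName -or $_ -like "$fspPrefix*"
    }
    if ($existing) {
        Write-Verbose "$Upn is already a member of $GroupName."
        return $false
    }
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add member $($user.DistinguishedName)")) {
        # Pass the objects rather than their DistinguishedName strings, as the
        # update in the post advises, and run the change on the group's domain.
        Add-ADGroupMember -Identity $group -Members $user -Server $GroupDomain -ErrorAction Stop
        return $true
    }
    return $false
}

# Constructed sample call with placeholder values (-WhatIf makes no change):
# Add-CrossDomainGroupMember -Upn 'jdoe@userdomain.com' -UserDomain 'userdomain.com' -GroupName 'Group-Name-Here' -GroupDomain 'groupdomain.com' -WhatIf
```

The function returns `$true` only when it actually added the member, so a CSV loop can count changes and log skipped or rejected rows separately.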