Need help. Cross-domain users fail when bulk-added to universal security groups

LaurB 1 Reputation point
2022-09-16T15:40:55.59+00:00

This is the script I am using and it is failing with the error: Add-ADGroupMember : The server is unwilling to process the request

# Import AD Module
Import-Module ActiveDirectory

# Import the data from CSV file and assign it to variable
$List = Import-Csv "C:\Temp\Test.csv"

# Retrieve every group name once, rather than on every pass through the loop
$ADGroups = Get-ADGroup -Filter * | Select-Object Name

Foreach ($User in $List) {
    # Retrieve UserSamAccountName and ADGroup
    $UserSam = $User.SamAccountName
    $Groups = $User.Group

    # Look the user up in the Global Catalog (forest-wide, port 3268)
    $ADUser = Get-ADUser -Filter "SamAccountName -eq '$UserSam'" -Server "fqdn of GC:3268" | Select-Object SamAccountName

    # User does not exist in AD
    if ($null -eq $ADUser) {
        Write-Host "$UserSam does not exist in AD" -ForegroundColor Red
        Continue
    }
    # User does not have a group specified in CSV file (Import-Csv yields "" for an empty cell, never $null)
    if ([string]::IsNullOrWhiteSpace($Groups)) {
        Write-Host "$UserSam has no group specified in CSV file" -ForegroundColor Yellow
        Continue
    }
    # Retrieve AD user group membership
    $ExistingGroups = Get-ADPrincipalGroupMembership $UserSam | Select-Object Name

    foreach ($Group in $Groups.Split(';')) {
        # Group does not exist in AD
        if ($ADGroups.Name -notcontains $Group) {
            Write-Host "$Group group does not exist in AD" -ForegroundColor Red
            Continue
        }
        # User already member of group
        if ($ExistingGroups.Name -contains $Group) {
            Write-Host "$UserSam already exists in group $Group" -ForegroundColor Yellow
        }
        else {
            # Add user to group: this is the call that fails with "The server is unwilling to process the request"
            Add-ADGroupMember -Identity $Group -Members $UserSam -Server "fqdn of GC:3268"
            Write-Host "Added $UserSam to $Group" -ForegroundColor Green
        }
    }
}


4 answers

  1. Rich Matheisen 46,551 Reputation points
    2022-09-16T19:13:26.253+00:00

    Do you really mean Cross-DOMAIN (i.e., in the same AD Forest), or Cross-FOREST (i.e., from a domain in a different AD Forest)?

    If they're from a different AD FOREST you'll have to add those users to a Domain Local group in your domain(s).

    But why ask a question about group membership (which PowerShell has nothing to do with) in a PowerShell group instead of an AD group??? It's the AD that dictates the rules!


  2. LaurB 1 Reputation point
    2022-09-16T19:21:03.8+00:00

    Rich, I am trying to add members from a different domain in the same forest into multiple universal security groups. The script is fine for adding members from the same domain, but if a member in the CSV is from a different domain I get the error I mentioned. This is the script I am using and it is failing with the error:

    Add-ADGroupMember : The server is unwilling to process the request
    At C:\Scripts\AddMembersToGroupsFromList.ps1:44 char:13
    +             Add-ADGroupMember -Identity $Group -Members $UserSam -Ser ...
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (SP-STL-IT-GRN-Visitors:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

  3. Andreas Baumgarten 107.9K Reputation points MVP
    2022-09-16T19:36:01.66+00:00

    As far as I know the Global Catalog is read-only. You could try the DC name for Add-ADGroupMember.
    Please modify this line:

    # From:
    Add-ADGroupMember -Identity $Group -Members $UserSam -Server "fqdn of GC:3268"

    # To:
    Add-ADGroupMember -Identity $Group -Members $UserSam -Server "fqdn of DC"

    Maybe this helps as well: https://learn.microsoft.com/en-us/powershell/module/activedirectory/add-adgroupmember?view=windowsserver2022-ps#example-4-add-a-user-from-a-domain-to-a-group-in-another-domain

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  4. Rich Matheisen 46,551 Reputation points
    2022-09-16T19:59:44.557+00:00

    @Andreas Baumgarten is correct: you cannot write to a GC. The GC contains only a select set of attributes for each object class, and those are replicated from domain controllers and other global catalog servers.

    I'd also caution you to select ONE DC in each domain to work with. This is because your PowerShell script will work more quickly than AD replication, and PowerShell may (and very often does) select a different DC/GC for each cmdlet. You may update one DC and then query another DC (or GC) before the change has replicated -- that will give you an incorrect answer if your script depends on an update made earlier in the script. You can't depend on an update you made to a DC in one domain (or even in the same domain) to appear in a GC immediately (or even within several minutes -- or perhaps longer if you have multiple AD sites).
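One way to put both of these answers into practice, as an added example that is neither the asker's script nor code from either answer author: it keeps the GC for read-only lookups only, works out each group's own domain from its distinguishedName, discovers one writable DC per domain once and reuses it for both the membership check and the write, and hands Add-ADGroupMember the user object (which carries the foreign DN) rather than a bare sAMAccountName. The CSV path and column names follow the question; forest, domain and DC names come from Get-ADForest and Get-ADDomainController in whatever environment runs it; the input-validation patterns and the warning messages are this example's own choices.

```powershell
# Added example (not the asker's script or the answer authors' code): write to a DC, never the GC,
# and pin one writable DC per domain for the whole run. Assumes the question's CSV layout
# (SamAccountName, Group with ';'-separated names) and that every domain is in one forest.
Import-Module ActiveDirectory

$CsvPath = 'C:\Temp\Test.csv'                                          # placeholder path from the question
$Forest  = Get-ADForest
$Gc      = "$($Forest.GlobalCatalogs | Select-Object -First 1):3268"   # GC: forest-wide, read-only lookups

# One writable DC per domain, discovered once and reused for every read *and* write, so a
# membership check never races the replication of a change made moments earlier.
$DcByDomain = @{}
function Get-PinnedDc {
    param([Parameter(Mandatory)][string]$DomainDnsName)
    if (-not $DcByDomain.ContainsKey($DomainDnsName)) {
        $dc = Get-ADDomainController -Discover -DomainName $DomainDnsName -Writable
        $DcByDomain[$DomainDnsName] = [string]($dc.HostName | Select-Object -First 1)
    }
    $DcByDomain[$DomainDnsName]
}

# "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "corp.example.com"
function Get-DomainFromDn {
    param([Parameter(Mandatory)][string]$Dn)
    (($Dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

foreach ($Row in (Import-Csv -Path $CsvPath)) {
    $Sam = "$($Row.SamAccountName)".Trim()
    # CSV content is untrusted input: reject anything that could alter the -Filter expression.
    if ($Sam -notmatch '^[A-Za-z0-9._-]+$') { Write-Warning "Skipping malformed SamAccountName '$Sam'"; continue }
    if ([string]::IsNullOrWhiteSpace($Row.Group)) { Write-Warning "$Sam has no group in CSV"; continue }

    # The GC covers the forest, but sAMAccountName is only unique per domain: an ambiguous hit is skipped, not guessed.
    $Users = @(Get-ADUser -Filter "SamAccountName -eq '$Sam'" -Server $Gc)
    if ($Users.Count -eq 0) { Write-Warning "$Sam not found in forest"; continue }
    if ($Users.Count -gt 1) { Write-Warning "$Sam is ambiguous: $($Users.DistinguishedName -join '; ')"; continue }
    $User       = $Users[0]
    $UserDomain = Get-DomainFromDn $User.DistinguishedName

    foreach ($GroupName in ($Row.Group -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($GroupName -notmatch '^[^''\\]+$') { Write-Warning "Skipping malformed group name '$GroupName'"; continue }
        $Hits = @(Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $Gc)
        if ($Hits.Count -ne 1) { Write-Warning "Group '$GroupName' not found, or ambiguous, in the GC"; continue }

        # Write to a DC in the *group's* domain and read the current member list from that same DC.
        $GroupDomain = Get-DomainFromDn $Hits[0].DistinguishedName
        $Dc    = Get-PinnedDc $GroupDomain
        $Group = Get-ADGroup -Identity $Hits[0].DistinguishedName -Server $Dc -Properties member

        # Global groups cannot hold principals from another domain; Universal and Domain Local groups can.
        if ($Group.GroupScope -eq 'Global' -and $UserDomain -ne $GroupDomain) {
            Write-Warning "'$GroupName' is a Global group; cannot add $Sam from $UserDomain"; continue
        }
        if ($Group.member -contains $User.DistinguishedName) {
            Write-Host "$Sam is already a member of $GroupName" -ForegroundColor Yellow; continue
        }
        # Pass the user object (its DN names the other domain); a bare sAMAccountName would be
        # resolved by the target DC inside its own domain and fail.
        Add-ADGroupMember -Identity $Group -Members $User -Server $Dc
        Write-Host "Added $Sam ($UserDomain) to $GroupName via $Dc" -ForegroundColor Green
    }
}
```

Reading the group's member attribute from the same pinned DC that receives the write is what makes the "already a member" check trustworthy within a single run; Get-ADPrincipalGroupMembership, as used in the question, walks memberships from the user's side and can report differently depending on which DC or GC answers. The Global-scope check is there because the error in the question also appears when the group, not the server, is the reason the membership is not allowed.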

