Adding/removing members from another forest or domain to groups in Active Directory
Adding or removing members that belong to the same domain as the group is simple with the AD PowerShell cmdlets: pass an identifier (sAMAccountName, distinguishedName, SID or objectGUID) of the member and of the group to one of the membership cmdlets:
· Add-ADGroupMember
· Remove-ADGroupMember
· Add-ADPrincipalGroupMembership
· Remove-ADPrincipalGroupMembership
Example:
C:\PS> Add-ADGroupMember SvcAccPSOGroup -Member SQL01, SQL02 ## Adds the accounts with sAMAccountNames SQL01 and SQL02 to the group SvcAccPSOGroup.
C:\PS> Remove-ADPrincipalGroupMembership -Identity "Wilson Pais" -MemberOf "Administrators" ## Removes the user 'Wilson Pais' from the Administrators group.
However, when it comes to adding and removing cross-forest or cross-domain members, things become a little more difficult. Trying a cross-forest/domain operation the regular way fails with an identity-not-found error.
The issue is that Add-ADGroupMember first resolves the identity supplied in its -Members parameter (Add-ADPrincipalGroupMembership does the same with -MemberOf) and only then updates the group membership. The identity is resolved against the server the cmdlet is connected to, ForestAAA, but the object actually lives in ForestBBB, so the lookup fails and the cmdlet throws an identity-not-found exception (ADIdentityNotFoundException).
The correct way to update cross-forest/domain membership is to first fetch the cross-forest/domain object with any of the AD PowerShell cmdlets (Get-ADUser, Get-ADGroup, Get-ADObject, ...) and then pass the fetched object itself, rather than just its name or DN, to the -Members or -MemberOf parameter of the membership cmdlets.
Example:
If you want to use Add-ADPrincipalGroupMembership instead, first fetch the group object and save it in a variable, then run Add-ADPrincipalGroupMembership with -Server pointing at ForestBBB, the forest where the member lives.
Here are the commands (the original post shows them as screenshots):
PS ForestAAA:\> $forestBBBUser = Get-ADUser swami -Server $forestBBB
PS ForestAAA:\> Add-ADGroupMember Administrators -Members $forestBBBUser
PS ForestAAA:\>
PS ForestAAA:\> $forestAAAGroup = Get-ADGroup Administrators
PS ForestAAA:\> Add-ADPrincipalGroupMembership -Server $forestBBB swami -MemberOf $forestAAAGroup
PS ForestAAA:\> Remove-ADPrincipalGroupMembership -Server $forestBBB swami -MemberOf $forestAAAGroup
Remove members from group
Do you want to remove all the specified member(s) from the specified group(s)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
The reason the above commands work is that the AD PowerShell cmdlets store session information in the objects they return.
The variable $forestBBBUser in the above example contains "server = $forestBBB" in its session information; this is stored internally and is not visible or accessible from the command line.
Add-ADGroupMember (and the other membership cmdlets) use this session information to resolve the identity in ForestBBB and then add it to the group in ForestAAA.
NOTE: In the above examples I have connected to the forest where the group resides.
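The following is an added example, not code from the original post or from the AD PowerShell team. It wraps the "fetch the foreign object on its own server, then pass the object" pattern in a function that handles both Add-ADGroupMember and Remove-ADGroupMember, and it verifies the result by reading the group's raw member attribute rather than calling Get-ADGroupMember, which cannot always resolve members that live in another forest. Within one forest the member attribute holds the member's own DN; across a forest trust it holds the DN of a foreignSecurityPrincipal object named after the member's SID, and such foreign security principals can only be members of domain local groups (Administrators, used in the post, is one), so this will fail for a global or universal group. The function and parameter names, and the server and account names in the usage lines, are placeholders assumed for the example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module is
# installed and the caller has rights on both the member's and the group's domain.
Import-Module ActiveDirectory

function Resolve-MemberObject {
    # Resolve a member (sAMAccountName or DN) on ITS OWN domain/forest. Get-ADObject
    # rather than Get-ADUser so that users, groups and computers all work. The returned
    # object carries "Server=<MemberServer>" in its internal session information, which
    # the membership cmdlets later use to resolve it; objectSid is fetched for the check.
    param(
        [Parameter(Mandatory=$true)][string] $Member,
        [Parameter(Mandatory=$true)][string] $MemberServer
    )
    if ($Member -match '^(CN|OU|DC)=') {
        $obj = Get-ADObject -Identity $Member -Server $MemberServer -Properties objectSid
    } else {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Member)" -Server $MemberServer -Properties objectSid
    }
    if (-not $obj) { throw "Member '$Member' not found on $MemberServer" }
    return $obj
}

function Set-CrossDomainGroupMembership {
    # Add or remove a member from a group that lives on a different domain or forest.
    param(
        [Parameter(Mandatory=$true)][string] $Member,        # sAMAccountName or DN of the member
        [Parameter(Mandatory=$true)][string] $MemberServer,  # DC or domain where the member lives
        [Parameter(Mandatory=$true)][string] $Group,         # identity of the group
        [Parameter(Mandatory=$true)][string] $GroupServer,   # DC or domain where the group lives
        [ValidateSet('Add','Remove')][string] $Action = 'Add'
    )
    $memberObj = Resolve-MemberObject -Member $Member -MemberServer $MemberServer

    # Pass the OBJECT, never $memberObj.DistinguishedName: a plain string has no session
    # information, so it would be looked up on $GroupServer and reproduce the
    # ADIdentityNotFoundException described in the post.
    if ($Action -eq 'Add') {
        Add-ADGroupMember -Identity $Group -Members $memberObj -Server $GroupServer
    } else {
        Remove-ADGroupMember -Identity $Group -Members $memberObj -Server $GroupServer -Confirm:$false
    }
    return $memberObj
}

function Test-GroupContainsMember {
    # Verify from the raw member attribute on the group's own DC. Same forest: the
    # member's DN appears directly. Other forest: a foreignSecurityPrincipal whose CN
    # is the member's SID appears instead, so match on the SID as well.
    param(
        [Parameter(Mandatory=$true)][string] $Group,
        [Parameter(Mandatory=$true)][string] $GroupServer,
        [Parameter(Mandatory=$true)] $MemberObject   # as returned by Resolve-MemberObject
    )
    $g   = Get-ADGroup -Identity $Group -Server $GroupServer -Properties member
    $sid = $MemberObject.objectSid.Value
    foreach ($dn in $g.member) {
        if ($dn -eq $MemberObject.DistinguishedName) { return $true }
        if ($dn -like "CN=$sid,CN=ForeignSecurityPrincipals,*") { return $true }
    }
    return $false
}

# Usage with placeholder names: add user 'swami' from forestbbb.example to the
# Administrators group in forestaaa.example, then confirm from the member attribute.
$m = Set-CrossDomainGroupMembership -Member swami -MemberServer forestbbb.example `
        -Group Administrators -GroupServer forestaaa.example -Action Add
Test-GroupContainsMember -Group Administrators -GroupServer forestaaa.example -MemberObject $m
```

The verification step is the part worth keeping even if you script the membership change differently: after any cross-forest change to a privileged group such as Administrators, read the member attribute back from the group's own DC and confirm that exactly the expected DN or SID-named foreign security principal was added.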
Hope this post helps you in managing your group membership via ADPowershell.
Cheers,
Swami
--
Swaminathan Pattabiraman
Developer – Active Directory Powershell Team
Comments
Anonymous
January 17, 2012
The below code can be used as well:

public static ArrayList EnumerateDomains()
{
    ArrayList alDomains = new ArrayList();
    Forest currentForest = Forest.GetCurrentForest();
    DomainCollection myDomains = currentForest.Domains;
    foreach (Domain objDomain in myDomains)
    {
        alDomains.Add(objDomain.Name);
    }
    return alDomains;
}

http://www.lepide.com/
Anonymous
June 05, 2012
The comment has been removed
Anonymous
August 09, 2012
Thanks for sharing this. This is working for adding a user from a remote forest to a local forest's group, but it seems it does not work for adding a group from a remote forest to a local forest group. From the error message, it is still trying to find the remote group DN in the local forest's domain NC inside AD. Trying to add ForestAGroup to ForestB's built-in Administrators group:

$ForestAGroup = Get-ADGroup "ForestAGroup" -Server ForestA
$ForestBBuildinAdministraotrsGroup = Get-ADGroup "Administrators" -Server ForestB
Add-ADGroupMember $ForestBBuildinAdministraotrsGroup -Members $ForestAGroup.DistinguishedName

Is that because Get-ADGroup's session information does not contain "Server=ForestA"? Any other solutions? Thanks
Anonymous
November 29, 2012
For removing users it seems it doesn't work. In my environment it fails. This is my code:

$probeta = get-aduser "probeta" -server ServerDomainB
$Grupo = get-adgroup "Grouper" -server ServerDomainA
Remove-ADGroupMember $Grupo -Members $probeta -server ServerDomainA

Result: Remove-ADGroupMember : Specified account name does not belong to group.
Anonymous
December 07, 2012
Hello,
I think Remove-ADGroupMember in AD PowerShell has a bug with the parent and child domain scenario, but it worked fine with the 2x forest scenario.
Please check this link:
social.technet.microsoft.com/.../b44c5459-b89a-4e7a-bb6f-3cd002635676
But the Remove-QADGroupMember Quest Active Directory command worked fine.
Regards
Anonymous
October 14, 2013
Cross domain support in the AD cmdlets is essentially appalling.
I've just written a script to remove expired users from groups, and those groups exist cross forest. In order to do this in a script that runs against many users I've had to use multiple try/catches to make it work:
try domain1 catch try domain2 catch etc.
This script also works against mailboxes; with Exchange 2010 I can run one cmdlet to work cross forest: set-adserversettings -viewentireforest $true
Please sort this for the AD cmdlets.
Please note that with the Get cmdlets you can get away with using the GC port, but only if the attributes you want to look at are replicated to the GC. The Set cmdlets, no dice.
Anonymous
January 03, 2014
This doesn't seem to work if the user is in Domain A and the group is in Domain B. At least I wasn't able to figure it out when running it in Domain A. Domains A & B are in the same forest.
Anonymous
August 29, 2014
The comment has been removed
Anonymous
November 15, 2014
How can I adapt this to add a contact in DOMAIN A to a GROUP in Domain B? This works GREAT for USERS, but I can NOT get it to work for CONTACTS... AT ALL... I have tried a hundred different things, but it does NOT like my contact variable.
Anonymous
November 19, 2014
Thanks Swami
Works like a charm.
Adding to what you have already mentioned:
If the trust between your forests is one-way, the script should be run from the trusted forest.
Running it from the trusting forest will only end up in the error "Server has rejected your credentials".
Anonymous
November 25, 2014
Found a different method... no matter what I tried, the Remove-ADGroupMember (and similar) commands just wouldn't work across domains (my situation = two domains within one forest).
This worked:

$user = get-aduser <username> -server abc.domain.com
$group = get-adgroup <group> -server xyz.domain.com
Set-ADObject -identity $group -remove @{member=$user.DistinguishedName} -server staff.ad.bond.edu.au

Anonymous
December 11, 2014
@Dan Reeder. Wow! Thank you so much! After some intense search, people, this is the answer!!
Anonymous
February 02, 2015
@Dan Reeder. Yes, it works for me. Thanks.
Anonymous
March 11, 2015
Set-ADObject worked for me - 2008 R2. Thanks.
Anonymous
May 29, 2015
Something like this would be nice:
add-adgroupmember NameOfGroup -Member domain\username
or
add-adgroupmember NameOfGroup -Member user@domain.net
Anonymous
May 29, 2015
This would be nice... add-adgroupmember groupname -member NTAccountName or add-adgroupmember groupname -member UPN
Anonymous
September 10, 2015
The problem with this is... it adds the user into the group and displays the LOGON NAME, not the firstname lastname format you get when using the GUI... is there a way to mirror the values shown when using the GUI?
Anonymous
September 15, 2015
I just did it like this:

$sourceusers = Get-ADGroupMember -Identity "CN=bbb-users,OU=Security Groups,DC=bbb,DC=domain,DC=com" -Server bbb.domain.com
Add-ADGroupMember -Identity "CN=test,OU=Security Groups,DC=aaa,DC=domain,DC=com" -Members $sourceusers