Dela via


Adding/removing members from another forest or domain to groups in Active Directory

Adding/removing members belonging to the same domain from a group is very simple using AD Powershell cmdlets. All you have to do is pass an identifier (either samAccountName, distinguishedName, securityIdentifier or GUID) of the member and group to one of the membership cmdlets:

· Add-ADGroupMember

· Remove-ADGroupMember

· Add-ADPrincipalGroupMembership

· Remove-ADPrincipalGroupMembership

Example:

 C:\PS> Add-ADGroupMember SvcAccPSOGroup -Member SQL01, SQL02   ## Adds the user accounts with SamAccountNames SQL01,SQL02 to the group SvcAccPSOGroup.

C:\PS> Remove-ADPrincipalGroupMembership -Identity "Wilson Pais" -MemberOf "Administrators" ## Remove the user 'Wilson Pais' from the administrators group.

However, when it comes to adding and removing cross-forest or cross-domain members from a group, things become a little difficult. Here is an example of the error message that you would see while trying to do cross-forest/domain operations the regular way:

image

The issue here is that Add-ADGroupMember cmdlet tries to resolve the identity supplied in its -MemberOf parameter first and then update the group membership. Since the identity supplied in –MemberOf parameter is from ForestBBB the cmdlet fails while trying to resolve the identity against ForestAAA and throws an identity not found exception (ADIdentityNotFoundException).

The correct way to update cross-forest/domain membership is to first fetch the cross-forest/domain object using any of the ADPowershell cmdlets and then supply the fetched object as input to –Members or –MemberOf parameter of the cmdlets.

Example:

image

If you want to use Add-ADPrincipalGroupMembership cmdlet then first fetch the group object and save it in a variable and then execute Add-ADPrincipalGroupMembership cmdlet targeting ForestBBB.

image

Here are the commands that are executed in the screenshots above.

 PS ForestAAA:\> $forestBBBUser = Get-ADUser swami -Server $forestBBB
PS ForestAAA:\> Add-ADGroupMember Administrators -Members $forestBBBUser
PS ForestAAA:\>
PS ForestAAA:\> $forestAAAGroup = Get-ADGroup Administrators
PS ForestAAA:\> Add-ADPrincipalGroupMembership -Server $forestBBB swami -MemberOf $forestAAAGroup
PS ForestAAA:\> Remove-ADPrincipalGroupMembership -Server $forestBBB swami -MemberOf $forestAAAGroup

Remove members from group
Do you want to remove all the specified member(s) from the specified group(s)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS ForestAAA:\>
PS ForestAAA:\>

The reason why the above commands work is that ADPowershell cmdlets stores session information in the objects returned.

      The variable $forestBBBUser in the above example contains “server = $forestBBB” in its session information, which is stored internally and is not visible/accessible via command line.

This session information is used by Add-ADGroupMember (and other membership cmdlets) to resolve the identity and add it to the group in $forestAAA.

NOTE: In the above examples I have connected to the forest where the group resides.

Hope this post helps you in managing your group membership via ADPowershell.

 

Cheers,

Swami

--

Swaminathan Pattabiraman

Developer – Active Directory Powershell Team

Comments

  • Anonymous
    January 17, 2012
    The below code can be used as wellpublic static ArrayList EnumerateDomains(){   ArrayList alDomains = new ArrayList();   Forest currentForest = Forest.GetCurrentForest();   DomainCollection myDomains = currentForest.Domains;   foreach (Domain objDomain in myDomains)   {       alDomains.Add(objDomain.Name);   }   return alDomains;}http://www.lepide.com/

  • Anonymous
    June 05, 2012
    The comment has been removed

  • Anonymous
    August 09, 2012
    thanks for sharing this.This is working for adding user from remote forest to local forest's group, but it seems it does not work for adding group from remote forest to local forest group. From the error message, it is still trying to find the remote group DN from local forest domain NC inside AD.  Trying to add forestAGroup to ForestB's builtin administrators group:$ForestAGroup = Get-ADGroup "ForestAGroup" -Server ForestA    $ForestBBuildinAdministraotrsGroup = Get-ADGroup "Administrators" -Server ForestBAdd-ADGroupMember $ForestBBuildinAdministraotrsGroup -Members $ForestAGroup.DistinguishedNameIs that because Get-ADGroup's session information does not contain  the "Server=ForestA " ?Any other solutions? Thanks

  • Anonymous
    November 29, 2012
    For removing users it seems does'nt work. In my environment it fails. This is my code:$probeta = get-aduser "probeta" -server ServerDomainB$Grupo = get-adgroup "Grouper" -server ServerDomainARemove-ADGroupMember $Grupo -Members $probeta -server ServerDomainAResult: Remove-ADGroupMember :Specied account name does not belongs to group.

  • Anonymous
    December 07, 2012
    Hello,I think Remove-ADGroupMember AD-PowerShell has a bug with parent and child domain Scenario, but worked find with 2x forest Scenario.Please check this link:social.technet.microsoft.com/.../b44c5459-b89a-4e7a-bb6f-3cd002635676But Remove-QADGroupMember QUEST Active Directory command worked fine.Regards

  • Anonymous
    October 14, 2013
    Cross domain support in the AD cmdlets is essentially appalling.I've just written a script to remove expired users from groups and those groups exist cross forest. In order to do this in a script that runs against many users I've had to use multiple try catches to make it work.try domain1 catch try domain2 catch etc.This script also works against mailboxes, with exchange 2010 I can run one cmdlet to work cross forest: set-adserversettings -viewentireforest $truePlease sort this for the AD cmdlets.Please note that with the get cmdlets you can get away with using the GC port, but only if the attributes you want to look at are replicated to the GC. The Set cmdlets, no dice.

  • Anonymous
    January 03, 2014
    This doesn't seem to work if the User is in Domain A and the group is Domain B.At least I wasn't able to figure it out, when running it in Domain A. Domain A & B are in the same forest.

  • Anonymous
    August 29, 2014
    The comment has been removed

  • Anonymous
    November 15, 2014
    How can I adapt this to add a contact in DOMAIN A to a GROUP in Domain B.  This works GREAT for USERS, but I can NOT get it to work for CONTACTS....AT ALL...I have tried a hundred different things, but it does NOT like my contact variable.

  • Anonymous
    November 19, 2014
    Thanks SwamiWorks like a CharmAdding to what you have already mentionedIf the Trust between your Forest is One-WayThe script should be run from the Trusted ForestRunning it from the Trusting Forest will only end up in the error "Server has rejected your credentials"

  • Anonymous
    November 25, 2014
    found a different method... no matter what I tried, the remove-adgroupmember (and similar) commands just wouldn't work across domains (my situation = two domains within one forest)This worked:$user = get-aduser <username> -server abc.domain.com$group = get-adgroup <group> -server xyz.domain.comSet-ADObject -identity $group -remove @{member=$user.DistinguishedName} -server staff.ad.bond.edu.au

  • Anonymous
    December 11, 2014
    @Dan Reeder .Wow! Thank you so much! After some intense search, people! this is the answer!!

  • Anonymous
    February 02, 2015
    @Dan Reeder . Yes, it Works for me. Thanks.

  • Anonymous
    March 11, 2015
    Set-ADObject worked for me - 2008R2. Thanks.

  • Anonymous
    May 29, 2015
    Something like this would be nice.add-adgroupmember NameOfGroup -Member domainusernameoradd-adgroupmember NameOfGroup -Member user@domain.net

  • Anonymous
    May 29, 2015
    This would be nice... add-adgroupmember groupname -member NTAccountName or add-adgroupmember groupname -member UPN

  • Anonymous
    September 10, 2015
    The problem with this is...it adds the user into the group and displays LOGON NAME not the firstname lastname format you get when using the gui...is there a way to mirror the values shown when using the gui?

  • Anonymous
    September 15, 2015
    I just did like this: $sourceusers = Get-ADGroupMember -Identity "CN=bbb-users,OU=Security Groups,DC=bbb,DC=domain,DC=com" -Server bbb.domain.com Add-ADGroupMember -Identity "CN=test,OU=Security Groups,DC=aaa,DC=domain,DC=com" -Members $sourceusers