Thursday, November 22, 2018

PowerShell TIP - Add members to a group in a different domain.

I was working on automating a few Active Directory groups using PowerShell, and I encountered an issue where my scripting solution was running in one domain but the group resided in another domain. The PowerShell command below was resulting in an error, as by default the AD module searches the domain from which it is running.

Add-ADGroupMember -identity "groupName" -members "userid"

Even if you use the Distinguished Name, the same error is encountered.

Here is the TIP that you can use to avoid this error. It is a 3 step process that you need to implement in your script to get it rolling.


  • First step is to get the user object using the AD module Get-ADUser command and direct it to the domain where the user exists.

$getmemberobject = get-aduser -Filter "UserPrincipalName -eq '$upn'" -server $domainwhereexists

  • Second step is to get the group object in the same way using Get-ADGroup, directing it to the domain using the -Server parameter.

$getgroupobject = get-adgroup -identity $groupinparticulardoamin -server $domainwhereexists


  • Once the above two steps are done, you can use the Add-ADGroupMember cmdlet as below with the DistinguishedName properties, directing it to the domain where this operation should happen.

Add-ADGroupMember -identity $getgroupobject.DistinguishedName -members $getmemberobject.DistinguishedName -server $domainwhereexists
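The three steps above wrapped into one reusable function, added here as an example and not code from the original post. The function name, parameter names, and the domain names and UPN in the usage line are assumed; it also checks the group scope before the change, since a Global group cannot hold members from another domain, and reads the group's member attribute back from the same DC to confirm the result.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
# $UserDomain / $GroupDomain are assumed to be the FQDNs of the two domains.
Import-Module ActiveDirectory

function Add-CrossDomainGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $UserDomain,    # assumed, e.g. child.corp.example
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $GroupDomain    # assumed, e.g. corp.example
    )

    # Step 1: resolve the user against the domain it lives in.
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Server $UserDomain
    if (-not $user) { throw "User '$UserPrincipalName' not found in $UserDomain" }

    # Step 2: resolve the group against its own domain.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -ErrorAction Stop

    # Global groups cannot contain members from another domain; fail early with a
    # clear message instead of letting the DC return a generic constraint error.
    if ($UserDomain -ne $GroupDomain -and $group.GroupScope -eq 'Global') {
        throw "Group '$GroupName' is Global; use a Universal or DomainLocal group for cross-domain members"
    }

    # Step 3: run the change against a DC of the group's domain, passing the member's DN.
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add member $($user.DistinguishedName)")) {
        Add-ADGroupMember -Identity $group.DistinguishedName -Members $user.DistinguishedName -Server $GroupDomain

        # Verify on the same DC so replication lag cannot hide a silent failure:
        # read the raw 'member' attribute rather than enumerating members.
        $members = (Get-ADGroup -Identity $group.DistinguishedName -Server $GroupDomain -Properties member).member
        if ($members -notcontains $user.DistinguishedName) {
            throw "Membership of $($user.DistinguishedName) was not confirmed on $GroupDomain"
        }
        Write-Verbose "Added $($user.DistinguishedName) to $($group.DistinguishedName)"
    }
}

# Usage with assumed names: preview with -WhatIf first, then run without it.
# Add-CrossDomainGroupMember -UserPrincipalName 'jdoe@child.corp.example' -UserDomain 'child.corp.example' `
#     -GroupName 'App-Admins' -GroupDomain 'corp.example' -WhatIf
```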

By following the above, you can work in a multi-domain environment using the native Active Directory PowerShell module.

I hope this TIP will resolve the issue if you are developing a solution and are in a similar situation.

I have tested the approach in a parent-child domain, but I am sure this will work in other Active Directory forest scenarios.


Thanks for reading

Sukhija Vikas
