Bulk Add Global Groups to Local group in a trusted domain

  • Question

  • Hi there, we have two domains.

    Sydney and Toronto

    I've copied all groups from Sydney AD into Toronto AD and ensured all the groups were created as Domain Local groups.

    I would like to add the global group from Sydney to each group in Toronto.

    For example.

    Group Name in Sydney: ACCOUNTING (contains 100 users)

    Group Name in Toronto: ACCOUNTING (Members of group will be global group of Sydney\ACCOUNTING).

    How can I script this?

    Tuesday, September 22, 2015 6:19 PM

Answers

  • Thanks for pointing me in the right direction. The actual command that ended up working was this:

    On Toronto DC, in PowerShell for AD:

    $cred = Get-Credential

    Add-ADGroupMember -Identity "ACCOUNTING" -Members (Get-ADGroup "ACCOUNTING" -Server DC.Sydney.com -Credential $cred)

    Wednesday, September 23, 2015 7:01 PM
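
The accepted command nests one group; the original question asked for all of them. The following is an added example, not code from anyone in the thread, that repeats the same `Add-ADGroupMember`/`Get-ADGroup` call for every same-named pair, only nests global security groups, skips critical system groups, and returns a per-group record for review. The function name `Add-TrustedGlobalGroup` and the Toronto OU path are assumptions; `DC.Sydney.com` is the server name used in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Run on a Toronto DC. Function name and OU path are hypothetical.
function Add-TrustedGlobalGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceServer = 'DC.Sydney.com',                 # Sydney DC named in the thread
        [Parameter(Mandatory)][string]$TargetSearchBase,         # OU holding the copied Toronto groups
        [Parameter(Mandatory)][pscredential]$SourceCredential    # account that can read Sydney AD
    )

    # Only domain local groups under the chosen OU; never touch critical system groups.
    $targets = Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" -SearchBase $TargetSearchBase `
                   -Properties isCriticalSystemObject |
               Where-Object { -not $_.isCriticalSystemObject }

    foreach ($target in $targets) {
        $name   = $target.SamAccountName.Replace("'", "''")      # escape quotes for -Filter
        $source = @(Get-ADGroup -Filter "SamAccountName -eq '$name'" `
                        -Server $SourceServer -Credential $SourceCredential)

        # Nest only when the Sydney group exists and is a global security group.
        $status = if ($source.Count -eq 0) { 'SourceNotFound' }
                  elseif ($source[0].GroupScope -ne 'Global') { 'SourceNotGlobal' }
                  elseif ($source[0].GroupCategory -ne 'Security') { 'SourceNotSecurity' }
                  else {
                      try {
                          if ($PSCmdlet.ShouldProcess($target.DistinguishedName,
                                  "Add member $($source[0].DistinguishedName)")) {
                              Add-ADGroupMember -Identity $target -Members $source[0] -ErrorAction Stop
                              'Added'
                          } else { 'NotApplied' }
                      } catch { "Failed: $($_.Exception.Message)" }   # e.g. already a member
                  }

        # One record per Toronto group, so the change can be reviewed and kept as evidence.
        [pscustomobject]@{
            TargetGroup = $target.DistinguishedName
            SourceGroup = if ($source.Count) { $source[0].DistinguishedName }
            Status      = $status
        }
    }
}

$cred = Get-Credential
# Dry run first: -WhatIf reports each pair without changing any membership.
Add-TrustedGlobalGroup -TargetSearchBase 'OU=Groups,DC=Toronto,DC=com' -SourceCredential $cred -WhatIf |
    Format-Table -AutoSize
```

Review the dry-run table before re-running without `-WhatIf`: each nesting gives every current and future member of the Sydney group whatever access the Toronto group holds.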

All replies

  • Hi,

    You can use a combination of Get-ADGroupMember and Add-ADGroupMember:

    http://ss64.com/ps/get-adgroupmember.html

    http://ss64.com/ps/add-adgroupmember.html

    Basic example:


    Add-ADGroupMember -Identity 'Toronto Group' -Members (Get-ADGroupMember -Identity 'Sydney Group')


    EDIT: Both of these cmdlets have a -Server parameter you can use to target specific DCs if you need to.

    Tuesday, September 22, 2015 6:24 PM
  • Get group members using distinguished name of remote group then add them to the group in the local domain.

    What is the issue? Are you getting errors?


    \_(ツ)_/

    Tuesday, September 22, 2015 6:29 PM
  • No issue just yet, but, wanted an idea as to how to go about this.

    When I add the domain global group to the local group, I'm asked to put in my password from the Sydney domain. Will this be a problem if I script this using Add-ADGroupMember ?

    Tuesday, September 22, 2015 6:49 PM
  • No issue just yet, but, wanted an idea as to how to go about this.

    When I add the domain global group to the local group, I'm asked to put in my password from the Sydney domain. Will this be a problem if I script this using Add-ADGroupMember ?

    Use the -Credential parameter.


    Tuesday, September 22, 2015 6:53 PM
  • On the target DC (in another domain) I tried this:

    Add-ADGroupMember ACCOUNTING -members "CN=ACCOUNTING,OU=Groups,DC=Sydney,DC=com" -server sydneyDC.sydney.com -credential Sydney\user1

    What this did, was connect to the sydneyDC and add the group Accounting as a member.

    But, I wanted this to be the other way around. Add a member which is CN=ACCOUNTING,OU=Groups,DC=Sydney,DC=com into ACCOUNTING into Toronto domain.

    So, will look like this in Toronto AD

    Group Name: ACCOUNTING (just like it was in Sydney)

    Members: Sydney\Accounting (using the old group as a member in the new ACCOUNTING group).

    Tuesday, September 22, 2015 7:20 PM
  • I even tried this (omitting the -server)

    Add-ADGroupMember ACCOUNTING -members "Sydney\ACCOUNTING" -credential sydney\user1

    But, I get an error that states it cannot find an object "Sydney\ACCOUNTING".

    Seems like you can't add global groups from another domain to local groups using Add-ADGroupMember...

    However, doing this in AD snap in works just fine.

    Tuesday, September 22, 2015 7:24 PM
  • Look at my example again.

    Tuesday, September 22, 2015 7:31 PM
  • I did...

    Add-ADGroupMember -Identity 'Toronto Group' -Members (Get-ADGroupMember -Identity 'Sydney Group')

    Produces this error:

     Cannot validate argument on parameter 'Members'

    Also doesn't work with -Server. 
    I don't want to get the ad-group members from Toronto, I'm only adding the actual Toronto group to the Sydney group as previously specified.

    Perhaps I need to rephrase my question.

    How can I go about adding global groups from domain1 to a local group of domain2 using group name: ACCOUNTING. That group name is the same in both domains...

    I'll take another look at the two links you provided to see if I can get a hint. Thanks for taking your time with this one.

     

    Tuesday, September 22, 2015 8:10 PM
  • Ah, that is in fact different from what I've posted above.


    Add-ADGroupMember -Identity 'Test Group 1' -Members (Get-ADGroup 'Test Group 2')


    Tuesday, September 22, 2015 8:18 PM
  • Thanks for pointing me in the right direction. The actual command that ended up working was this:

    On Toronto DC, in PowerShell for AD:

    $cred = Get-Credential

    Add-ADGroupMember -Identity "ACCOUNTING" -Members (Get-ADGroup "ACCOUNTING" -Server DC.Sydney.com -Credential $cred)

    Wednesday, September 23, 2015 7:01 PM
  • Cheers, you're welcome. Glad it worked out.

    Wednesday, September 23, 2015 7:25 PM