Add servers to cross domain group

  • Question

  • Hi Everyone

    I am currently creating a script that will add servers from domainB (Child domain) to servers in domainA (Parent domain).

    I am having a very hard time getting this to work; any help would be much appreciated. Thanks in advance. I am not very skilled at PowerShell yet, so I bet the root cause is a very basic mistake that I make.

    To clarify:

    DomainA = mydomain.x

    DomainB = child.mydomain.x

    I run my script from a domain controller in DomainA, and I am domain admin/enterprise admin in all domains. Here is my script in its current form:

    # Import RSAT tools
    Import-Module ActiveDirectory

    #----------------------------------------------------------
    # Functions
    #----------------------------------------------------------

    function AddToGroup {

        # Variables
        $Group = "myGroup"
        $ParentDomain = "domainA.x"
        $ChildDomain = "child.domainA.x"

        # Get group from parent domain
        $DomainGroup = Get-ADGroup -Identity $Group -Server $ParentDomain

        # Get computers from child domain (Select-Object Name keeps only the Name property)
        $CrossDomainServers = Get-ADComputer -Server $ChildDomain -SearchBase 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk' -Filter {OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*'} -Property * | Select-Object Name

        # Print found servers
        Write-Output $CrossDomainServers

        # Loop all servers and add to group
        ForEach ($line in $CrossDomainServers)
        {
            $serverName = $line.("Name")

            Add-ADGroupMember $DomainGroup -Members $serverName
        }
    }

    # Run function
    AddToGroup

    I get the following error:
    --------------------------------------------------------
    ADD-ADGroupMember : Cannot find an object with identity: 'Servername' under: 'DC=parentdomain,DC=dk'.
    At C:\temp\KHD\Bankdata_Group_membership.ps1:39 char:4
    +    ADD-ADGroupMember $DomainGroup –members $serverName
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (SF110SV9013800:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
        + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

    --------------------------------------------------------

    For some reason the server name is resolved in the parent domain, not in the child domain, even though I pull references with Get-ADGroup and Get-ADComputer to make sure that PowerShell saves the correct references.

    Anyone got an idea of what I am doing wrong?

    Thanks in advance.

    Tuesday, January 8, 2019 9:49 AM

Answers

  • A cleaner way to write this is:

    $props = @{
        Server     = $ChildDomain
        SearchBase = 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk'
        Filter     = { OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*' }
    }
    Get-ADComputer @props |
        ForEach-Object {
            Add-ADGroupMember $DomainGroup -Members $_
        }

    \_(ツ)_/

    Tuesday, January 8, 2019 2:06 PM

All replies

  • Hello,

    What you are trying to do with your script is add servers to a Security Group.

    Your code is fine if you do it with user accounts; for computer accounts you must add a dollar sign after the computer name:

    $serverName = $line.("Name") + "$"



    • Edited by Jebisata Tuesday, January 8, 2019 10:34 AM
    Tuesday, January 8, 2019 10:33 AM
  • Hi Jebisata

    I will try to add that right away. I assume it's due to the SAM account name.

    I will test and return. Thanks so far.

    Tuesday, January 8, 2019 12:36 PM
  • Hi Jebisata

    Sadly I still get this error:

    --------------------------------------------------------
    ADD-ADGroupMember : Cannot find an object with identity: 'Servername' under: 'DC=parentdomain,DC=dk'.
    At C:\temp\KHD\Bankdata_Group_membership.ps1:39 char:4
    +    ADD-ADGroupMember $DomainGroup –members $serverName
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (SF110SV9013800:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
        + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

    --------------------------------------------------------

    I have tried to add:

    $serverName = $line.("Name") + "$"


    and also changed Get-ADComputer to output the SAMAccountName and get that:

    $serverName = $line.("SamAccountName")

    Sadly it gives me the exact same error.

    Tuesday, January 8, 2019 12:43 PM
  • Let's change a bit of code and try:

    # Get computers from child domain (-ExpandProperty returns plain name strings)
    $CrossDomainServers = Get-ADComputer -Server $ChildDomain -SearchBase 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk' -Filter {OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*'} -Property * | Select-Object -ExpandProperty Name

    # Print found servers
    Write-Output $CrossDomainServers

    # Loop all servers and add to group
    ForEach ($line in $CrossDomainServers)
    {
        $serverName = $line + "$"

        Add-ADGroupMember $DomainGroup -Members $serverName
    }


    Tuesday, January 8, 2019 1:15 PM
    If you want to use SamAccountName, change your Select-Object to get it and delete the (+ "$").

    The SamAccountName format includes the dollar symbol.

    Tuesday, January 8, 2019 1:25 PM
  • Just add the computer object to the group:

    Get-ADComputer -Server $ChildDomain -SearchBase 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk' -Filter { OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*' } |
        ForEach-Object {
            Add-ADGroupMember $DomainGroup -Members $_
        }


    \_(ツ)_/



    • Edited by jrv Tuesday, January 8, 2019 1:55 PM
    Tuesday, January 8, 2019 1:54 PM
  • The help for Add-ADGroupMember states that you cannot pass objects through the pipeline to the -Members parameter.

    The parameter will accept object references, but technically not the Name attribute. Only sAMAccountName, distinguishedName, SID, and GUID (besides object references). Name does not uniquely identify objects, unless it matches the sAMAccountName.

    Edit: Also, the -Members parameter will accept either a comma delimited list or an array. I have used arrays.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, January 8, 2019 2:44 PM
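    As an added example (not code from the thread or any poster), the accepted answer and Richard's note on which identifiers -Members resolves, combined into one function: it queries the child domain, passes the full ADComputer objects rather than a Name projection, and adds them against a DC of the parent domain. It also checks the group scope, which the thread does not mention, because a Global group in the parent domain cannot hold members from the child domain; the group, domain and OU names are placeholders.

```powershell
Import-Module ActiveDirectory

function Add-CrossDomainServersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,    # group in the parent domain
        [Parameter(Mandatory)] [string] $ParentDomain, # e.g. 'mydomain.x' (placeholder)
        [Parameter(Mandatory)] [string] $ChildDomain,  # e.g. 'child.mydomain.x' (placeholder)
        [Parameter(Mandatory)] [string] $SearchBase    # OU DN in the child domain
    )

    # Resolve the group against a DC of the parent domain; -Server decides where
    # member identities are looked up, which is what produced the ObjectNotFound above.
    $group = Get-ADGroup -Identity $GroupName -Server $ParentDomain -Properties GroupScope, Members

    # Only DomainLocal and Universal groups can hold members from another domain in the forest.
    if ($group.GroupScope -eq 'Global') {
        throw "Group '$GroupName' is Global and cannot contain members from $ChildDomain."
    }

    # Query the child domain and keep the full ADComputer objects (DN, SID, GUID):
    # -Members resolves sAMAccountName, DN, SID or GUID, never the Name attribute.
    $servers = Get-ADComputer -Server $ChildDomain -SearchBase $SearchBase `
        -Filter { OperatingSystem -like '*Windows Server*' -and Name -notlike '*HC*' -and Name -notlike '*VN*' }

    $existing = @($group.Members)   # DNs already present; skipping them keeps the run idempotent
    foreach ($server in $servers) {
        if ($existing -contains $server.DistinguishedName) {
            Write-Verbose "Already a member: $($server.DistinguishedName)"
            continue
        }
        # -Members does not bind from the pipeline, so the object is passed as an argument.
        if ($PSCmdlet.ShouldProcess($server.DistinguishedName, "Add to $($group.DistinguishedName)")) {
            Add-ADGroupMember -Identity $group -Members $server -Server $ParentDomain
        }
    }
}

# Placeholder values; preview with -WhatIf first, then run without it.
Add-CrossDomainServersToGroup -GroupName 'myGroup' -ParentDomain 'mydomain.x' `
    -ChildDomain 'child.mydomain.x' -SearchBase 'OU=w2k12r2,OU=servers,DC=child,DC=mydomain,DC=x' -WhatIf
```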
  • The help for Add-ADGroupMember states that you cannot pass objects through the pipeline to the -Members parameter.

    The parameter will accept object references, but technically not the Name attribute. Only sAMAccountName, distinguishedName, SID, and GUID (besides object references). Name does not uniquely identify objects, unless it matches the sAMAccountName.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Where are objects being passed through a pipeline?


    \_(ツ)_/

    Tuesday, January 8, 2019 2:50 PM
  • I thought $_ meant the object came through the pipeline. I could be wrong. I was going to suggest:

    $props = @{
        Server     = $ChildDomain
        SearchBase = 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk'
        Filter     = { OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*' }
    }

    # -ExpandProperty yields the sAMAccountName strings, not objects with a single property
    $Computers = @(Get-ADComputer @props | Select-Object -ExpandProperty sAMAccountName)
    Add-ADGroupMember $DomainGroup -Members $Computers


    Although I can't test right now.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 8, 2019 3:08 PM
  • I thought $_ meant the object came through the pipeline. I could be wrong. I was going to suggest:

    $props = @{
        Server     = $ChildDomain
        SearchBase = 'OU=w2k12r2,OU=servers,DC=child,DC=domainB,DC=dk'
        Filter     = { OperatingSystem -Like '*Windows Server*' -and Name -NotLike '*HC*' -and Name -Notlike '*VN*' }
    }

    # -ExpandProperty yields the sAMAccountName strings, not objects with a single property
    $Computers = @(Get-ADComputer @props | Select-Object -ExpandProperty sAMAccountName)
    Add-ADGroupMember $DomainGroup -Members $Computers

    Although I can't test right now.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Yes. It is the pipeline variable that is passed but not supporting a pipeline means:

    Get-AdComputer | Add-AdGroupMember groupid

    That won't work.  That is why we need to use "ForEach-Object" to enumerate the objects in the pipeline.

    C'mon Richard.  I know you know this.  Finish your morning coffee and look at it again.  Better yet, try my code.  I ran it just in case I wasn't awake and missing something and it works exactly as expected.


    \_(ツ)_/

    Tuesday, January 8, 2019 3:24 PM
  • Ah, using the ForEach does work. Yes, I need more coffee.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 8, 2019 3:33 PM
  • Yup.  That happens to me before the second cup.


    \_(ツ)_/

    Tuesday, January 8, 2019 3:35 PM
  • Hi jrv

    Your code works just fine, thanks a lot for the help.

    Also to you Richard, thanks for the help. You guys saved me a lot of trouble.

    Consider this problem solved :)

    Wednesday, January 9, 2019 10:09 AM