How to add user from domain A to a group in domain B

  • Question

  • How would you achieve adding a user from domain A to a group that is in domain B via PowerShell without the Quest cmdlets? I've been trying to figure this out for about a week now. Please let me know if the Scripting Guy has seen this issue before.

    LittleTech

    Friday, May 9, 2014 5:54 PM

Answers

  • Try it this way.  Do not bother with the PSDrive.

    # get the user object from the remote domain
    $User=Get-ADUser -Filter {sAMAccountName -eq $UserID} -server <AD server in foreign domain>

    # Add the user object to the group.  AD should be able to resolve this.
    $groupDN='CN=Wireless Device Users,OU=Wireless,OU=Systems and Technology,DC=External,DC=Domain2,DC=Com'
    Add-ADGroupMember -Identity $GroupDN -Members $user


    ¯\_(ツ)_/¯

    Friday, May 9, 2014 7:22 PM

All replies

  • Have you tried with AD CmdLets?

    Just get the user object from the remote domain and add it.  There must be trusts and you must have permissions in both domains.


    ¯\_(ツ)_/¯

    Friday, May 9, 2014 6:35 PM
  • Here is a discussion on the various issues of adding users from a remote domain:

    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/6281c4f2-0108-4928-bcf7-4f2a64099525/script-to-add-users-of-a-trusted-domain


    ¯\_(ツ)_/¯

    Friday, May 9, 2014 6:39 PM
  • Hello jrv,

    Here's what I was trying to do. The two domains I'm working with have a trust between them.

    1. Create a user in External.Domain.Com
    2. Add the user in External.Domain.Com to GroupOne in ExternalDomain2.Domain.com
    3. The only knowledge that ExternalDomain2.Domain.Com would have about the account in External.Domain.Com is whatever is in the Global Catalog. Here is what I'm trying, but it isn't working.

    #Connecting to domain PSDrive
    New-PSDrive -Name ExternalDomain -PSProvider ActiveDirectory -Root "" -Server DC01.Domain.com
    cd ExternalDomain:

    #Create user
    #Add to ExternalDomain Groups

    $UserDN=Get-ADUser -LDAPFilter "(sAMAccountName=$UserID)"

    #Connecting to domain2 PSDrive 
    cd AD:

    $GroupDN="CN=Wireless Device Users,OU=Wireless,OU=Systems and Technology,DC=External,DC=Domain2,DC=Com"
    Add-ADGroupMember -Identity $GroupDN -Members (Get-ADObject -Identity $UserDN.DistinguishedName -Server "DC01.Domain.com:3268")

    Connecting via port 3268 allows me to talk to the global catalog instead of LDAP.

    I receive the following message: A Referral was returned from the server
    I know that if I connect using [ADSI] I am able to specify that the connection follows referrals; the AD cmdlets seem to not have that function. The Quest AD cmdlets do... I just don't want to have to use third-party cmdlets to do what the AD cmdlets should be able to do in the first place.

    Thanks,


    LittleTech

    Friday, May 9, 2014 7:04 PM
  • Please try to not post colorized code.  It does not display correctly.  Use the code object on the toolbar to paste code.  It will strip out your HTML.

    Example:

    #Connecting to domain PSDrive
    New-PSDrive -Name ExternalDomain -PSProvider ActiveDirectory -Root "" -Server DC01.Domain.com
    cd ExternalDomain:

    #Create user
    #Add to ExternalDomain Groups

    $UserDN=Get-ADUser -LDAPFilter "(sAMAccountName=$UserID)"

    #Connecting to domain2 PSDrive
    cd AD:

    $GroupDN="CN=Wireless Device Users,OU=Wireless,OU=Systems and Technology,DC=External,DC=Domain2,DC=Com"
    Add-ADGroupMember -Identity $GroupDN -Members (Get-ADObject -Identity $UserDN.DistinguishedName -Server "DC01.Domain.com:3268")


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, May 9, 2014 7:23 PM
    Friday, May 9, 2014 7:17 PM
  • Hey Jrv,

    You're a genius!

    My inner geek wants to know how AD actually figured out how to resolve that. But that's a different question that I believe would have to be posted somewhere else.

    Thank you very much for your help.

    LittleTech

    Friday, May 9, 2014 7:44 PM
  • Hey Jrv,

    You're a genius!

    My inner geek wants to know how AD actually figured out how to resolve that. But that's a different question that I believe would have to be posted somewhere else.

    Thank you very much for your help.

    LittleTech

    The key with PowerShell is to always allow and use objects when possible.  Objects understand themselves.  AD objects are smart.  AD CmdLets are smart.

    By using the "server" object we can pick the server that handles our query and the samaccount will be key for that domain.  The returned object has everything that AD needs to resolve the user and add it.  ADSI will always take an AD object reference in these situations.

    If a solution that is required appears to be too complex then you are probably doing it wrong or are missing key information about the object/task.  This means that you should research the issue to find your missing knowledge.  Simple learning by walking around - Didn't David Packard say that?


    ¯\_(ツ)_/¯

    Friday, May 9, 2014 8:38 PM
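The accepted answer (look the user up on a DC in its own domain, then pass the returned object to Add-ADGroupMember against the group's domain) and jrv's closing explanation of why the object form works are, as an added example that is not code from this thread or from Microsoft, written out below as a complete script. It adds the checks a practitioner would want around that procedure: group scope (a Global group cannot hold members from another domain, only Domain Local and Universal groups can), an idempotency check against the group's `member` attribute rather than a second Get-ADGroupMember call (cross-forest members appear there as foreignSecurityPrincipal entries whose CN is the member's SID, so the comparison is on SID), and a read-back from the target domain. The domain controller names, the parameter names and the default sAMAccountName are assumed placeholders; only the group DN is the one from the thread.

```powershell
# Added example, not the thread's own code. Adds a user from domain A (External.Domain.Com)
# to a group in domain B (ExternalDomain2.Domain.com) across a trust, binding each lookup
# to a DC in the domain that owns the object. Server names below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $UserSam,                          # assumed, e.g. 'jdoe'
    [string] $UserDomainServer  = 'dc01.external.domain.com',          # DC in domain A (placeholder)
    [string] $GroupDomainServer = 'dc01.externaldomain2.domain.com',   # DC in domain B (placeholder)
    [string] $GroupDN = 'CN=Wireless Device Users,OU=Wireless,OU=Systems and Technology,DC=External,DC=Domain2,DC=Com'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Resolve the user on a DC of its own domain. The returned ADUser carries the
#    DistinguishedName, ObjectGUID and SID that the target DC needs to resolve it.
$user = @(Get-ADUser -Filter { sAMAccountName -eq $UserSam } -Server $UserDomainServer)
if ($user.Count -eq 0) { throw "No user with sAMAccountName '$UserSam' found via $UserDomainServer" }
if ($user.Count -gt 1) { throw "sAMAccountName '$UserSam' is ambiguous in domain A" }
$user = $user[0]

# 2. Resolve the group on a DC of its own domain and fail early on an unusable scope.
$group = Get-ADGroup -Identity $GroupDN -Server $GroupDomainServer -Properties member
if ($group.GroupScope -eq 'Global') {
    throw "Group '$($group.Name)' is Global; cross-domain members need DomainLocal or Universal scope"
}

# 3. Idempotency: inspect the raw 'member' attribute. Same-forest members appear by their
#    real DN; cross-forest members appear as CN=<SID>,CN=ForeignSecurityPrincipals,...
$sidPrefix = "CN=$($user.SID.Value),"
$already = $group.member | Where-Object {
    $_ -eq $user.DistinguishedName -or $_.StartsWith($sidPrefix, [StringComparison]::OrdinalIgnoreCase)
}
if ($already) {
    Write-Output "$($user.SamAccountName) is already a member of $($group.Name)"
    return
}

# 4. Add the object itself (not a DN string), directed at a DC in domain B, which is the
#    same form the accepted answer uses; the DC resolves the member by SID across the trust.
Add-ADGroupMember -Identity $group -Members $user -Server $GroupDomainServer -ErrorAction Stop

# 5. Verify by reading the group back from its own domain.
$after = (Get-ADGroup -Identity $GroupDN -Server $GroupDomainServer -Properties member).member
$ok = $after | Where-Object {
    $_ -eq $user.DistinguishedName -or $_.StartsWith($sidPrefix, [StringComparison]::OrdinalIgnoreCase)
}
if (-not $ok) { throw "Membership write did not show up on $GroupDomainServer" }
Write-Output "Added $($user.SamAccountName) ($($user.SID.Value)) to $($group.Name) via $GroupDomainServer"
```

Run it as `.\Add-CrossDomainMember.ps1 -UserSam jdoe` (script name assumed) under an account that has read rights in domain A and write-member rights on the group in domain B. On the domain B DC the add is recorded in the Security log as event 4732 (Domain Local group), 4756 (Universal group) or 4728 (Global group), with the member's SID rather than a resolvable name when it comes from another forest, which is the same reason the script compares on SID.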