six demon bag
Wind, fire, all that kind of thing!
2015-01-18
Adding Group Members Across Domains
Normally when you add a member to an Active Directory group you'll simply use the Add-ADGroupMember cmdlet from the ActiveDirectory module. Except when you have to do it across domains/forests where the source domain is still running Windows Server 2008 (not R2). As in "no AD PowerShell cmdlets" and "no Active Directory Web Service (ADWS)". *sigh*
You can get around this limitation by adding a foreign security principal for an account or group in domain DOM1 (the one without ADWS) to the DirectoryEntry of a group in domain DOM2:
# Resolve DOM1\username to its SID via the trust (no ADWS needed on DOM1).
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
# DOM2 has ADWS, so the AD cmdlets work there; get the group's distinguished name.
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
# Bind to the group with ADSI and add the member by SID; the DC creates the
# foreign security principal object in DOM2 on commit.
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
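The same technique wrapped in a function that goes a bit beyond the snippet above: it binds to a named DOM2 domain controller, skips the write if the account is already a member, and reads the member attribute back to confirm the foreign security principal (stored by the DC as CN=<SID>,CN=ForeignSecurityPrincipals,...) is actually present. This is an added example, not code from the original post; DOM1, DOM2, dc01.dom2.example and the account and group names are placeholders you would replace with your own.

```powershell
# Added example. Assumed names: DOM1 (the 2008 domain without ADWS), DOM2 (the
# domain that owns the group) and dc01.dom2.example (a DOM2 domain controller).
Import-Module ActiveDirectory

function Add-ForeignGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$MemberDomain,   # NetBIOS name of the member's domain (DOM1)
        [Parameter(Mandatory)] [string]$MemberName,     # sAMAccountName of the user or group in DOM1
        [Parameter(Mandatory)] [string]$GroupName,      # sAMAccountName of the target group in DOM2
        [Parameter(Mandatory)] [string]$Server          # a DOM2 DC, so read and write hit the same DC
    )

    # Resolve DOM1\name to its SID. Translate() goes through the trust, not ADWS,
    # so it works against a Windows Server 2008 domain.
    $account = New-Object System.Security.Principal.NTAccount($MemberDomain, $MemberName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # DOM2 has ADWS, so Get-ADGroup is fine for locating the group.
    $dn = (Get-ADGroup -Identity $GroupName -Server $Server).DistinguishedName
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$dn")

    try {
        # A foreign member is stored as CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>,
        # so existing membership can be detected without writing anything.
        $fspPrefix = "CN=$sid,CN=ForeignSecurityPrincipals,"
        $existing = @($group.member) | Where-Object { $_ -like "$fspPrefix*" }
        if ($existing) {
            Write-Verbose "$MemberDomain\$MemberName is already a member of $GroupName"
            return $true
        }

        [void]$group.member.Add("<SID=$sid>")
        $group.CommitChanges()

        # Re-read the attribute from the same DC and confirm the FSP DN is now present.
        $group.RefreshCache(@('member'))
        $added = @($group.member) | Where-Object { $_ -like "$fspPrefix*" }
        if (-not $added) {
            throw "Membership for $MemberDomain\$MemberName was committed but is not visible on $Server"
        }
        return $true
    }
    finally {
        $group.Close()
    }
}

# Usage (placeholder names):
# Add-ForeignGroupMember -MemberDomain 'DOM1' -MemberName 'username' `
#     -GroupName 'groupname' -Server 'dc01.dom2.example' -Verbose
```

Binding to an explicit DC for both the write and the read-back avoids a false negative from replication lag, and the pre-check keeps the function safe to re-run.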
Posted 18:25