six demon bag

Wind, fire, all that kind of thing!

2015-01-18

Adding Group Members Across Domains

Normally when you add a member to an Active Directory group you'll simply use the Add-ADGroupMember cmdlet from the ActiveDirectory module. Except when you have to do it across domains/forests where the source domain is still running Windows Server 2008 (not R2). As in "no AD PowerShell cmdlets" and "no Active Directory Web Service (ADWS)". *sigh*

You can get around this limitation by resolving an account or group in domain DOM1 (the one without ADWS) to its SID and adding it, as a foreign security principal, to the DirectoryEntry of a group in domain DOM2 (the one where the AD cmdlets work):

# Resolve DOM1\username to its SID; this relies on the trust between the domains
$fsp = New-Object System.Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Look up the DOM2 group with the AD cmdlets, then bind to it via ADSI
$dn = Get-ADGroup -Identity 'groupname' | Select-Object -ExpandProperty DistinguishedName
$group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")

# Add the member by SID; the DC creates the foreignSecurityPrincipal object on commit
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
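The same technique wrapped in a function with the checks you would want before running it against production groups is shown below. This is an added example, not code from the original post: the function name, parameter names and the DOM1/DOM2 placeholders are assumptions, and it targets the cross-forest case (a DOM1 that is a separate forest), where only Domain Local groups in DOM2 can hold the foreign principal and AD represents the membership as a foreignSecurityPrincipal object whose CN is the SID string.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is loaded on a DOM2 machine and a trust exists between the DOM1 and DOM2 forests.
function Add-ForeignGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MemberDomain,  # 'DOM1': the forest without ADWS
        [Parameter(Mandatory)][string]$MemberName,    # sAMAccountName of the DOM1 user or group
        [Parameter(Mandatory)][string]$GroupName,     # group in DOM2, where the AD cmdlets work
        [string]$Server                               # optional DOM2 DC to bind to for read and write
    )

    # 1. Resolve DOM1\name to a SID. Translate() relies on the trust between the
    #    forests; an unresolvable name surfaces as IdentityNotMappedException.
    $account = New-Object System.Security.Principal.NTAccount($MemberDomain, $MemberName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot translate $MemberDomain\$MemberName to a SID. Is the trust in place and the name correct?"
    }

    # 2. Fetch the DOM2 group with its member list. A group can only hold
    #    principals from another forest if its scope is Domain Local, so fail
    #    early with a clear message instead of an LDAP constraint error later.
    $lookup = @{ Identity = $GroupName; Properties = 'member' }
    if ($Server) { $lookup.Server = $Server }
    $adGroup = Get-ADGroup @lookup
    if ($adGroup.GroupScope -ne 'DomainLocal') {
        throw "Group '$GroupName' has scope $($adGroup.GroupScope); cross-forest members require DomainLocal."
    }

    # 3. Idempotency: a cross-forest member is stored as the DN of a
    #    foreignSecurityPrincipal object whose CN is the SID string, so an
    #    existing membership shows up as that DN in the member attribute.
    $fspPattern = "CN=$sid,CN=ForeignSecurityPrincipals,*"
    if ($adGroup.member -like $fspPattern) {
        Write-Verbose "$MemberDomain\$MemberName ($sid) is already a member of $GroupName."
        return
    }

    # Honour -WhatIf / -Confirm before writing to the directory.
    if (-not $PSCmdlet.ShouldProcess($adGroup.DistinguishedName, "Add member <SID=$sid>")) { return }

    # 4. Bind with ADSI and add the member by SID (the trick from the post).
    #    The DC creates the foreignSecurityPrincipal object on commit.
    $ldapPath = if ($Server) { "LDAP://$Server/$($adGroup.DistinguishedName)" }
                else         { "LDAP://$($adGroup.DistinguishedName)" }
    $group = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
    try {
        [void]$group.Properties['member'].Add("<SID=$sid>")
        $group.CommitChanges()
    } finally {
        $group.Close()
    }

    # 5. Read the group back from the same DC and confirm the membership landed.
    $after = Get-ADGroup @lookup
    if (-not ($after.member -like $fspPattern)) {
        throw "Commit succeeded but $sid is not listed as a member of $GroupName; check replication and the trust."
    }
    Write-Verbose "Added $MemberDomain\$MemberName ($sid) to $GroupName."
}

# Usage (placeholders as in the post): dry run first, then the real change.
# Add-ForeignGroupMember -MemberDomain 'DOM1' -MemberName 'username' -GroupName 'groupname' -Verbose -WhatIf
# Add-ForeignGroupMember -MemberDomain 'DOM1' -MemberName 'username' -GroupName 'groupname' -Verbose
```

Passing -Server for both the Get-ADGroup lookup and the LDAP bind keeps the read-back check on the same domain controller as the write, so a successful verification is not undone by replication lag to another DC. The Domain Local check applies to members from a different forest; within a single forest a Universal group could hold the member as well, and in that case AD stores the member's real DN rather than a foreignSecurityPrincipal, so the idempotency pattern above would not match.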

Posted 18:25