Cross-Domain Group Membership Addition / Copy

If you need to copy the members of a security group in one domain into a group in another domain, this script lets you do so quickly.

Define the groups and domains at the top of the script, and edit the hard-coded server names inside the function to match your own domains. This script was needed because of a known bug with the Get-ADGroupMember cmdlet, which produces the error “A Referral was returned from the server” when you try to add members to groups with different domain identifiers.

# Source (origin) and target domains. Each group lookup is pinned with -Server to the
# domain that holds that group. NOTE(review): the identity strings below look like domain
# root DNs rather than group DNs — they appear to be placeholders; replace them with the
# DN (or name/SID) of the actual source and target groups before running.
$DomainOrigin = "child.domain.com"
$DomainTarget = "domain.com"

$Group1 = Get-ADGroup -Identity 'DC=child,DC=domain,DC=com' -Server $DomainOrigin
$Group2 = Get-ADGroup -Identity 'DC=domain,DC=com' -Server $DomainTarget

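Function Get-ADGroupMemberFix {
    <#
    .SYNOPSIS
    Resolves the members of a group whose members live in several domains.

    .DESCRIPTION
    Get-ADGroupMember fails with "A Referral was returned from the server" when a group
    holds foreign-domain members, so this reads the group's raw 'Member' attribute and
    resolves each member DN with Get-ADObject against the server that owns that DN suffix.

    .PARAMETER identity
    One or more group identities accepted by Get-ADGroup. Accepts pipeline input
    (by value or by property name).

    .PARAMETER Server
    Server or domain the group itself is read from. Defaults to child.domain.com, the
    value that was previously hard-coded, so existing callers are unaffected.

    .OUTPUTS
    The ADObject returned by Get-ADObject for every member whose DN suffix is known.

    .NOTES
    Members whose DN does not end in one of the known suffixes are not returned. A warning
    is written for each such member so that an incomplete copy is visible to the operator.
    #>
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $identity,

        [Parameter()]
        [string]
        $Server = 'child.domain.com'
    )
    Process {
        ForEach ($groupIdentity in $identity) {
            # Read the raw Member attribute instead of calling Get-ADGroupMember;
            # the latter is what triggers the referral error for cross-domain members.
            $group = $null
            $group = Get-ADGroup -Server $Server -Identity $groupIdentity -Properties Member
            If (-not $group) {
                Write-Warning "Group '$groupIdentity' could not be read from '$Server'; skipping it."
                continue
            }
            ForEach ($member in $group.Member) {
                # Each DN suffix is resolved against the server for that domain/OU.
                If ($member -like "*OU=AD Management,DC=domain,DC=com") {
                    Get-ADObject -Identity $member -Server domain.com
                } elseIf ($member -like "*DC=child,DC=domain,DC=com") {
                    Get-ADObject -Identity $member -Server child.domain.com
                } elseif ($member -like "*DC=child2,DC=domain,DC=com") {
                    Get-ADObject -Identity $member -Server child2.domain.com
                } else {
                    # Previously such members were dropped silently, which made the
                    # resulting group copy incomplete without any trace.
                    Write-Warning "No server mapping for member '$member'; it will not be returned."
                }
            }
        }
    }
}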

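# Resolve the source group's members across domains; see Get-ADGroupMemberFix for why
# Get-ADGroupMember is not used here.
$srcMembers = Get-ADGroupMemberFix $Group1
#$destMembers = Get-ADGroupMember $Group2

ForEach ($member in $srcMembers) {
    # A member object without a DN cannot be added and would produce a confusing error.
    If (-not $member.DistinguishedName) {
        Write-Warning "Skipping a member with no DistinguishedName."
        continue
    }
    # Emit the name so progress is visible between the -Confirm prompts.
    $member.Name
    try {
        # -Confirm is deliberate: each write to the target group's member attribute is a
        # privileged change and is acknowledged individually by the operator.
        Set-ADObject -Server $DomainTarget -Identity $Group2 -Add @{member = $member.DistinguishedName} -Confirm -ErrorAction Stop
    } catch {
        # One failed addition (for instance a member that is already present) should not
        # abort the remaining members; report it and carry on.
        Write-Warning "Could not add '$($member.DistinguishedName)' to '$Group2': $($_.Exception.Message)"
    }
}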
