Adding users and groups in one Active Directory forest from another

Without going into too much details on the why and how, I found myself recently in a situation where I had to add some admin groups from an administration forest into a production forest.  We could do this manually but this customer is in a situation where they will be creating more forests, so everything that would help them automate things is better.

Making this happen had me do things in PowerShell that really exemplifies what one can do in an object-oriented scripting language.

Adding groups from a different forest in a local group, with PowerShell {#adding-groups-from-a-different-forest-in-a-local-group-with-powershell}

First of all, you can’t just refer to the distinguished name of the group and authenticate. That is a weird thing to wrap your head around. So, what you have to do is make a variable that refers to the distinguished name of the group through the domain controller of the management forest. Example:

$splat = @{
    identity = "CN=SG-MGMT-ADUserAdmin,OU=Security Groups,DC=mgmt,DC=forest,DC=local"
    server = "dc1.mgmt.forest.local"

$globalUserAdmin = Get-AdGroup @splat

Now, this variable can be used to add the universal group to a local group.

$cred = (Get-Credential)
Add-AdGroupMember "SG-production-ADUserAdmin" -Members $globalUserAdmin -Credential $Cred

Like I previously mentioned, you can’t just refer to the distinguished name of a group in a different forest without giving context to the other forest. What we do here is to have a variable that refers to an object through a domain controller in one forest and then use that variable in a cmdlet that refers to the local Active Directory.

This one of the better examples on how to work with PowerShell objects, just the fact that one can get a object completely out of context of the scenario you need it in. One can learn a lot about PowerShell, just by this one example.

Show Comments