In Powershell, Add users to Groups is a piece of cake whether you use Quest Commandlets or the new Active Directory Modules.
If your group name is “ACCOUNTING” and you’re adding in “GEDDY.LEE” the command would be (under Quest)
ADD-QADGROUPMEMBER ACCOUNTING GEDDY.LEE
Now this is all fine and dandy (except for Mr. Lee who probably should have been in the Group “RUSH” instead, but I was feeling silly) but if you try to add a user from a Trusted domain into the group, it’s a different story!
Let’s say we have two domains. One is called ROCK and the other is called ROLL and you have a DomainLocal Security Group called “BassPlayers” you normally can add Users from a Domain called ROLL into the DomainLocal Group in ROCK under Active Directory users and Computers. That part we all know.
But under Powershell it was a bit confusing. At least at first! Simply because I busy “Assuming” things.
So doing THIS to add NEIL.YOUNG from the ROLL domain
ADD-QADGROUPMEMBER BassPlayers ROLL\Neil.Young
Produces a complete fail with an error like this.
Add-QADGroupMember : Cannot resolve directory object for the given identity: ‘ROLL\neil.young’.
At line:1 char:19
+ add-qadgroupmember <<<< BassPlayers HO\neil.young
+ CategoryInfo : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
+ FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.Acti
So a Face Palm ! *KLUNK*
How to figure this out? Actually very easy 🙂
Do it the “Hard way” to get some examples. So I added a user in the Domain ROCK and the Domain ROLL into the BassPlayers DomainLocal group in my environment. Then run a GET-QADUSER on the group to get some details.
Name Type DN
—- —- —
Geddy.Lee user CN=weenie,CN=Users,DC=techdays,DC=contoso,DC=com
ROLL\NeilYoung foreignSecur… CN=S-1-5-21-2481523833-734975305-574286769-1118,CN=ForeignSecurityPri…
So we can see that members of the Foreign Domain are stamped different in the Domain Local Group. Well DUH! Of course they are! It’s Different Domain! There has to be SOME easy way of saying “Hey whoa! This user’s not from our LOCAL security area!”
So KNOWING this in Advance means if we want to add users from a Foreign (BUT TRUSTED) domain to a DomainLocal Group we need to have a little bit of extra information FIRST.
Obviously, we need to know the TYPE of user. A SELECT-OBJECT on the TYPE will show us more details and of course in greater depth
Name : ROLL\Neil.Young
Type : foreignSecurityPrincipal
DN : CN=S-1-5-21-2481523833-734975305-574286769-1118,CN=ForeignSecurityPrincipals,DC=ROCK,DC=com
But the DN. Aye there’s the RUB. The DN is UNIQUE to each user because of the SID. So how do we pull THAT out?
Connect to the foreign domain and ASK! Because you have a Trust (this article is about Domains with a Trust remember 😉 )
GET-QADUSER Username –Service NameOrIPofForeigndomainController | select-object SID
GET-QADUSER Neil.Young –Service ‘10.0.0.90’ | SELECT-OBJECT –SID
Will yield his SID which happens to be
So (Gasp, pant, ack ack!) HOW DO WE USE THIS?!?!?!
Let’s think. We have the name. We can ask somebody information about the name and get the SID. We know the details about the other domain.
Let’s let POWERSHELL do ALL the Work… cuz we’re LAZ…… I mean EFFICIENT!
$DETAILS=GET-QADUSER Neil.Young –service ‘10.0.0.90’;
But here’s the really tricky bit! We have to put all those pieces together! And THAT will be another story for AFTER the weekend 🙂
The Energized Tech