Modifying cross forest members of Active Directory groups

March 11, 2019

Adding users to groups within the same domain using PowerShell is quite simple: there is a cmdlet, Add-ADGroupMember (and removing them is just as easy!). But how do we accomplish this when one domain contains the groups and has a one-way trust with a domain in another forest that contains the users?

This is a rhetorical question 😉 Assuming we are running from the domain that contains the groups, the remote (account) domain first needs to be mapped as a PSDrive using the ActiveDirectory provider, authenticating with a credential from that domain. Once that is done we can look up the user in the remote domain and pass the resulting user object to Add-ADGroupMember to add it to the local group.

Removing users is nearly as straightforward, though I only had success using Remove-ADPrincipalGroupMembership to remove the remote user.

We will need to know:

  • The name of the remote domain.
  • A credential for the remote domain.
  • The name of the group.
  • The sAMAccountName of each user to add or remove.

I’ve written a script below, which can add users to and remove users from a group in a single call. There is no need to specify the domain controller for the remote user domain as this can be discovered (I’m assuming your DNS is configured correctly and healthy!). However, this has not been tested:

  • In a two-way trust.
  • Running in the user domain/forest.

The script doesn’t take into account whether the user is already a member of the group. The way to do this is to retrieve the group’s “member” attribute and compare SIDs rather than names or distinguished names: a member from another forest is stored in the local domain as a foreignSecurityPrincipal object whose objectSid is the remote user’s SID, so the remote user’s SID is the value to check against.
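The complete flow described above, including the SID-based membership check the post says its script lacks, as an added example written for this page. It is not the author’s Set-ADGroupTrustedForestMembership.ps1; the script name, domain, group and account names are placeholders, and it uses only parameters the ActiveDirectory module documents for each cmdlet. Like the post, it assumes it is run from the resource (group) domain against a one-way trust and that the account domain can be located through DNS.

```powershell
<#
Added example (not the post's Set-ADGroupTrustedForestMembership.ps1).
Run from a machine joined to the resource (group) domain, as a user allowed
to modify the group. All domain, group and account names are placeholders.

Usage (assumed names):
  .\Set-CrossForestGroupMembership.ps1 -RemoteDomain accounts.example.net `
      -RemoteCredential (Get-Credential 'ACCOUNTS\svc-grouplookup') `
      -GroupName 'Resource-File-Admins' -Add 'alice','bob' -Remove 'carol' -Verbose
#>
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]       $RemoteDomain,      # DNS name of the trusted account domain
    [Parameter(Mandatory)] [pscredential] $RemoteCredential,  # credential valid in the account domain
    [Parameter(Mandatory)] [string]       $GroupName,         # group in the local resource domain
    [string[]] $Add    = @(),                                 # sAMAccountNames to add
    [string[]] $Remove = @()                                  # sAMAccountNames to remove
)

Import-Module ActiveDirectory

# Let the DC locator find a writable DC in the account domain through DNS instead of
# hard-coding one. This is the step that depends on healthy DNS / conditional forwarders.
$remoteDc = Get-ADDomainController -DomainName $RemoteDomain -Discover -Writable |
            Select-Object -ExpandProperty HostName | Select-Object -First 1
Write-Verbose "Using remote DC $remoteDc for $RemoteDomain"

# Map the account domain as a PSDrive, the approach the post describes. Binding the drive
# also confirms the remote credential works before any change is attempted.
if (-not (Get-PSDrive -Name RemoteAD -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Root '' `
                -Server $remoteDc -Credential $RemoteCredential -Scope Script | Out-Null
}

# The group lives in the local domain; pull its raw 'member' attribute (a list of DNs).
$group = Get-ADGroup -Identity $GroupName -Properties member

# Cross-forest members are not stored as the remote user's DN but as a
# foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals in the local domain,
# whose objectSid equals the remote user's SID. Existing membership is therefore checked by SID.
$memberSids = @(foreach ($dn in $group.member) {
    try {
        (Get-ADObject -Identity $dn -Properties objectSid -ErrorAction Stop).objectSid.Value
    } catch {
        Write-Warning "Could not resolve member '$dn' locally; it is excluded from the SID check."
    }
})

function Get-RemoteUser {
    param([string] $SamAccountName)
    # Query the account domain directly with the remote credential; the returned ADUser
    # object carries the SID that the local DC needs in order to create the FSP.
    Get-ADUser -Identity $SamAccountName -Server $remoteDc -Credential $RemoteCredential
}

foreach ($sam in $Add) {
    $user = Get-RemoteUser $sam
    if ($memberSids -contains $user.SID.Value) {
        Write-Verbose "$sam ($($user.SID)) is already a member of $GroupName; skipping"
        continue
    }
    # Pass the remote ADUser object (not a name) so Add-ADGroupMember adds it by SID.
    Add-ADGroupMember -Identity $group -Members $user
    Write-Verbose "Added $sam to $GroupName"
}

foreach ($sam in $Remove) {
    $user = Get-RemoteUser $sam
    if ($memberSids -notcontains $user.SID.Value) {
        Write-Verbose "$sam is not a member of $GroupName; nothing to remove"
        continue
    }
    # The post reports success only with Remove-ADPrincipalGroupMembership for the remote
    # user, so removal is done principal-side rather than with Remove-ADGroupMember.
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Confirm:$false
    Write-Verbose "Removed $sam from $GroupName"
}
```

The membership check resolves each DN in the group’s member attribute to its objectSid, so it catches remote users already present as foreignSecurityPrincipal objects as well as local members; a member DN that cannot be resolved locally is reported and skipped rather than aborting the run. Whether Remove-ADPrincipalGroupMembership needs additional -Server or -Credential arguments in a particular trust configuration is not covered by the post, so the call above uses only the identity and group objects.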

As usual, let me know if this is useful or if you have any other corrections or comments. I’ve put this into a simple script located here as “Set-ADGroupTrustedForestMembership.ps1”.