
Powershell Adding users within groups to cross forest groups


This script works without error now, but the problem is that when several groups in the searchbase are found, the script will add all users from all groups to the cross forest target groups.

So for example:

ForestAGroup1 = contains 2 users

ForestAGroup2 = contains 2 users

::runs script::

now...

ForestBGroup1 = contains 4 users

ForestBGroup2 = contains 4 users

The ForestBGroup1/2 needs to contain the same identical users as ForestAGroup1/2.

Here is the script for reference:

    $creds = Get-Credential
    $Groups = Get-ADGroup -Properties * -Filter * -SearchBase "OU=TEST,OU=Shop Print Groups,OU=User,OU=domain Groups,DC=domainA,DC=com" | export-csv c:\temp\test.csv
    $Groups = Get-ADGroup -Properties * -Filter * -SearchBase "OU=TEST,OU=Shop Print Groups,OU=User,OU=domain Groups,DC=domainA,DC=com"
    Foreach($G In $Groups)
    {
        #Display group members and group name
        Write-Host $G.Name
        Write-Host "-------------"
        $G.Members

        #Add members to domainB group
        $domainGMembers = import-csv C:\temp\test.csv | ForEach-Object -Process {Get-ADGroupMember -Identity $_.CN} | Select-Object samaccountname | export-csv c:\temp\gmembers.csv

        $domainDNUser = import-csv C:\temp\gmembers.csv | ForEach-Object -Process {Get-ADUser $_.samaccountname -Server "domainA.com" -properties:Distinguishedname}

        import-csv C:\temp\gmembers.csv | ForEach-Object -Process {Add-ADGroupMember -Server "domainB.com" -Identity $G.Name -Members $domainDNUser -Credential $creds -Verbose}

    }

Solution

  • What are you doing?

    • You export to csv, but still try to save it to a variable
    • You search twice
    • You add all members from ALL groups in TEST-OU to every group in domainB
    • You waste time on saving and reading data that you already have in memory
    • You search for the user-object to get SamAccountName when you already have something ten times better, the DN. Then you use that SamAccountName to find the DN.

    Try this (untested):

    $creds = Get-Credential
    # Only the Members attribute is needed; it is not returned unless requested
    $Groups = Get-ADGroup -Properties Members -Filter * -SearchBase "OU=TEST,OU=Shop Print Groups,OU=User,OU=domain Groups,DC=domainA,DC=com"
    Foreach($G In $Groups)
    {
        #Display group members and group name
        Write-Host $G.Name
        Write-Host "-------------"
        $G.Members

        #Add members to domainB group: resolve this group's member DNs in domainA,
        #then add them one at a time to the same-named group in domainB
        $G.Members |
        Get-ADUser -Server "domainA.com" |
        ForEach-Object { Add-ADGroupMember -Server "domainB.com" -Identity $G.Name -Members $_ -Credential $creds -Verbose }
    }

    I used a foreach-loop to run the Add-ADGroupMember because it usually fails in the middle of a group of members if it finds one that already is a member, but if we add them one at a time you get around that (or you could do a search and exclude those already in the group).

    You may want to add -ErrorAction SilentlyContinue to Add-ADGroupMember to ignore those errors when you know the script works as it should.
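The per-group sync the answer describes, with the "exclude those already in the group" check done up front instead of relying on swallowed errors. This is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module, that a group with the same Name exists in domainB for every group found in the domainA OU, that cross-forest members of the domainB group show up as foreign security principals (whose CN is the member's SID string), and that `$creds` is an account permitted to modify only those domainB groups. Server names and the OU path are the page's placeholders; `Sync-CrossForestGroup` is a hypothetical function name.

```powershell
# Added example: scoped, idempotent cross-forest group sync with a dry-run switch.
Import-Module ActiveDirectory

$SourceServer = 'domainA.com'
$TargetServer = 'domainB.com'
$SearchBase   = 'OU=TEST,OU=Shop Print Groups,OU=User,OU=domain Groups,DC=domainA,DC=com'
$creds        = Get-Credential -Message 'Account permitted to modify the domainB groups'

function Sync-CrossForestGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $SourceGroup)   # one ADGroup object from domainA

    # Resolve only THIS group's member DNs to user objects (SID is returned by default).
    $sourceUsers = @($SourceGroup.Members | Get-ADUser -Server $SourceServer -ErrorAction Stop)

    # Current members of the same-named group in domainB. Cross-forest members are
    # foreign security principals named by SID, so the diff is done on SID strings.
    $target = Get-ADGroup -Server $TargetServer -Identity $SourceGroup.Name `
                          -Properties Members -Credential $creds -ErrorAction Stop
    $existingSids = @($target.Members | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })

    foreach ($user in $sourceUsers) {
        if ($existingSids -contains $user.SID.Value) {
            Write-Verbose "$($user.SamAccountName) is already in $($target.Name); skipping"
            continue
        }
        # ShouldProcess honours -WhatIf / -Confirm, so the change set can be reviewed first.
        if ($PSCmdlet.ShouldProcess("$($target.Name) on $TargetServer", "Add $($user.SamAccountName)")) {
            Add-ADGroupMember -Server $TargetServer -Identity $target -Members $user -Credential $creds
        }
    }
}

# One call per source group keeps each domainB group scoped to its own domainA group.
Get-ADGroup -Server $SourceServer -Filter * -SearchBase $SearchBase -Properties Members |
    ForEach-Object { Sync-CrossForestGroup -SourceGroup $_ -Verbose -WhatIf }
```

Run it with `-WhatIf` first to see exactly which users would be added to which group, then drop the switch to apply the changes.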