Powershell – Adding Users to DomainLocal Groups when using Trusted Domains – Part 1


In PowerShell, adding users to groups is a piece of cake, whether you use the Quest cmdlets or the new Active Directory module.

 

If your group name is “ACCOUNTING” and you’re adding in “GEDDY.LEE”, the command would be (under Quest):

 

ADD-QADGROUPMEMBER ACCOUNTING GEDDY.LEE

 

Now this is all fine and dandy (except for Mr. Lee who probably should have been in the Group “RUSH” instead, but I was feeling silly) but if you try to add a user from a Trusted domain into the group, it’s a different story!

Let’s say we have two domains.  One is called ROCK and the other is called ROLL, and in ROCK you have a DomainLocal security group called “BassPlayers”.  You can normally add users from the ROLL domain into that DomainLocal group in ROCK using Active Directory Users and Computers.  That part we all know.

But under PowerShell it was a bit confusing.  At least at first!  Simply because I was busy “assuming” things.

 

So doing THIS to add NEIL.YOUNG from the ROLL domain, in the usual DOMAIN\User form:

ADD-QADGROUPMEMBER BassPlayers ROLL\Neil.Young

 

Produces a complete fail with an error like this:

Add-QADGroupMember : Cannot resolve directory object for the given identity: ‘ROLL\neil.young’.
At line:1 char:19
+ add-qadgroupmember <<<<  BassPlayers ROLL\neil.young
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.ActiveRoles.ArsPowerShellSnapIn.Cmdlets.AddGroupMemberCmdlet2

 

So a Face Palm ! *KLUNK*

How to figure this out?  Actually very easy 🙂

Do it the “hard way” first to get some examples.  So I added one user from the ROCK domain and one from the ROLL domain into the BassPlayers DomainLocal group through the GUI in my environment.  Then run a GET-QADGROUPMEMBER on the group to get some details.

 

GET-QADGROUPMEMBER BassPlayers

 

Name                           Type                 DN
----                           ----                 --
Geddy.Lee                      user                 CN=weenie,CN=Users,DC=techdays,DC=contoso,DC=com
ROLL\Neil.Young                foreignSecur…        CN=S-1-5-21-2481523833-734975305-574286769-1118,CN=ForeignSecurityPri…

So we can see that members from the foreign domain are stamped differently in the DomainLocal group.  Well DUH!  Of course they are!  It’s a different domain!  There has to be SOME easy way of saying “Hey whoa!  This user’s not from our LOCAL security area!”  And that is exactly what the foreignSecurityPrincipal object is: a placeholder in ROCK that stands in for a principal from another domain.

So KNOWING this in advance means that if we want to add users from a foreign (BUT TRUSTED) domain to a DomainLocal group, we need a little bit of extra information FIRST.

Obviously, we need to know the TYPE of the member.  Picking out just the foreign member and viewing it as a list shows us the full details:

Name : ROLL\Neil.Young
Type : foreignSecurityPrincipal
DN   : CN=S-1-5-21-2481523833-734975305-574286769-1118,CN=ForeignSecurityPrincipals,DC=ROCK,DC=com

 

But the DN.  Aye, there’s the RUB.  The DN is UNIQUE to each user because its CN is the user’s SID from the ROLL domain, and the object lives in the CN=ForeignSecurityPrincipals container of ROCK.  So how do we pull THAT SID out?

Connect to the foreign domain and ASK!  You can, because you have a trust (this article is about domains with a trust, remember 😉 ).  Quest’s -Service parameter lets you point the cmdlet at a domain controller in the other domain:

 

GET-QADUSER Username -Service NameOrIPofForeignDomainController | SELECT-OBJECT SID

Like

GET-QADUSER Neil.Young -Service ‘10.0.0.90’ | SELECT-OBJECT SID

 

Will yield his SID, which happens to be

S-1-5-21-2481523833-734975305-574286769-1118

Compare that with the DN of the foreignSecurityPrincipal above: the SID is the CN of that object.  That is the link between the two domains.

 

So (Gasp, pant, ack ack!) HOW DO WE USE THIS?!?!?!

 

Let’s think.  We have the name.  We can ask a domain controller in the other domain about that name and get the SID back.  We know the details about the other domain.

Let’s let POWERSHELL do ALL the Work… cuz we’re LAZ…… I mean EFFICIENT!

 

$DETAILS=GET-QADUSER Neil.Young -Service ‘10.0.0.90’
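Here is an added example (mine, not Sean’s code from the post) that puts the two facts above to work: the SID is the CN of each foreignSecurityPrincipal in the group, and a domain controller in the trusted domain will tell you whose SID it is.  It reports every member of a DomainLocal group, resolves the foreign placeholders back to real ROLL accounts, and checks whether a given ROLL user is already in the group by SID, which is the check you want before adding anyone.  It assumes the Quest ActiveRoles snap-in is installed, the trust is in place, the account running it can read the ROLL domain, and that 10.0.0.90 (the post’s placeholder) is a ROLL domain controller; the function names are my own.

```powershell
# Added example, not from the original post.  Assumes the Quest ActiveRoles snap-in,
# a working trust between ROCK and ROLL, and a reachable ROLL domain controller.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

function Get-ForeignSidFromDn {
    # A foreignSecurityPrincipal is named by the SID it stands in for:
    #   CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=ROCK,DC=com
    param([string]$Dn)
    if ($Dn -match '^CN=(S-1-5-[\d-]+),') { return $Matches[1] }
    return $null
}

function Get-DomainLocalGroupReport {
    # Lists each member of the group; foreign placeholders are resolved by asking
    # the trusted domain's DC about the SID, exactly as the post does with -Service.
    param(
        [Parameter(Mandatory=$true)][string]$Group,      # e.g. 'BassPlayers'
        [Parameter(Mandatory=$true)][string]$TrustedDc   # e.g. '10.0.0.90'
    )
    Get-QADGroupMember -Identity $Group | ForEach-Object {
        $member = $_
        if ($member.Type -eq 'foreignSecurityPrincipal') {
            $sid = Get-ForeignSidFromDn $member.DN
            $foreign = $null
            if ($sid) {
                # Quest identity parameters accept a SID string; a stale SID (deleted
                # account in ROLL) simply comes back as nothing, which is worth knowing.
                $foreign = Get-QADUser -Identity $sid -Service $TrustedDc -ErrorAction SilentlyContinue
            }
            New-Object PSObject -Property @{
                Group    = $Group
                Member   = $(if ($foreign) { $foreign.NTAccountName } else { $member.Name })
                Type     = $member.Type
                SID      = $sid
                Resolved = [bool]$foreign
            }
        } else {
            New-Object PSObject -Property @{
                Group    = $Group
                Member   = $member.NTAccountName
                Type     = $member.Type
                SID      = "$($member.SID)"
                Resolved = $true
            }
        }
    }
}

function Test-IsForeignMember {
    # Is this ROLL user already in the ROCK group?  Compare the SID the trusted DC
    # reports with the SIDs embedded in the group's foreignSecurityPrincipal DNs.
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$TrustedDc
    )
    $user = Get-QADUser -Identity $SamAccountName -Service $TrustedDc
    if (-not $user) { throw "$SamAccountName was not found on $TrustedDc" }
    $userSid = "$($user.SID)"
    $hit = Get-QADGroupMember -Identity $Group |
        Where-Object { $_.Type -eq 'foreignSecurityPrincipal' } |
        ForEach-Object { Get-ForeignSidFromDn $_.DN } |
        Where-Object { $_ -eq $userSid }
    return [bool]$hit
}

# Usage with the post's names:
Get-DomainLocalGroupReport -Group 'BassPlayers' -TrustedDc '10.0.0.90' |
    Format-Table Group, Member, Type, SID, Resolved -AutoSize
Test-IsForeignMember -Group 'BassPlayers' -SamAccountName 'Neil.Young' -TrustedDc '10.0.0.90'
```

The report is also a handy access review: a foreignSecurityPrincipal whose SID no longer resolves in the trusted domain is an orphaned entry (the ROLL account was deleted but the placeholder in ROCK remains), and those are worth cleaning out of DomainLocal groups.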

 

But here’s the really tricky bit!  We have to put all those pieces together!  And THAT will be another story for AFTER the weekend 🙂

 

Sean
The Energized Tech
