EmployeeID to Universal Security Group-multiple domains

I am trying to get a universal security group populated from a list of employeeIDs from a csv that contains both Parent and Child domain employeeIDs. It will populate the universal group if I do not specify a -server for the Get-ADUser (although it will only populate the parent domain members), so as you can see I tried using the Global Catalog server to catch both the Parent and Child domain members but I don’t think this works because I don’t think employeeID is an attribute in GC.
How can I get this code to populate the security group with both parent and child domain user accounts coming from a list of employeeID attributes? Any assistance would be greatly appreciated:

$gc=[system.directoryservices.activedirectory.forest]::GetCurrentForest().Name+':3268'
$users = ForEach($id in ( Get-Content -Path '\\server\folder\employeeIDs.csv')) {
    $user = Get-ADUser -Server $gc -Filter {employeeID -eq $id}
    If(-not $user) {
        $id | Out-File -FilePath c:\notfound.log
    }
    $user
}

Add-ADGroupMember -Identity Ent-Supervisors -Members ($users | Select-Object -ExpandProperty SamAccountName)

Powershell error received is:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\Users\st.powershell\Documents\Scripts\ent-supervisors.ps1:17 char:54
+ ... sors -Members ($users | Select-Object -ExpandProperty SamAccountName)
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
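The suspicion that employeeID is not available on the Global Catalog can be checked directly. The following is an added example, not code from the thread: it reads the attribute's schema definition and reports whether it is flagged for the partial attribute set that port 3268 serves. The 'childdomain' server name and the placeholder employeeID are assumptions.

```powershell
Import-Module ActiveDirectory

function Test-GcReplicatedAttribute {
    param(
        # Restrict to a valid LDAP display name so the value cannot alter the LDAP filter
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$LdapDisplayName
    )
    # The schema is forest-wide; every attribute definition lives under the schema NC
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $def = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $def) { throw "No schema attribute named '$LdapDisplayName'" }
    # Only attributes flagged here are copied to the partial replicas a GC answers on 3268;
    # an absent flag reads as $null, which [bool] turns into False
    [bool]$def.isMemberOfPartialAttributeSet
}

# In a default schema employeeID is not in the partial attribute set while
# sAMAccountName is, which is why a GC query filtered on employeeID finds nobody.
Test-GcReplicatedAttribute -LdapDisplayName 'employeeID'
Test-GcReplicatedAttribute -LdapDisplayName 'sAMAccountName'

# Side-by-side check for one known child-domain account: the domain DC query
# should return the user while the same filter against the GC returns nothing.
$gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name + ':3268'
$id = 'PLACEHOLDER-EMPLOYEEID'   # assumed: replace with an employeeID you know exists
@(Get-ADUser -Server 'childdomain' -Filter {employeeID -eq $id}).Count
@(Get-ADUser -Server $gc -Filter {employeeID -eq $id}).Count
```

If the first call returns True in your forest, someone has added employeeID to the partial attribute set and the GC query in the original script should work.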

It says that the variable $users is empty. Did you check if it's empty or not? It will be better to print some info. And you should be appending to the file when in iteration, else every time it will get overwritten.

"" | Out-File -FilePath c:\notfound.log
$gc=[system.directoryservices.activedirectory.forest]::GetCurrentForest().Name+':3268'
$users = ForEach($id in ( Get-Content -Path '\\server\folder\employeeIDs.csv')) {
    Write-Host "Getting User with Id=$Id from $gc"
    $user = Get-ADUser -Server $gc -Filter {employeeID -eq $id} 
        If(-not $user) {
        $id | Out-File -FilePath c:\notfound.log -Append
    }
  else{
     Write-Host "Found user=$User"
     $user
   } 
}

Add-ADGroupMember -Identity Ent-Supervisors -Members ($users | Select-Object -ExpandProperty SamAccountName)

It is empty, that is the problem. If I remove line 2:
"$gc=[system.directoryservices.activedirectory.forest]::GetCurrentForest().Name+':3268'"

and also remove "-Server $gc" from line 5 it will populate with the parent domain user accounts into $users fine, just not the child domain users.

What's in $gc getting printed?

You can better try executing the command in console for a single user targeting the child domain and see the output.

Thanks for the reply. $GC is returning “parentdomain:3268”. I made the csv only contain child domain user accounts for testing purposes, as at this point I would just be happy to get child domain members added to the parent domain universal security group. With this code, using a child domain controller for the Get-ADUser, it finds all the child domain user accounts fine:

"" | Out-File -FilePath c:\notfound.log
 $users = ForEach($id in ( Get-Content -Path 'Get-Content -Path '\\server\folder\employeeIDs.csv')) {
      $user = Get-ADUser -Server "childdomain" -Filter {employeeID -eq $id}
        If(-not $user) {
        $id | Out-File -FilePath c:\notfound.log -Append
    }
  else{
     Write-Host "Found user=$User"
     $user
   } 
}

Add-ADGroupmember -Identity Ent-Supervisors -Members ($users | Select-Object -ExpandProperty SamAccountName)

But then I get:

Add-ADGroupmember : Cannot find an object with identity: 'ChildDomain samaccountname' under: 'parentdomain'.
At C:\Users\st.powershell\Documents\Scripts\ent-supervisors-testing.ps1:21 char:1
+ Add-ADGroupmember -Identity Ent-Supervisors - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ChildDomain samaccountname:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.

If I put in -Server "childdomain" in the Add-ADGroupmember line, I then get:

Add-ADGroupmember : Cannot find an object with identity: 'Ent-Supervisors' under:
'childdomain'.
At C:\Users\st.powershell\Documents\Scripts\ent-supervisors-testing.ps1:21 char:1
+ Add-ADGroupmember -Identity Ent-Supervisors -Server "childdomain. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Ent-Supervisors:ADGroup) [Add-ADGroupMember], ADIdentityNotFoundExcepti
   on
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
   icrosoft.ActiveDirectory.Management.Commands.AddADGroupMember

I have verified that the user account I am using is able to manually add/remove child domain user accounts from the parent domain security group, so it is definitely something with the script I don’t have right. Thanks.

You might save yourself some headaches if you just add each user as you find them in your foreach loop.
As well, I find it much easier to use try/catch for error handling rather than just an if check on $user contents; that can cause issues elsewhere.

You still need to solve for getting the user objects from the child domains. The lazy way I'd take for expediency is just putting all of the domains you need to check for users against, and running the same script/input file against each domain.

ForEach ($id in (Get-Content -Path '\\server\folder\employeeIDs.csv')) {
    try {
        $user = Get-ADUser -Server "childdomain" -Filter {employeeID -eq $id} -ErrorAction Stop
        # -Filter returns nothing rather than throwing when there is no match,
        # so raise explicitly to reach the outer catch and notfound.log
        if (-not $user) { throw "No user with employeeID $id" }
        try {
            Add-ADGroupmember -Identity Ent-Supervisors -Members $user -ErrorAction Stop
        }
        catch {
            $id | Out-File -FilePath c:\notadded.log -Append
        }
    }
    catch {
        $id | Out-File -FilePath c:\notfound.log -Append
    }
}

Try this.

$Group = Get-ADGroup Ent-Supervisors
Foreach($User in $users){
    # Writing the DN straight into the group's member attribute bypasses the
    # member lookup that Add-ADGroupMember performs against the group's own domain
    Set-ADObject $Group -Add @{member=$User.DistinguishedName}
}
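A forest-wide version of the approach that worked, added here as an example rather than code from the thread: it resolves each employeeID against every domain returned by Get-ADForest (the GC cannot be used because employeeID is not replicated to it by default), skips IDs that are already members, and writes the member DN with Set-ADObject as above. The group name, input file and log paths come from the thread; the duplicate-match handling, -ErrorAction Stop and the membership pre-check are assumptions.

```powershell
Import-Module ActiveDirectory

$csvPath = '\\server\folder\employeeIDs.csv'          # one employeeID per line, as in the thread
$group   = Get-ADGroup -Identity 'Ent-Supervisors' -Properties member
$domains = (Get-ADForest).Domains                      # parent and every child domain

function Find-UserByEmployeeId {
    param([string]$Id, [string[]]$Domains)
    foreach ($d in $Domains) {
        # -ErrorAction Stop so an unreachable domain surfaces as an exception;
        # a simple no-match returns nothing and is handled by the count checks
        $found = @(Get-ADUser -Server $d -Filter {employeeID -eq $Id} -ErrorAction Stop)
        if ($found.Count -eq 1) { return $found[0] }
        # employeeID is not guaranteed unique; refuse to guess which account was meant
        if ($found.Count -gt 1) { throw "employeeID '$Id' matches $($found.Count) accounts in $d" }
    }
    return $null
}

# Index current membership by DN so re-runs do not try to add a DN twice
$existing = @{}
foreach ($dn in $group.member) { $existing[$dn] = $true }

foreach ($id in (Get-Content -Path $csvPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    try {
        $user = Find-UserByEmployeeId -Id $id -Domains $domains
    }
    catch {
        "$id`t$($_.Exception.Message)" | Out-File -FilePath 'c:\notadded.log' -Append
        continue
    }
    if (-not $user) {
        $id | Out-File -FilePath 'c:\notfound.log' -Append
        continue
    }
    if ($existing.ContainsKey($user.DistinguishedName)) { continue }
    try {
        # Add the DN to the member attribute directly; this works for accounts from
        # other domains where Add-ADGroupMember reports "Cannot find an object"
        Set-ADObject -Identity $group -Add @{ member = $user.DistinguishedName }
        $existing[$user.DistinguishedName] = $true
    }
    catch {
        "$id`t$($_.Exception.Message)" | Out-File -FilePath 'c:\notadded.log' -Append
    }
}
```

Run it from an account that can write the group's member attribute in the parent domain and read user objects in each child domain; notadded.log records ambiguous IDs and write failures separately from IDs that simply do not exist.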

That worked! It was able to add the child domain members with the loop. Thanks a bunch kvprasoon and david; it may not seem that way but I actually learned quite a bit from your input on this, thanks again.