Copy AD members between domains

The organization got a parent and child domain. Both the domains contain criss-cross members and groups. Everything works when copying the members from one AD group to another in the same domain. But, an error appears when we want to copy AD members between domains. In this article, you will learn how to copy AD members between parent and child domain.

AD members in different domains

If you have a couple of members, you can search and select them in Active Directory Users and Computers (ADUC). But what if you have many members, let’s say a thousand? Or, what if you want to be precise with copying members?

Reading another group from a list and adding them to another group is not bulletproof. You can miss a member, and that’s not what you want. That’s when you want to use PowerShell.

In our example, we like to copy the users from the AD group:

• Source: SG_IT_A
• Target: SG_IT_B

The AD group members are in different domains:

• exoip.lan
• london.exoip.lan

Copy AD members to another group

Run the Get-AdGroupMember cmdlet to get the members in the source AD group.

PS C:\> Get-ADGroupMember -Identity "SG_IT_A" | Select-Object Name | Sort-Object Name

Name         
----         
Anne Thomson 
Brandon Clark
Jacob Turner 
Nico Hanssen 
SG_HR        

Get the target group and use the ForEach-Object cmdlet to add the members to the source AD group.

PS C:\> Get-ADGroupMember -Identity "SG_IT_A" | ForEach-Object {Add-ADGroupMember -Identity "SG_IT_B" -Members $_.distinguishedName}

After running the above command, the output shows the below error:

Add-ADGroupMember : A referral was returned from the server

Add-ADGroupMember : A referral was returned from the server
At line:1 char:57
+ ... ach-Object {Add-ADGroupMember -Identity "SG_IT_B" -Members $_.disting ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (SG_IT_B:ADGroup) [Add-ADGroupMember], ADReferralException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
 
Add-ADGroupMember : A referral was returned from the server
At line:1 char:57
+ ... ach-Object {Add-ADGroupMember -Identity "SG_IT_B" -Members $_.disting ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (SG_IT_B:ADGroup) [Add-ADGroupMember], ADReferralException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

Why do we get this error, and what is the solution to copy members between parent and child domain?

Copy members between parent and child domain

Run PowerShell ISE as administrator. Copy and run the below script on the parent domain.

$SourceServer = "exoip.lan"
$SourceGroup = Get-ADGroup "SG_IT_A" -Server $SourceServer
$DestinationServer = "exoip.lan"
$DestinationGroup = Get-ADGroup "SG_IT_B" -Server $DestinationServer

$SourceMembers = Get-ADGroupMember -Identity $SourceGroup

foreach ($Member in $SourceMembers) {
Set-ADObject -Identity $DestinationGroup -Add @{member=$Member.distinguishedName} -Server $DestinationServer
}

Verify that the AD members are copied to the group.

Suppose you want to copy the AD members from SG_IT_A in the parent domain to the group SG_IT_B in the child domain. The only adjustment you must make in the PS script is changing the $DestinationServer value.

$SourceServer = "exoip.lan"
$SourceGroup = Get-ADGroup "SG_IT_A" -Server $SourceServer
$DestinationServer = "london.exoip.lan"
$DestinationGroup = Get-ADGroup "SG_IT_B" -Server $DestinationServer

$SourceMembers = Get-ADGroupMember -Identity $SourceGroup

foreach ($Member in $SourceMembers) {
Set-ADObject -Identity $DestinationGroup -Add @{member=$Member.distinguishedName} -Server $DestinationServer
}

We did successfully copy AD members between domains.

Read more: Export AD group members with PowerShell »

Conclusion

You learned how to copy AD members between domains. In this case, it was between a parent and child domain. Use the PowerShell script and adjust the values so you can copy members between domains. PowerShell is excellent when you want to speed up your work and be precise.

Did you enjoy this article? You may also like Compare AD group members with PowerShell. Don’t forget to follow us and share this article.