PowerShell Set-ADGroup replace member multiple domains (FSP)

I am trying to set the membership of a group using Set-ADGroup with the -Replace parameter. I tried with

$adUsers = @()
$adUsers += Get-ADUser -Server domain1.corp.com -Identity user1
$adUsers += Get-ADUser -Server domain2.corp.com -Identity user2

$adUsers = $adUsers | select-object -expandproperty distinguishedname

Set-ADGroup -Server domain3.corp.com -Identity mygroup -Replace @{Member=$adUsers}

but that fails with

The specified account does not exist.

If you looked at my previous attempt you might have noted that my user objects come from two different domains while my group comes from a third one.

So to test my code, I simplified my setup and tried with users coming from the same domain as the one where the group was located in

$adUsers = @()
$adUsers += Get-ADUser -Server domain3.corp.com -Identity user4
$adUsers += Get-ADUser -Server domain3.corp.com -Identity user5

$adUsers = $adUsers | select-object -expandproperty distinguishedname

Set-ADGroup -Server domain1.corp.com -Identity mygroup -Replace @{Member=$adUsers}

This works.

So I figured the AD module might not be liking FSPs.

But then I ran the following code:

$adUsers = @()
$adUsers += Get-ADUser -Server domain1.corp.com -Identity user1
$adUsers += Get-ADUser -Server domain2.corp.com -Identity user2

Add-ADGroupMember -Server domain3.corp.com -Identity mygroup -Members $adUsers

And this works. So it seems working with FSPs is certainly possible in the AD module.

But why is it not working for Set-ADGroup?

Should I be using something different from the distinguished name? I tried with the string representation of the SID, but that seems to be even worse (An internal error occurred).

I am aware that I could use a combination of Remove-ADGroupMember and Add-ADGroupMember to make my code work but that seems inefficient as I would have to figure out first which users to remove. Replacing the member list with the correct entries seems more performant.
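
The Remove-ADGroupMember / Add-ADGroupMember approach mentioned in the question, as an added example that is not part of the original post: it compares current and desired members by SID instead of by distinguished name and changes only the difference. `Get-MembershipDelta` is a hypothetical helper; the script assumes Get-ADGroupMember can enumerate the group's cross-domain members and that the objects it returns are accepted by Remove-ADGroupMember.

```powershell
# Added example, not the asker's code. Requires the ActiveDirectory module;
# server, group and user names are the ones used in the question.
function Get-MembershipDelta {
    # Hypothetical helper: set arithmetic on SID strings, no directory access.
    param(
        [string[]]$CurrentSid = @(),
        [string[]]$DesiredSid = @()
    )
    [pscustomobject]@{
        ToAdd    = @($DesiredSid | Where-Object { $CurrentSid -notcontains $_ } | Select-Object -Unique)
        ToRemove = @($CurrentSid | Where-Object { $DesiredSid -notcontains $_ } | Select-Object -Unique)
    }
}

$groupServer = 'domain3.corp.com'
$group       = 'mygroup'

# Desired members, resolved in their own domains as in the question.
$desired = @(
    Get-ADUser -Server domain1.corp.com -Identity user1
    Get-ADUser -Server domain2.corp.com -Identity user2
)

# Current direct members. Assumption: every member can be resolved from here,
# including members that live in the other domains.
$current = @(Get-ADGroupMember -Server $groupServer -Identity $group)

# Compare by SID: the SID identifies the same principal in every domain,
# while the distinguished name stored in the group may differ.
$currentSid = @($current | ForEach-Object { $_.SID.Value })
$desiredSid = @($desired | ForEach-Object { $_.SID.Value })
$delta      = Get-MembershipDelta -CurrentSid $currentSid -DesiredSid $desiredSid

$toAdd    = @($desired | Where-Object { $delta.ToAdd    -contains $_.SID.Value })
$toRemove = @($current | Where-Object { $delta.ToRemove -contains $_.SID.Value })

# -WhatIf previews the change; remove it once the delta looks right.
if ($toRemove) {
    Remove-ADGroupMember -Server $groupServer -Identity $group -Members $toRemove -Confirm:$false -WhatIf
}
if ($toAdd) {
    Add-ADGroupMember -Server $groupServer -Identity $group -Members $toAdd -WhatIf
}
```

Because only the difference is written, the preview output is also a record of exactly which principals gain or lose membership in the group.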

Read more here: https://stackoverflow.com/questions/68475795/powershell-set-adgroup-replace-member-multiple-domains-fsp

Content Attribution

This content was originally published by ydh at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.
