Domain Trust and AD Groups

Posted by robd on April 26, 2023

The company I work for is much like the Borg where they like to assimilate new companies.

Part of this assimilation often involves a domain trust and adding users from one domain to a second domain's AD groups to gain access to permissions in Domain 2.

This is really useful if you're giving a user a laptop on domain 1 but they need access to files on domain 2.


My mate Handsom Dave came up with this script to:

Compare users from Domain 1 and Domain 2 on display name (the usernames didn't match),

Get the Domain 2 groups,

Look at the Domain 2 group members,

If they exist in Domain 1 then add those people into the group in Domain 2.

Remember: The AD groups need to be Domain Local. Only domain local groups can hold security principals from a trusted domain; global and universal groups will reject them.



#Placeholders for a DC in each domain (the original post's server names did not survive, fill in your own)
$domain1Server = "dc.domain1.example"
$domain2Server = "dc.domain2.example"

#Get the users from domain1
$domain1 = Get-ADUser -Filter * -Server $domain1Server
#Get the users from domain2
$domain2 = Get-ADUser -Filter * -Server $domain2Server
#Compare the users on name (not username as they didn't match)
$usercompare = Compare-Object -ReferenceObject $domain1.Name -DifferenceObject $domain2.Name -IncludeEqual
#If it's the same then save to this variable
$inboth = $usercompare | Where-Object {$_.SideIndicator -eq "=="}
#In Domain 2 get all the AD groups that start with ACL_
$domain2groups = Get-ADGroup -Filter {Name -like "ACL_*"} -Server $domain2Server

#Here we go
foreach ($group in $domain2groups) {
    #Get the AD members from the ACL group
    $domain2groupmembers = Get-ADGroupMember $group -Server $domain2Server
    foreach ($groupmember in $domain2groupmembers) {
        #If the member of the group matches someone in the inboth variable
        if ($inboth.InputObject -contains $groupmember.Name) {
            #Look up the matching Domain 1 account by name (double any apostrophe so names like O'Brien don't break the filter)
            $safeName = $groupmember.Name -replace "'", "''"
            $domain1userobject = Get-ADUser -Filter "Name -eq '$safeName'" -Server $domain1Server
            #Add that Domain 1 person to the Domain 2 AD group (remove -WhatIf to actually make the change)
            Add-ADGroupMember -Identity $group -Members $domain1userobject -Server $domain2Server -WhatIf
        }
    }
}
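Before running Dave's script, it is worth auditing the ACL_ groups in Domain 2: checking that each one really is Domain Local, and resolving any foreign security principals already in them back to their Domain 1 account so you can spot disabled or orphaned accounts that still hold access. The script below is an added example and not part of the original post; the server names and the function name are placeholders I made up.

```powershell
Import-Module ActiveDirectory

# Placeholders: point these at a DC in each domain
$domain1Server = 'dc.domain1.example'   # domain holding the users
$domain2Server = 'dc.domain2.example'   # domain holding the ACL_ groups

function Test-AclGroupReadiness {
    param(
        [Parameter(Mandatory)][string]$TrustedServer,    # Domain 1
        [Parameter(Mandatory)][string]$ResourceServer    # Domain 2
    )
    $groups = Get-ADGroup -Filter 'Name -like "ACL_*"' -Server $ResourceServer -Properties Member
    foreach ($group in $groups) {
        # Only Domain Local groups can hold accounts from a trusted domain;
        # report any group with the wrong scope and move on
        if ($group.GroupScope -ne 'DomainLocal') {
            [pscustomobject]@{ Group = $group.Name; Member = '-'; State = "WrongScope:$($group.GroupScope)" }
            continue
        }
        # Read the raw member DNs rather than using Get-ADGroupMember, which can
        # throw when a group contains foreign security principals it cannot resolve
        foreach ($dn in $group.Member) {
            $obj = Get-ADObject -Identity $dn -Server $ResourceServer -Properties objectSid
            if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') { continue }
            $sid = $obj.objectSid.Value
            try {
                # Resolve the FSP's SID back to the Domain 1 account it represents
                $user  = Get-ADUser -Identity $sid -Server $TrustedServer -ErrorAction Stop
                $state = if ($user.Enabled) { 'Enabled' } else { 'Disabled' }
                $name  = $user.SamAccountName
            } catch {
                # SID no longer exists in Domain 1: an orphaned FSP still sitting in the ACL group
                $state = 'Orphaned'
                $name  = $sid
            }
            [pscustomobject]@{ Group = $group.Name; Member = $name; State = $state }
        }
    }
}

Test-AclGroupReadiness -TrustedServer $domain1Server -ResourceServer $domain2Server |
    Format-Table -AutoSize
```

Any row showing WrongScope means Add-ADGroupMember will fail for that group, and Orphaned or Disabled rows are access that should be cleaned up rather than carried over.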



