MilesLogan

asked on

Copy group members from one group to another in a different domain.

Hi EE

Does anyone have a script to share that will copy the samaccountname from one group and add them to another group in a different domain?

So basically I need Domain1\Group1 have the same members copied to Domain2\Group1

I have this need for multiple groups.
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
MilesLogan

ASKER

Hi oBdA

That is slick!! And it worked.

But I forgot to mention: I can make changes to Domain2 with an account from Domain1 as long as I use the Quest cmdlets.
Are you able to create one with those? If not, no problem, but I figured I'd check... or I can spawn this to another question if you like.
oBdA

To avoid misunderstandings:
* You have domain1 and domain2, and a trust where domain2 trusts domain1.
* You want domain2\group1 to have the same members as domain1\group1, with the members for the domain2 group coming from domain2, not from the trusted users from domain1?
Hi ..


* You have domain1 and domain2, and a trust where domain2 trusts domain1. : Correct.

See below.
* You want domain2\group1 to have the same members as domain1\group1, with the members for the domain2 group coming from domain1
Then the above script won't help, sorry. I understood your question as you having two separate domains, with accounts and groups with the same name.
Can you provide a bit more background about what it is you want to achieve with this? Are you familiar with AGDLP?
For that to work, the group in domain2 must be a DL group.
Since you have users in your group in domain1, it should be a global group.
Then why don't you add the group from domain1 to the group in domain2?
That's the way cross-domain permissions should be applied: the users in the account domain are members in a global group in the account domain, the global group is a member of the required domain local group(s) in the resource domain, and the domain local groups in the resource domain get the permissions assigned.
Duplicating the group membership of an account domain group in a resource domain is usually not desirable.
Sorry man... Actually, what you wrote earlier will help because this issue is for two domains that are not trusting, and your additional comments gave me a minute to think and better look into the issue. I appreciate your assistance and additional comments on this.
Thank you !
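
The group nesting described in the thread (global group in the account domain as a member of a domain local group in the resource domain), as an added example that is not part of the original thread or any participant's script. It assumes the Microsoft ActiveDirectory module, the trust discussed above, and placeholder values for the domain DNS names and group names.

```powershell
#Requires -Modules ActiveDirectory
# Added example: nest an account-domain global group into a resource-domain
# domain local group instead of duplicating its membership.
# All default values below are placeholders (assumptions), not from the thread.
param(
    [string]$AccountDomain  = 'domain1.example',  # trusted domain holding the users
    [string]$ResourceDomain = 'domain2.example',  # trusting domain holding the resources
    [string]$GlobalGroup    = 'Group1',           # global group in the account domain
    [string]$LocalGroup     = 'Group1'            # domain local group in the resource domain
)
$ErrorActionPreference = 'Stop'

# Read each group from a DC of its own domain.
$global = Get-ADGroup -Identity $GlobalGroup -Server $AccountDomain
$local  = Get-ADGroup -Identity $LocalGroup  -Server $ResourceDomain

# Check the scopes before changing anything: the account-domain group must be
# Global, and the resource-domain group must be DomainLocal to accept it.
if ($global.GroupScope -ne 'Global') {
    throw "$AccountDomain\$GlobalGroup has scope $($global.GroupScope); expected Global."
}
if ($local.GroupScope -ne 'DomainLocal') {
    throw "$ResourceDomain\$LocalGroup has scope $($local.GroupScope); expected DomainLocal."
}
if ($local.GroupCategory -ne 'Security') {
    throw "$ResourceDomain\$LocalGroup is not a security group and cannot carry permissions."
}

# Add the global group itself as a member, writing to the resource domain.
Add-ADGroupMember -Identity $local -Members $global -Server $ResourceDomain

# Show the resulting direct members of the domain local group for review.
(Get-ADGroup -Identity $local -Server $ResourceDomain -Properties member).member
```

Membership changes made to the global group in the account domain then apply to the resource domain without any further copying, and permissions stay assigned only to the domain local group.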