Tag Archive: groups

Adding and removing members from another forest or domain to groups in Active Directory (the script below walks every group under a search root, finds member groups whose name starts with MII_, and adds the matching group of the same name without the prefix in its place):


Example of PowerShell script:

Write-Host "Loading the Quest.ActiveRoles.ADManagement powershell snap-in"
if ( (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

Write-Host ""
$rootOU      = "DC=mydomain,DC=local"                 # where to look for groups to fix
$groupsOU    = "OU=Groups,DC=mydomain,DC=local"       # where the replacement groups live
$date        = Get-Date -Format ddMMyyyy
$log         = ".\Update-CVS-GroupMembership-$date.txt"
$startscript = Get-Date
$totalgrp    = 0   # groups parsed
$nceoldgrp   = 0   # old MII_xxx member groups found
$changes     = 0   # groups changed successfully
$KO          = 0   # MII_xxx member groups with no matching replacement
Write-Host ""
Write-Host "------------------------------------------------------------"
Write-Host ""

Get-QADGroup -SearchRoot $rootOU | ForEach-Object {
    $totalgrp++
    $groupname = $_.SamAccountName
    # Only members that are themselves groups and whose name starts with MII_
    $members = Get-QADGroupMember -Identity $_.DN -Type group -Name "MII_*"
    if ($members) {
        foreach ($member in $members) {
            $nceoldgrp++
            $GroupToReplace = $member.SamAccountName
            # The replacement group carries the same name without the MII_ prefix
            $GroupToFind    = $GroupToReplace -replace "^MII_", ""

            # Look the replacement group up directly under OU=Groups (no sub-OUs)
            $GroupExist = Get-QADGroup -SearchRoot $groupsOU -SearchScope OneLevel -SamAccountName $GroupToFind

            if ($GroupExist) {
                # -Proxy performs the change through the ActiveRoles server instead of directly against AD
                Add-QADGroupMember -Identity $groupname -Member $GroupExist.DN -Proxy
                # Uncomment once the new membership has been verified, to drop the old MII_ group:
                # Remove-QADGroupMember -Identity $groupname -Member $member.DN -Proxy
                $changes++
                Write-Output "Modification - $GroupToReplace has been replaced by $GroupToFind in the group $groupname" | Out-File $log -Append
            } else {
                $KO++
                Write-Output "Error - $groupname unchanged... $GroupToReplace has no matching group named $GroupToFind" | Out-File $log -Append
            }
        }
    }
}

Write-Host ""
Write-Host "--STATISTICS--" -BackgroundColor Blue -ForegroundColor White
Write-Host "TOTAL $totalgrp total groups parsed" -BackgroundColor Yellow -ForegroundColor Black
Write-Host "TOTAL $nceoldgrp total old MII_xxx groups found" -BackgroundColor Yellow -ForegroundColor Black
Write-Host "TOTAL $changes total groups changed successfully" -BackgroundColor Yellow -ForegroundColor Black
Write-Host "TOTAL $KO total groups with no matching" -BackgroundColor Yellow -ForegroundColor Black
Write-Host ""
#Start-Sleep 5
Write-Host "-------------------"
Write-Host "-- End of Script --"
Write-Host "-------------------"
Write-Host ""
$stopscript = Get-Date
$elapsed    = New-TimeSpan -Start $startscript -End $stopscript
Write-Host "Has started at" $startscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "Has finished at" $stopscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "TIME SPENT: $($elapsed.Hours) Hours $($elapsed.Minutes) Minutes $($elapsed.Seconds) Seconds" -BackgroundColor Green -ForegroundColor Black
Write-Host ""



Today I'm going to explain, briefly, what forward links and backlinks in AD are and how group membership is stored in AD. Once we know the trick behind that, we also know how other linked attributes such as managedBy work internally, because they use the same mechanism.

Let's pretend we have a user in our domain and this user is a member of a group. What connects these two is called a "link"; for this particular case we'd call it "membership". The link between those two objects is created based on something called a "distinguished name tag" (DNT), which is basically a row (with a unique number) in each domain controller's database. The DNT is unique for each object in a DC's database, pretty much like an ID, but it is unique per DC: the DNT doesn't get replicated and it isn't exposed anywhere in the UI. It's just a database detail that makes searching and referencing a lot faster. Storing the actual address where to ring the bell is faster than writing down the page of the telephone book where the person you want to reach is listed (okay, that comparison is a bit clumsy).

Group membership, the "member" attribute on the group and the corresponding "memberOf" attribute on the user side, is stored using these DNTs. Groups store their members by their database-unique DNT (referencing the row the member object is saved at). This is called the forward link. At the other end, users store their group memberships the other way round, tracking the DNTs of all groups they are a member of. That's called the backlink.

There are a number of linked attributes in AD; member/memberOf is only one example. Each linked attribute is identified by a linkID defined on its attributeSchema object, and the links themselves are kept in the so-called link table of the DC's database. From there, the attribute values get computed once queried or needed. The linkID of a forward link is always even, whereas a backlink's linkID is always odd. By this relationship (forward linkID + 1 = back linkID), the partner link can always be found and identified (more on that here).

Not going too deep into the technical details, there's another thing we need to know when looking at group membership and forward and backlinks: forward links are writable and backlinks are read-only. This means that only forward links are ever changed, and the corresponding backlinks are computed automatically. It also means that only forward links are replicated between DCs; each DC maintains the backlinks locally after replication.
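The linkID parity rule from the paragraphs above (even = forward link, odd = backlink, partner = linkID +/- 1), as an added example that is not part of the original post. The first function works offline against a small hard-coded table of well-known linkIDs from the default AD schema (member/memberOf, manager/directReports, managedBy/managedObjects); the second one, Get-LinkPartnerFromSchema, is an assumed live variant that needs a domain-joined host with the RSAT ActiveDirectory module and reads the linkID straight from the schema partition.

```powershell
# Constructed lookup table: lDAPDisplayName -> linkID, as defined in the default AD schema.
# Hard-coded here only so the example runs offline; the live function below reads them from the schema.
$knownLinkIds = @{
    'member'         = 2
    'memberOf'       = 3
    'manager'        = 42
    'directReports'  = 43
    'managedBy'      = 72
    'managedObjects' = 73
}

function Get-LinkPartner {
    # Classify a linkID by parity and derive its partner linkID (offline).
    param([Parameter(Mandatory)][int]$LinkId)

    if ($LinkId % 2 -eq 0) {
        # even: forward link, writable and replicated; partner (backlink) is linkID + 1
        $kind      = 'forward'
        $partnerId = $LinkId + 1
    } else {
        # odd: backlink, read-only and computed locally; partner (forward link) is linkID - 1
        $kind      = 'back'
        $partnerId = $LinkId - 1
    }

    $partnerName = ($knownLinkIds.GetEnumerator() |
        Where-Object { $_.Value -eq $partnerId } |
        Select-Object -First 1).Key

    [pscustomobject]@{
        LinkId        = $LinkId
        Kind          = $kind
        PartnerLinkId = $partnerId
        PartnerName   = $partnerName   # $null if the partner is not in the table
    }
}

function Get-LinkPartnerFromSchema {
    # Assumed live variant: look the attribute up in the schema NC and find its partner by linkID.
    # Requires RSAT (ActiveDirectory module) and a reachable DC.
    param([Parameter(Mandatory)][string]$AttributeName)

    Import-Module ActiveDirectory
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties lDAPDisplayName, linkID
    if (-not $attr -or -not $attr.linkID) {
        throw "$AttributeName is not a linked attribute (no linkID in the schema)"
    }

    $partnerId = if ($attr.linkID % 2 -eq 0) { $attr.linkID + 1 } else { $attr.linkID - 1 }
    $partner = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(linkID=$partnerId))" `
        -Properties lDAPDisplayName, linkID

    [pscustomobject]@{
        Attribute     = $attr.lDAPDisplayName
        LinkId        = $attr.linkID
        Kind          = if ($attr.linkID % 2 -eq 0) { 'forward' } else { 'back' }
        Partner       = $partner.lDAPDisplayName
        PartnerLinkId = $partner.linkID
    }
}

# Offline demonstration over the constructed table
foreach ($name in 'member', 'memberOf', 'managedBy') {
    Get-LinkPartner -LinkId $knownLinkIds[$name] | Format-Table -AutoSize
}
# Live check (only on a domain-joined host with RSAT):
# Get-LinkPartnerFromSchema -AttributeName member
```

The practical consequence of the parity rule is what the text says about writability: if you try to set memberOf or managedObjects directly with Set-ADObject you get an error, because those odd-numbered attributes are backlinks that the DC computes from the forward link; the change has to go through member or managedBy on the other object.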


One question left (if you kept up and you read carefully): as stated earlier, the DNT is only a local database row number (sort of) and these DNTs are used to identify the members of a group, so how does that get replicated? Good question. I happened to forget the correct answer so I went to the guys at the activedir.org mailing list and they were so friendly to help me. So thanks to Don and joe, I now know (and after reading this, you too) that for replication, DNTs are converted into a form that contains the object's SID, GUID and DN string, so the DC at the other end can create its own DNT entry out of it and store it locally.

We now know that group membership isn't just a list of DNs that refer to the actual objects (that would be boring, wouldn't it?); it's more a list of row addresses in the local database, linked back and forth so that referencing is cheap. To save replication traffic and trouble, only one of those links, the forward link, is written and replicated; the backlink can always be computed from it.