The nightmare of a multinational enterprise IT administrator: the trouble caused by a cross-domain add-member operation
The daily reality that administrators face involves hundreds of servers and complex permission systems. A seemingly simple cross-domain group addition may take a whole week. Marco's experience is not an isolated case; it is a common pain point that occurs every day in the IT management of multinational enterprises.
# Marco's original script: it binds to the group through the global catalog (GC://)
$Group = 'TestGroup'
$GC = "GC://DC=test1,DC=test,DC=local"
$Server = 'CN=Computer3,OU=Server,DC=test1,DC=test,DC=local'
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($GC)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectclass=group)(name=$Group))"
$objSearcher.PropertiesToLoad.Add("member")   # returns the index 0, which is the first line of output below
$Result = $objSearcher.FindAll()
$Test = $Result.GetDirectoryEntry()           # DirectoryEntry is still bound via GC://, a read-only partial replica
$Test.Properties.Item("member")               # current members
$Test.Properties["member"].Add($Server)       # only changes the local property cache; prints the new index 2
$Test.Properties.Item("member")
#$Test.CommitChanges()                        # writing through the GC binding is refused: "unwilling to process"
#$Test.SetInfo()
0
CN=Computer1,OU=Server,DC=test1,DC=test,DC=local
CN=Computer2,OU=Server,DC=test1,DC=test,DC=local
2
CN=Computer1,OU=Server,DC=test1,DC=test,DC=local
CN=Computer2,OU=Server,DC=test1,DC=test,DC=local
CN=Computer3,OU=Server,DC=test1,DC=test,DC=local
Exception calling "CommitChanges" with "0" argument(s): "The server is unwilling to process the request."
At line:18 char:1
+ $Test.CommitChanges()
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Pitfalls of cross-domain trust
In a large multinational company, it is normal to build trust relationships between different domains. The company where Marco works has multiple domains with trust relationships, which made him naturally assume that cross-domain operations would proceed without hindrance.
During the actual operation, I found that even with a domain trust established, the PowerShell script still reported an error when executing the Add-ADGroupMember command. The trust relationship may work normally through a GUI, but automated command-line operations hide subtleties that are easy to miss.
Global catalog misunderstandings
$groupSamName = 'TestGroup'
$domain = "LDAP://DC=test1,DC=test,DC=local"
$computerPath = 'LDAP://cn=computer1,ou=computers,dc=test ....'   # path left truncated as in the original post
# find the group by sAMAccountName using the [adsisearcher] type accelerator
$searcher = [adsisearcher]"(samaccountname=$groupSamName)"
$searcher.SearchRoot = [adsi]$domain
$result = $searcher.FindOne()
$group = $result.GetDirectoryEntry()
$group.Add($computerPath)   # IADsGroup::Add through the ADSI adapter; fails here with HRESULT 0x80072035
Many administrators mistakenly believe that every operation can be completed against any domain controller. Marco thought so at first. He had access rights to multiple domain controllers, but he overlooked the key role of the global catalog server in cross-domain queries.
The global catalog holds a partial attribute set for every object in the forest. When searching for users or groups across domains, the search will fail if the correct GC server is not specified. This is why the script he wrote ran into trouble at the search step.
Naming context confusion
The property 'SearchRoot' cannot be found on this object. Verify that the property exists and can be set.
At line:9 char:1
+ $searcher.SearchRoot = [adsi]$domain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
Method invocation failed because [System.String] does not contain a method named 'FindOne'.
At line:10 char:1
+ $result = $searcher.FindOne()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
Exception calling "Add" with "1" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
At line:13 char:1
+ $group.Add($computerPath)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
The AD cmdlets in PowerShell are extremely strict about the object identifier. In Marco's script, he uses the display name of the group rather than the distinguished name or SID. In a single-domain environment this may pass smoothly; in a cross-domain scenario it will almost certainly fail.
In an enterprise environment there may be groups with the same name in different domains, so the target cannot be located accurately by name alone. The correct approach is to use the distinguished name (DN) or security identifier (SID) to uniquely identify the object.
Blind spots in permission delegation
Even if you have administrator rights in both domains, that does not mean you can directly perform cross-domain operations. Marco's situation is very typical: his account has permissions in both the source domain and the target domain, but the operation failed because the authentication context is not carried across the domain boundary.
The correct approach is to use Get-Credential to obtain credentials for each of the two domains, or to explicitly specify the target domain's credentials when creating the session. A single authentication cannot accomplish all operations across domain boundaries.
IsPublic IsSerial Name BaseType
True False DirectoryEntry System.ComponentModel.Component
Differences between command line and GUI
Name Value
PSVersion 4.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.34003
BuildVersion 6.3.9600.16394
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion 2.2
Initially, Marco tested the script in PowerShell ISE, and it failed. He then turned to the command line, but still encountered problems. This shows that many administrators rely too heavily on graphical interfaces and do not understand well enough how the command-line tools work.
GUI tools often perform authentication, server lookup, and object format conversion on their own in the background. The command line, however, requires all of these details to be handled manually, and an error at any one step makes the entire operation fail.
Practical solutions
The suggestions that jr sent to Marco are in fact the standard enterprise-level solution: first use the global catalog to find the object's distinguished name, then build the complete LDAP path, and finally perform the add with the correct credentials.
As of 2026, Microsoft has released more powerful cross-domain management tools, but the core principles remain the same. For multinational enterprises, deploying a suitable identity management platform, or using Azure AD Connect for unified management and control in the cloud, is recommended.
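A corrected version of that sequence, as an added example that is not jr's or Marco's code: it locates both the group and the member through the global catalog (the point made under "Global catalog misunderstandings"), works with distinguished names rather than display names ("Naming context confusion"), and binds with LDAP:// to a DC of the group's own domain using explicit credentials ("Blind spots in permission delegation"). Assumed: the forest root is DC=test,DC=local, the account names shown, and that the System.DirectoryServices .NET classes are available (no RSAT cmdlets needed).

```powershell
# Added example, not the post's own script. Assumptions: forest root DC=test,DC=local,
# the member lives in a different domain than the group, and $Cred is an account with
# write access to the group in the group's domain. All names below are constructed.
Add-Type -AssemblyName System.DirectoryServices

function Find-InGlobalCatalog {
    param([string]$ForestRootDn, [string]$Filter)
    # The GC (port 3268) is a read-only partial replica of every domain in the forest:
    # use it only to locate an object's DN, never to bind for a write.
    $gc = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestRootDn")
    $s  = New-Object System.DirectoryServices.DirectorySearcher($gc, $Filter)
    [void]$s.PropertiesToLoad.AddRange(@('distinguishedName', 'groupType'))
    $r = $s.FindOne()
    if (-not $r) { throw "No object matched filter $Filter in the global catalog" }
    return $r
}

function Get-DomainDnsFromDn {
    param([string]$Dn)
    # The DC= components of the DN name the domain whose controllers must serve the write.
    $parts = [regex]::Matches($Dn, '(?i)DC=([^,]+)') | ForEach-Object { $_.Groups[1].Value }
    return ($parts -join '.')
}

function Add-CrossDomainGroupMember {
    param([string]$ForestRootDn, [string]$GroupSam, [string]$MemberSam, [pscredential]$Cred)
    $grp = Find-InGlobalCatalog $ForestRootDn "(&(objectClass=group)(sAMAccountName=$GroupSam))"
    $mem = Find-InGlobalCatalog $ForestRootDn "(sAMAccountName=$MemberSam)"
    $groupDn  = $grp.Properties['distinguishedName'][0]
    $memberDn = $mem.Properties['distinguishedName'][0]
    # Global groups (groupType bit 0x2) cannot hold members from another domain;
    # domain local (0x4) and universal (0x8) groups can. Fail early with a clear reason.
    $scope = [int]$grp.Properties['groupType'][0]
    if (($scope -band 0x2) -and ((Get-DomainDnsFromDn $groupDn) -ne (Get-DomainDnsFromDn $memberDn))) {
        throw "$GroupSam is a global group; it cannot contain $MemberSam from another domain"
    }
    # Bind to the group with LDAP:// against the group's own domain, with credentials
    # valid in that domain. This is the write that the GC:// binding refused.
    $ldapPath = "LDAP://$(Get-DomainDnsFromDn $groupDn)/$groupDn"
    $group = New-Object System.DirectoryServices.DirectoryEntry(
        $ldapPath, $Cred.UserName, $Cred.GetNetworkCredential().Password)
    if ($group.Properties['member'] -contains $memberDn) { return $memberDn }   # already a member
    [void]$group.Properties['member'].Add($memberDn)
    $group.CommitChanges()
    return $memberDn
}

# Constructed usage; computer accounts carry a trailing '$' in sAMAccountName.
$Cred = Get-Credential -Message 'Account with write access to TestGroup in test1.test.local'
Add-CrossDomainGroupMember -ForestRootDn 'DC=test,DC=local' -GroupSam 'TestGroup' -MemberSam 'Computer3$' -Cred $Cred
```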
The property 'SearchRoot' cannot be found on this object. Verify that the property exists and can be set.
At line:8 char:1
+ $searcher.SearchRoot=[adsi]'LDAP://DC=test1,DC=test,DC=local'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
What is the most difficult failure you have encountered when dealing with cross-domain permissions management? You are welcome to share your own pitfall experience in the comments. You may also like this article so that more peers can see it, and save it for future reference.
