Adding user from trusted domain to (domain local) group
Last Post 28 Jul 2010 02:36 AM by MiND Disruptor. 3 Replies.
Status: Not Resolved
GeexShell (New Member, 7 posts), 25 Aug 2009 09:34 AM
    Hi guys,
    Here's my issue: I have a user in a trusted domain (DomA) that I'm trying to add to a (domain local) group in my domain (DomB). DomB trusts DomA (one-way trust).
    [DomA and DomB are actually in two separate forests, but the trust is effective nonetheless.]

    $usr = [ADSI]("LDAP://CN=UserA,OU=MyUsers,DC=DomA,DC=COM")
    $grp = [ADSI]("LDAP://CN=GroupA,OU=MyGroups,DC=DomB,DC=COM")
    $grp.Add("LDAP://" + $usr.distinguishedName) ; $grp.SetInfo()

    On that last line I am getting the following error: "Exception calling "Add" with "1" argument(s): "There is no such object on the server. (Exception from HRESULT: 0x800720)""
    This method works fine for users from the same domain.
    In contrast, I've been able to add the user to the group by using the trusty old WinNT provider:

    $grp.Add("WinNT://DomA/UserA") ; $grp.SetInfo()

    So either I'm doing something wrong utilizing the LDAP provider, or it has a limitation of some sort with this, or I am supposed to use another method (i.e. Invoke - which I tried, to no avail). - I vote for the former, as I'm not that savvy with Powershell. Not yet, anyway.
    Can you point me to the correct usage of the LDAP provider in this case to add the user to the group?

    BTW, this is with PowerShell v1.0 (on WinSvr 2003). And we do not use the Quest AD (QAD...) ActiveRoles management pack, so those are of no use to me here.

    Any help with this would be appreciated.

    Thanks,
    Gal.
    GeexShell (New Member, 7 posts), 23 Sep 2009 01:33 PM
    OK, so after some Google/msdn/technet/soul searching, I found the answer (in bits and pieces), and so decided to post it here, for the future:

    Users from trusted domains are represented as ForeignSecurityPrincipals (FSPs) in the domain we're operating in. These FSPs contain only the user's SID: in the distinguishedName, the common name, etc. This is because the conversion from SID to a name is done in the domain where that account resides, and the trusting domain (where we're at) has no knowledge of it. As such, what we need to do is find the account's SID.
    Now, you'd think that the obvious property would be $acct.objectSid... but no...  the trick is to use the old NTAuthority to do the conversion:

    $acct = [System.Security.Principal.NTAccount]($Usr.sAMAccountName)
    $acctsID = $acct.Translate([System.Security.Principal.SecurityIdentifier])

    Now that you have the account's sID, all that's left is to add it to the group in the trusting domain:
    $grp.add($acctsID).  Right?

    hmmm... not quite... turns out that to add the account with the sID form, it needs to be formatted as follows:
    $grp.add("ldap://<SID=" + $acctsID.Value + ">")

    Last, if you have a group populated with FSPs and you want to find out who these users are (programmatically, of course), then you can use this simple function, providing it the group member's distinguishedName property, and the domain where the account actually resides. What you will get back is the username in the form Domain\UserName.

    function getAcctNameFromsID($AcctDN,$Dom) {
      # Bind to the FSP object in the trusting domain; its CN is the account's SID string
      $Acct = [adsi]("ldap://$AcctDN")
      $AcctSid = $Acct.cn
      $AcctSidNT = [System.Security.Principal.SecurityIdentifier]($AcctSid.ToString())
      # Translate() resolves the SID in the domain that owns it, via the trust
      $UserName = $AcctSidNT.Translate([System.Security.Principal.NTAccount])
      if ($UserName) { return $UserName } else { return "Not Found" }
    }

    Gal.

    By the way, if this can be done more easily using the Quest -qAD- cmdlets, feel free to post it here as an addendum. I have not seen any postings of it, and we do not use qAD in our environment.

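The technique in the post above, written out as one complete script. This is an added example, not code from Geex's post or from any product. It assumes PowerShell 2.0 or later (for try/catch, which the v1.0 environment in the thread lacks), a session that can write the group's member attribute, and that the trust is in the direction the thread describes (DomB, where the group lives, trusts DomA, where the user lives), so that DomB can resolve DomA SIDs. DomA\UserA and the GroupA DN are placeholders taken from the thread. It goes a little beyond the post: membership is compared by SID rather than DN (a DomA DN never appears in DomB's member attribute, only the FSP's DN does), the SID is rebuilt from the objectSid byte array so the same code handles native and foreign members without parsing the FSP's CN, and members whose SID no longer resolves are flagged as orphaned.

```powershell
# Added example (not from the original post). Adds a trusted-domain account to a
# domain-local group through the LDAP provider using SID binding, and resolves the
# group's members, including foreignSecurityPrincipal objects, back to DOMAIN\name.
# Assumptions: PowerShell 2.0+, rights to edit the group, a working trust so that
# DomB can resolve DomA SIDs. 'DomA\UserA' and the GroupA DN are placeholders.

function ConvertTo-Sid {
    # 'DomA\UserA' -> SecurityIdentifier, resolved through the trust (LSA lookup).
    param([Parameter(Mandatory = $true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    try {
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "'$Account' cannot be resolved from this domain; check the trust direction and the account name."
    }
}

function Get-MemberSid {
    # objectSid comes back from ADSI as a byte array; rebuild the SID from it.
    # Works for native members and for FSP objects alike, so the FSP CN need not be parsed.
    param([Parameter(Mandatory = $true)][string]$MemberDN)
    $obj = [ADSI]("LDAP://$MemberDN")
    New-Object System.Security.Principal.SecurityIdentifier($obj.objectSid.Value, 0)
}

function Add-TrustedMember {
    param(
        [Parameter(Mandatory = $true)][string]$GroupDN,   # e.g. 'CN=GroupA,OU=MyGroups,DC=DomB,DC=COM'
        [Parameter(Mandatory = $true)][string]$Account    # e.g. 'DomA\UserA'
    )
    $sid = ConvertTo-Sid $Account
    $grp = [ADSI]("LDAP://$GroupDN")
    # Compare by SID: DomB stores the foreign user as
    # CN=<SID>,CN=ForeignSecurityPrincipals,DC=DomB,DC=COM, never under its DomA DN.
    $current = @($grp.member) | ForEach-Object { (Get-MemberSid $_).Value }
    if ($current -contains $sid.Value) {
        Write-Verbose "$Account ($($sid.Value)) is already a member of $GroupDN"
        return $sid
    }
    # SID-binding ADsPath; IADsGroup::Add writes the member attribute immediately,
    # so no SetInfo() is required here.
    $grp.Add("LDAP://<SID=$($sid.Value)>")
    return $sid
}

function Resolve-GroupMembers {
    # Lists each member as DOMAIN\name. A member whose SID no longer resolves
    # (deleted trusted account, broken trust) is reported as orphaned so it can be
    # reviewed and removed instead of being silently kept in the group.
    param([Parameter(Mandatory = $true)][string]$GroupDN)
    $grp = [ADSI]("LDAP://$GroupDN")
    foreach ($dn in @($grp.member)) {
        $obj   = [ADSI]("LDAP://$dn")
        $sid   = Get-MemberSid $dn
        $isFsp = @($obj.objectClass) -contains 'foreignSecurityPrincipal'
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = 'ORPHANED (SID does not resolve)'
        }
        New-Object PSObject -Property @{ DN = $dn; Sid = $sid.Value; Foreign = $isFsp; Name = $name }
    }
}

# Usage (placeholders from the thread):
# Add-TrustedMember -GroupDN 'CN=GroupA,OU=MyGroups,DC=DomB,DC=COM' -Account 'DomA\UserA' -Verbose
# Resolve-GroupMembers -GroupDN 'CN=GroupA,OU=MyGroups,DC=DomB,DC=COM' | Format-Table Name, Foreign, Sid, DN
```

Two caveats worth keeping in mind. Reading `$grp.member` directly is fine for the group sizes typical of a thread like this, but a DC returns the attribute in ranges once it exceeds the server's page limit (1500 values by default), so very large groups need ranged retrieval. And an orphaned SID in a domain-local group is not just clutter: if the trust is ever re-established or the SID is reissued on the far side, whatever owns that SID inherits the access, which is why the reverse lookup above reports unresolvable members explicitly.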
    cameronove (Basic Member, 332 posts), 11 Dec 2009 12:12 PM
    Great Geex.  I think you helped me stumble on a fix for my problem.  I'm trying to remove a user in DomA from a group in DomB.  I get a similar error as you:

    Remove-ADGroupMember : Cannot find an object with identity: 'CN=Ove\,Cameron,OU=Users,OU=location,DC=mybusinessunit,DC=example,DC=com' under: 'DC=differentbusinessunit,DC=example,DC=com'.
    At line:1 char:21
    + Remove-ADGroupMember <<<<  -Identity $group.ObjectGUID -Members $myname.distinguishedName -Credential $myAdminCreds.differentbusinessunit -server differentbusinessunit.example.com
        + CategoryInfo          : ObjectNotFound: (CN=Ove\, Camero...,DC=example,DC=com:ADPrincipal) [Remove-ADGroupMember], ADIdentityNotFoundException
        + FullyQualifiedErrorId :  SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember
    MiND Disruptor (New Member, 1 post), 28 Jul 2010 02:36 AM
    To Geex: thanks a lot for this post! You helped fix my problem too!

    I changed your code to use Quest -qAD- cmdlets:

    $cred = Get-Credential
    $user = Get-QADUser "domain1\user01" -service 'domain1' -Credential $cred

    Connect-QADService -Service 'domain2'
    Add-QADGroupMember -Identity "domain2 group name" -Member $user.Sid

    # I'm running this code on a domain2 workstation