Jose Colmenares (Chile) asked:
How to find duplicates users in Active Directory

Hello All,

I need a command to query duplicate users in my AD.

Could you help me?
ASKER CERTIFIED SOLUTION
Chris Dent (United Kingdom)
Since there's no such thing as duplicate users in Active Directory, you're going to have to be more specific in what you're looking for.
Agree with Footech - you can't have duplicate users.  So what EXACTLY is your issue?  How does it manifest itself?
Jose Colmenares (asker):

My boss indicates that the SID of the users is the only one that cannot be duplicated, but he needs to find out whether there are duplicate users in our AD, i.e. users with the same SAMACCOUNTNAME.
Your boss is wrong.

SamAccountName is enforced unique within each domain in a forest (it can duplicate across domains though). objectGUID is enforced unique across the forest. userPrincipalName is enforced unique across the forest.

It leaves you still needing to define duplicate, I'm afraid.

Chris
Agree with Chris - you cannot have multiple accounts.  The CLOSEST you can come is giving someone the same first name and last name, but even then, they cannot be in the same OU.  Try it.  Try to create a new account using an existing user name.  You CAN'T!
If you'd like to humour your boss, that's fine. But you may need to give an indication of directory size unless you want to hopelessly overrun the memory on your PC. For a few hundred, even a thousand or so users, the snippet I posted above works. Adjusted a little here:
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation


If it's multiples of 1000 it's likely to need something a little more refined than that.

SamAccountName can be replaced by any attribute name, but you will also need to ask Get-ADUser to get the attribute. For example, duplication based on the description attribute (no idea why anyone would care about that, but it serves as an example):
Get-ADUser -Filter * -Properties Description |
    Group-Object Description -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateDescription.csv -NoTypeInformation


Queries like this, where the majority of the heavy lifting is client-side, are best run from a workstation with the RSAT package installed (specifically the AD PowerShell tools). The AD, of course, will still be taking care of the LDAP query (behind the scenes).

Chris
Sleepy, "The DC will still be taking care of the LDAP query".
Hi Jose,

Though I agree with the opinion of the other experts that it is highly likely to have duplicate IDs, I have come across situations where the attributes of one object are duplicated with others during the Office 365 (DirSync) assessment.

You can run this tool (IdFix) from any domain-joined machine and it will give you a list of possibly all the duplicate IDs. You can open the CSV and apply filters for duplicate IDs and for which attribute is duplicated (SAMAccountName, email address, etc.).

https://www.microsoft.com/en-in/download/details.aspx?id=36832

Regards,
Aanand Singh Karki
You need to determine what your boss is really after, otherwise everyone is just going to throw a bunch of information at you.  

The SamAccountName must be unique for a lot of reasons, AD won't let you create a duplicate as it will throw a constraint violation when it attempts to index it.  

The UPN (Universal Principal Name/LogonID) contrary to what is documented, can accept a duplicate, so maybe that is what your boss is after.  It will create problems if you have a duplicate, but AD does not care about the contents.  

The name (CN=), ie the first part of the RDN, also does not need to be unique, provided that the 'duplicate' is in a different AD container.  So you can have two 'Jane.Doe' accounts.  The first and last name, display name, and everything else is irrelevant.

If you are good with Microsoft Access, you can dump any directory fields you are interested in into a table and quickly let it find the dups; Excel might have a similar feature, without resorting to PowerShell.

I'm afraid you need more clarification from your boss...
Thank you all.

My boss insists that duplicate cases of USERID may occur, and wants to verify whether there are such cases. Our AD is about 5000 users.

With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.
The second command did not give me any results for the SAMACCOUNTNAME.
The third command, as you indicated, brings me the duplicate descriptions.

I must meet with my boss to clarify what information he needs exactly.
Thanks for participating.
Clarify what the 'UserID' is, as there are lots of attributes in the directory that can be considered a 'UserID'.
Demonstrate what happens when you create a second account using the same user name.  Try it.  Try it in one OU and try it in two separate OUs.
You should define what you mean by 'User Name', as that can mean different things to different people.
> With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.

That's fine, expected for a directory of any real size. As long as Distinguished Name differs (and they will by virtue of having different OUs), relative distinguished name can duplicate.

Anyway, do clarify what is considered to be UserID, or try the same process for the "userPrincipalName" attribute and see where that leaves you.

Another possibility, I suppose, might be the mail attribute. That is, if that's being used as a user ID for any services using LDAP authentication. The mail attribute is unconstrained, a duplicate there would be a trivial thing to create.

Let's twist the snippet that looks at SamAccountName; the absence of a thing is sometimes not enough to make people feel happy. Removing the filter will show that each user name in the list exists once only. Sorting it into alphabetical order would help you visually confirm that this is so.
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Sort-Object Name |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation


Chris
I know this is an old conversation, but I ran across it while looking for a similar solution. There seems to be a glaring "miss", since the question was regarding duplicate accounts in a multi-domain forest. The solutions I see above only pull accounts from a single domain. I use this script to identify duplicate SAMACCOUNTNAME attributes in the entire multi-domain forest, then leave them in the "$dupes" array:
$CSVfile = "$($env:onedrivecommercial)\output\DuplicateSAM.csv"
$users = @()
ForEach ($domain in (get-adforest).domains) {
    $DomObj = Get-ADDomain $domain
    "Querying users in $($DomObj.Name)"
    $users += Get-ADUser -filter * -SearchBase $DomObj.DistinguishedName -Server $DomObj.RIDMaster
}
write-host "Read $($users.count) users. Looking for duplicates..."
$dupes = $users | Group-Object SamAccountName | Where-Object Count -gt 1
write-host "Duplicates found: $($dupes.count)"
$dupes | Export-Csv -Path $CSVfile -NoTypeInformation 

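As an added example (not code from any of the posters), the forest-wide approach of the last post combined with Chris's suggestion to also check the unconstrained userPrincipalName and mail attributes. It assumes the ActiveDirectory RSAT module, read access to user objects in every domain of the forest, and an output path of your choosing; the domain column tells you whether a duplicate is a cross-domain SamAccountName collision (legitimate) or a genuine UPN/mail clash.

```powershell
# Added example, not the posters' code. Assumes the ActiveDirectory module
# and rights to read users in every domain of the forest.
$attributes = 'SamAccountName', 'UserPrincipalName', 'mail'
$csvFile    = '.\ForestDuplicates.csv'   # assumed output path

# Gather users domain by domain, tagging each with its domain so that a
# cross-domain SamAccountName collision can be told apart from a UPN or
# mail collision (only the latter two are enforced forest-wide by AD).
$users = foreach ($domain in (Get-ADForest).Domains) {
    $dom = Get-ADDomain -Identity $domain
    Write-Host "Querying users in $($dom.DNSRoot)"
    Get-ADUser -Filter * -SearchBase $dom.DistinguishedName `
               -Server $dom.DNSRoot -Properties $attributes |
        Select-Object DistinguishedName, SamAccountName, UserPrincipalName, mail,
                      @{ n = 'Domain'; e = { $dom.DNSRoot } }
}
Write-Host "Read $($users.Count) users. Looking for duplicates..."

# For each attribute, group non-empty values (Group-Object is
# case-insensitive by default, which matches how AD and logon treat them)
# and emit one row per account that shares a value with another account.
$report = foreach ($attr in $attributes) {
    $users |
        Where-Object { $_.$attr } |
        Group-Object -Property $attr |
        Where-Object Count -gt 1 |
        ForEach-Object {
            $group = $_
            foreach ($u in $group.Group) {
                [pscustomobject]@{
                    Attribute         = $attr
                    Value             = $group.Name
                    Count             = $group.Count
                    Domain            = $u.Domain
                    DistinguishedName = $u.DistinguishedName
                }
            }
        }
}

$report | Sort-Object Attribute, Value, Domain |
    Export-Csv -Path $csvFile -NoTypeInformation
$distinct = ($report | Select-Object Attribute, Value -Unique | Measure-Object).Count
Write-Host "Duplicate values found: $distinct (details in $csvFile)"
```

Rows where Attribute is SamAccountName and the Domain column differs are expected in a multi-domain forest; rows for UserPrincipalName or mail point at accounts that will cause logon or mail-routing ambiguity and are worth fixing.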