The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.
How to find duplicates users in Active Directory
Hello All,
I need a command to query duplicate users in my AD.
Could you help me?
I need a command to query duplicate users in my AD.
Could you help me?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Since there's no such thing as duplicate users in Active Directory, you're going to have to be more specific in what you're looking for.
Agree with Footech - you can't have duplicate users. So what EXACTLY is your issue? How does it manifest itself?
My boss indicates that the SID of the users is the only one that is not possible to duplicate, but he needs to find in our AD if there are duplicate users, users with the same SAMACCOUNTNAME
Your boss is wrong.
SamAccountName is enforced unique within each domain in a forest (it can duplicate across domains though). objectGUID is enforced unique across the forest. userPrincipalName is enforced unique across the forest.
It leaves you stil needing to define duplicate I'm afraid.
Chris
SamAccountName is enforced unique within each domain in a forest (it can duplicate across domains though). objectGUID is enforced unique across the forest. userPrincipalName is enforced unique across the forest.
It leaves you stil needing to define duplicate I'm afraid.
Chris
So you don't have to take my word for it:
https://blogs.msdn.microsoft.com/openspecification/2009/07/10/understanding-unique-attributes-in-active-directory/
https://blogs.msdn.microsoft.com/openspecification/2009/07/10/understanding-unique-attributes-in-active-directory/
Agree with CHris - you cannot have multiple accounts. The CLOSEST you can come is giving someone the same first name and last name, but even then, they cannot be in the same OU. Try it. Try to create a new account using an existing user name. You CAN'T!
If you'd like to humour your boss, that's fine. But you may need to give an indication of directory size unless you want to hopelessly overrun the memory on your PC. For a few hundred, even a thousand or so users, the snippet I posted above works. Adjusted a little here:
SamAccountName can be replaced by any attribute name, but you will also need to ask Get-ADUser to get the attribute. For example, duplication based on the description attribute (no idea why anyone would care about that, but it serves as an example):
Chris
Get-ADUser -Filter * |
Group-Object SamAccountName -NoElement |
Where-Object Count -gt 1 |
Export-Csv DuplicateSamAccountName.csv -NoTypeInformation
SamAccountName can be replaced by any attribute name, but you will also need to ask Get-ADUser to get the attribute. For example, duplication based on the description attribute (no idea why anyone would care about that, but it serves as an example):
Get-ADUser -Filter * -Properties Description |
Group-Object Description -NoElement |
Where-Object Count -gt 1 |
Export-Csv DuplicateDescription.csv -NoTypeInformation
Chris
Hi Jose,
Though I agree with the opinion of other experts that it is highly likely to have duplicate ID, I have come across situations where the attributes of one object are duplicated with others during the Office 365 (DirSync) assesment.
You can run this tool (IDFiX) from any of domain join machine and it would give you the list of possibly all the duplicate IDs. you can open the csv and apply filters for duplicate IDs and what attribute is duplicated (SAMAccount, Email-Address etc.)
https://www.microsoft.com/en-in/download/details.aspx?id=36832
Regards,
Aanand Singh Karki
Though I agree with the opinion of other experts that it is highly likely to have duplicate ID, I have come across situations where the attributes of one object are duplicated with others during the Office 365 (DirSync) assesment.
You can run this tool (IDFiX) from any of domain join machine and it would give you the list of possibly all the duplicate IDs. you can open the csv and apply filters for duplicate IDs and what attribute is duplicated (SAMAccount, Email-Address etc.)
https://www.microsoft.com/en-in/download/details.aspx?id=36832
Regards,
Aanand Singh Karki
You need to determine what your boss is really after, otherwise everyone is just going to throw a bunch of information at you.
The SamAccountName must be unique for a lot of reasons, AD won't let you create a duplicate as it will throw a constraint violation when it attempts to index it.
The UPN (Universal Principal Name/LogonID) contrary to what is documented, can accept a duplicate, so maybe that is what your boss is after. It will create problems if you have a duplicate, but AD does not care about the contents.
The name (CN=), ie the first part of the RDN, also does not need to be unique, provided that the 'duplicate' is in a different AD container. So you can have two 'Jane.Doe' accounts. The first and last name, display name, and everything else is irrelevant.
If you are good with Microsoft Access, you can dump any directory fields you are interested into a table and quickly let it find the dups; Excel might have a similar feature without resorting to Powershell.
I'm afraid you need more clarification from your boss...
The SamAccountName must be unique for a lot of reasons, AD won't let you create a duplicate as it will throw a constraint violation when it attempts to index it.
The UPN (Universal Principal Name/LogonID) contrary to what is documented, can accept a duplicate, so maybe that is what your boss is after. It will create problems if you have a duplicate, but AD does not care about the contents.
The name (CN=), ie the first part of the RDN, also does not need to be unique, provided that the 'duplicate' is in a different AD container. So you can have two 'Jane.Doe' accounts. The first and last name, display name, and everything else is irrelevant.
If you are good with Microsoft Access, you can dump any directory fields you are interested into a table and quickly let it find the dups; Excel might have a similar feature without resorting to Powershell.
I'm afraid you need more clarification from your boss...
Thank you all.
My boss insists that duplicate cases of USERID may occur, to verify if there are such cases. Our AD is about 5000 users.
With the first command sent by Chris manage the query and It indicate the users with indentical names but located in different OU.
The second command did not give me any results for the SAMACCOUNTNAME.
The third command as u indicate brings me the duplicate descriptions.
I must meet with my boss to clarify what information he needs exactly.
Thanks for the participation
My boss insists that duplicate cases of USERID may occur, to verify if there are such cases. Our AD is about 5000 users.
With the first command sent by Chris manage the query and It indicate the users with indentical names but located in different OU.
The second command did not give me any results for the SAMACCOUNTNAME.
The third command as u indicate brings me the duplicate descriptions.
I must meet with my boss to clarify what information he needs exactly.
Thanks for the participation
Clarify what the 'UserID' is, as there are lots of attributes in the directory that can be considered a 'UserID'.
Demonstrate what happens when you create a second account using the same user name. Try it. Try it in one OU and try it in two separate OUs.
You should define what you mean by 'User Name', as that can mean different things to different people.
> With the first command sent by Chris manage the query and It indicate the users with indentical names but located in different OU.
That's fine, expected for a directory of any real size. As long as Distinguished Name differs (and they will by virtue of having different OUs), relative distinguished name can duplicate.
Anyway, do clarify what is considered to be UserID, or try the same process for the "userPrincipalName" attribute and see where that leaves you.
Another possibility, I suppose, might be the mail attribute. That is, if that's being used as a user ID for any services using LDAP authentication. The mail attribute is unconstrained, a duplicate there would be a trivial thing to create.
Let's twist the snippet that looks at SamAccountName, absence of a thing is sometimes not enough to make people feel happy. Removing the filter will show that each user name in the list exists once only. Sorting it into alphabetical order would help you visually confirm this is so.
That's fine, expected for a directory of any real size. As long as Distinguished Name differs (and they will by virtue of having different OUs), relative distinguished name can duplicate.
Anyway, do clarify what is considered to be UserID, or try the same process for the "userPrincipalName" attribute and see where that leaves you.
Another possibility, I suppose, might be the mail attribute. That is, if that's being used as a user ID for any services using LDAP authentication. The mail attribute is unconstrained, a duplicate there would be a trivial thing to create.
Let's twist the snippet that looks at SamAccountName, absence of a thing is sometimes not enough to make people feel happy. Removing the filter will show that each user name in the list exists once only. Sorting it into alphabetical order would help you visually confirm this is so.
Get-ADUser -Filter * |
Group-Object SamAccountName -NoElement |
Sort-Object Name |
Export-Csv DuplicateSamAccountName.csv -NoTypeInformation
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Outlook 2013 Par… 139 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
What do you consider to be a duplicate?
A very quick way, if the directory is small, is to use Group-Object. For example:
Open in new window
Anything left in the list is a duplicate (based on the object name). Attributes like SamAccountName are enforced unique, so much of this depends on how you define duplication.Finally, if the directory is large, numbering in thousands, you really need a better way than the snippet above.
Chris