How to find duplicates users in Active Directory

Hello All,

I need a command to query duplicate users in my AD.

Could you help me?
Jose Colmenares asked:
Chris Dent (PowerShell Developer) commented:
How big is the directory (number of objects)?

What do you consider to be a duplicate?

A very quick way, if the directory is small, is to use Group-Object. For example:
Get-ADUser -Filter * | Group-Object Name | Where-Object Count -gt 1


Anything left in the list is a duplicate (based on the object name). Attributes like SamAccountName are enforced unique, so much of this depends on how you define duplication.

Finally, if the directory is large, numbering in thousands, you really need a better way than the snippet above.

Chris
1

footech commented:
Since there's no such thing as duplicate users in Active Directory, you're going to have to be more specific in what you're looking for.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Agree with Footech - you can't have duplicate users.  So what EXACTLY is your issue?  How does it manifest itself?
0

Jose Colmenares (Author) commented:
My boss indicates that the SID of the users is the only one that is not possible to duplicate, but he needs to find in our AD if there are duplicate users, users with the same SAMACCOUNTNAME.
0
Chris Dent (PowerShell Developer) commented:
Your boss is wrong.

SamAccountName is enforced unique within each domain in a forest (it can duplicate across domains though). objectGUID is enforced unique across the forest. userPrincipalName is enforced unique across the forest.

It leaves you still needing to define duplicate, I'm afraid.

Chris
1
Lee W, MVP (Technology and Business Process Advisor) commented:
Agree with Chris - you cannot have multiple accounts.  The CLOSEST you can come is giving someone the same first name and last name, but even then, they cannot be in the same OU.  Try it.  Try to create a new account using an existing user name.  You CAN'T!
0
Chris Dent (PowerShell Developer) commented:
If you'd like to humour your boss, that's fine. But you may need to give an indication of directory size unless you want to hopelessly overrun the memory on your PC. For a few hundred, even a thousand or so users, the snippet I posted above works. Adjusted a little here:
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation


If it's multiples of 1000 it's likely to need something a little more refined than that.

SamAccountName can be replaced by any attribute name, but you will also need to ask Get-ADUser to get the attribute. For example, duplication based on the description attribute (no idea why anyone would care about that, but it serves as an example):
Get-ADUser -Filter * -Properties Description |
    Group-Object Description -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateDescription.csv -NoTypeInformation


Queries like this, where the majority of the heavy lifting is client-side, are best run from a workstation with the RSAT package installed (specifically the AD PowerShell tools). The DC, of course, will still be taking care of the LDAP query (behind the scenes).

Chris
1
Chris Dent (PowerShell Developer) commented:
Sleepy, "The DC will still be taking care of the LDAP query".
0
Aanand Singh Karki (Associate Consultant) commented:
Hi Jose,

Though I agree with the opinion of the other experts that it is highly likely to have duplicate IDs, I have come across situations where the attributes of one object are duplicated with others during an Office 365 (DirSync) assessment.

You can run this tool (IDFiX) from any domain-joined machine and it will give you a list of possibly all the duplicate IDs. You can open the CSV and apply filters for the duplicate IDs and which attribute is duplicated (SAMAccount, email address, etc.).

https://www.microsoft.com/en-in/download/details.aspx?id=36832

Regards,
Aanand Singh Karki
0
Kevin Stanush (Application Developer) commented:
You need to determine what your boss is really after, otherwise everyone is just going to throw a bunch of information at you.  

The SamAccountName must be unique for a lot of reasons, AD won't let you create a duplicate as it will throw a constraint violation when it attempts to index it.  

The UPN (Universal Principal Name/LogonID) contrary to what is documented, can accept a duplicate, so maybe that is what your boss is after.  It will create problems if you have a duplicate, but AD does not care about the contents.  

The name (CN=), ie the first part of the RDN, also does not need to be unique, provided that the 'duplicate' is in a different AD container.  So you can have two 'Jane.Doe' accounts.  The first and last name, display name, and everything else is irrelevant.

If you are good with Microsoft Access, you can dump any directory fields you are interested into a table and quickly let it find the dups; Excel might have a similar feature without resorting to Powershell.

I'm afraid you need more clarification from your boss...
0
Jose Colmenares (Author) commented:
Thank you all.

My boss insists that duplicate cases of USERID may occur, to verify if there are such cases. Our AD is about 5000 users.

With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.
The second command did not give me any results for the SAMACCOUNTNAME.
The third command, as you indicated, brings me the duplicate descriptions.

I must meet with my boss to clarify what information he needs exactly.
Thanks for the participation
0
Kevin Stanush (Application Developer) commented:
Clarify what the 'UserID' is, as there are lots of attributes in the directory that can be considered a 'UserID'.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Demonstrate what happens when you create a second account using the same user name.  Try it.  Try it in one OU and try it in two separate OUs.
0
Kevin Stanush (Application Developer) commented:
You should define what you mean by 'User Name', as that can mean different things to different people.
0
Chris Dent (PowerShell Developer) commented:
> With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.

That's fine, expected for a directory of any real size. As long as Distinguished Name differs (and they will by virtue of having different OUs), relative distinguished name can duplicate.

Anyway, do clarify what is considered to be UserID, or try the same process for the "userPrincipalName" attribute and see where that leaves you.

Another possibility, I suppose, might be the mail attribute. That is, if that's being used as a user ID for any services using LDAP authentication. The mail attribute is unconstrained, a duplicate there would be a trivial thing to create.

Let's twist the snippet that looks at SamAccountName; the absence of a thing is sometimes not enough to make people feel happy. Removing the filter will show that each user name in the list exists once only. Sorting it into alphabetical order would help you visually confirm this is so.
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Sort-Object Name |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation


Chris
1
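An added example, not code posted by anyone in this thread: it does what Chris describes as needing "something a little more refined" for a directory of several thousand users (his comment above on memory use), and it checks the userPrincipalName and mail attributes he mentions in his last comment alongside SamAccountName. Users are streamed through the pipeline and counted in per-attribute hashtables, so memory is bounded by the number of distinct values rather than by the number of user objects; a second, targeted pass then lists the distinguished names behind each collision. It assumes the RSAT ActiveDirectory module is installed; the attribute list, page size, output file name and the ConvertTo-LdapFilterValue helper are this example's own choices.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module is installed and the running account can read the directory.
# The attribute list, page size and output file name are illustrative choices.
Import-Module ActiveDirectory

# Candidate "user ID" attributes discussed in the thread. SamAccountName is
# unique within a domain; userPrincipalName and mail are not enforced by AD.
$attributes = 'SamAccountName', 'UserPrincipalName', 'mail'

# One case-insensitive counter per attribute. AD matches these values without
# regard to case, so "JDoe" and "jdoe" must land in the same bucket.
$counts = @{}
foreach ($attribute in $attributes) {
    $counts[$attribute] = New-Object 'System.Collections.Generic.Dictionary[string,int]' `
        -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
}

# Stream objects through the pipeline instead of collecting them into an array
# first. -ResultPageSize sets how many objects each LDAP page returns from the DC.
Get-ADUser -Filter * -Properties $attributes -ResultPageSize 500 |
    ForEach-Object {
        $user = $_
        foreach ($attribute in $attributes) {
            $value = [string]$user.$attribute
            if ([string]::IsNullOrWhiteSpace($value)) { continue }   # empty is not a duplicate
            $table = $counts[$attribute]
            if ($table.ContainsKey($value)) { $table[$value] = $table[$value] + 1 }
            else                            { $table[$value] = 1 }
        }
    }

# Keep only values seen more than once.
$duplicates = foreach ($attribute in $attributes) {
    foreach ($entry in $counts[$attribute].GetEnumerator()) {
        if ($entry.Value -gt 1) {
            [pscustomobject]@{ Attribute = $attribute; Value = $entry.Key; Count = $entry.Value }
        }
    }
}

# RFC 4515 escaping (hypothetical helper name): a value containing \ * ( )
# must not be able to change the meaning of the LDAP filter built below.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Second, targeted pass: fetch the objects carrying each colliding value so the
# report names the actual accounts, not just the value.
$report = foreach ($row in $duplicates) {
    $filter = "($($row.Attribute)=$(ConvertTo-LdapFilterValue $row.Value))"
    Get-ADUser -LDAPFilter $filter -Properties $row.Attribute |
        ForEach-Object {
            [pscustomobject]@{
                Attribute         = $row.Attribute
                Value             = $row.Value
                Count             = $row.Count
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$report | Sort-Object Attribute, Value, DistinguishedName |
    Export-Csv DuplicateIdentityAttributes.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

As written this runs against the current domain only, which is where SamAccountName uniqueness is enforced. To look for userPrincipalName or mail collisions across the whole forest, point both Get-ADUser calls at a global catalog (for example `-Server 'dc01.example.com:3268'`, a placeholder host name); all three attributes are replicated to the GC, and the forest-wide uniqueness Chris describes for UPN is not something the directory enforces, so this is the check that actually finds a cross-domain clash. An empty report is the positive evidence the original poster's boss is asking for.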