Jose Colmenares (Chile) asked:

How to find duplicates users in Active Directory

Hello All,

I need a command to query duplicate users in my AD.

Could you help me?
Tags: Active Directory, PowerShell

Last Comment
RadioActiveLamb

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Chris Dent
footech

Since there's no such thing as duplicate users in Active Directory, you're going to have to be more specific in what you're looking for.
Lee W, MVP

Agree with Footech - you can't have duplicate users.  So what EXACTLY is your issue?  How does it manifest itself?
Jose Colmenares

ASKER
My boss indicates that the SID of the users is the only attribute that cannot be duplicated, but he needs me to find out whether there are duplicate users in our AD, that is, users with the same SAMACCOUNTNAME.
Chris Dent

Your boss is wrong.

SamAccountName is enforced unique within each domain in a forest (it can duplicate across domains though). objectGUID is enforced unique across the forest. userPrincipalName is enforced unique across the forest.

It leaves you still needing to define duplicate, I'm afraid.

Chris
Lee W, MVP

Agree with Chris - you cannot have multiple accounts. The CLOSEST you can come is giving someone the same first name and last name, but even then, they cannot be in the same OU. Try it. Try to create a new account using an existing user name. You CAN'T!
Chris Dent

If you'd like to humour your boss, that's fine. But you may need to give an indication of directory size unless you want to hopelessly overrun the memory on your PC. For a few hundred, even a thousand or so users, the snippet I posted above works. Adjusted a little here:
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation

If it's multiples of 1000 it's likely to need something a little more refined than that.

SamAccountName can be replaced by any attribute name, but you will also need to ask Get-ADUser to get the attribute. For example, duplication based on the description attribute (no idea why anyone would care about that, but it serves as an example):
Get-ADUser -Filter * -Properties Description |
    Group-Object Description -NoElement |
    Where-Object Count -gt 1 |
    Export-Csv DuplicateDescription.csv -NoTypeInformation

Queries like this, where the majority of the heavy lifting is client-side, are best run from a workstation with the RSAT package installed (specifically the AD PowerShell tools). The AD, of course, will still be taking get of the LDAP query (behind the scenes).

Chris
Chris Dent

Sleepy, "The DC will still be taking care of the LDAP query".
Aanand Singh Karki

Hi Jose,

Though I agree with the opinion of the other experts that it is highly likely to have duplicate IDs, I have come across situations where the attributes of one object are duplicated with others during the Office 365 (DirSync) assessment.

You can run this tool (IDFix) from any domain-joined machine and it will give you a list of possibly all the duplicate IDs. You can open the CSV and apply filters for duplicate IDs and the attribute that is duplicated (SAMAccount, Email-Address etc.).

https://www.microsoft.com/en-in/download/details.aspx?id=36832

Regards,
Aanand Singh Karki
Kevin Stanush

You need to determine what your boss is really after, otherwise everyone is just going to throw a bunch of information at you.  

The SamAccountName must be unique for a lot of reasons, AD won't let you create a duplicate as it will throw a constraint violation when it attempts to index it.  

The UPN (Universal Principal Name/LogonID) contrary to what is documented, can accept a duplicate, so maybe that is what your boss is after.  It will create problems if you have a duplicate, but AD does not care about the contents.  

The name (CN=), i.e. the first part of the RDN, also does not need to be unique, provided that the 'duplicate' is in a different AD container. So you can have two 'Jane.Doe' accounts. The first and last name, display name, and everything else is irrelevant.

If you are good with Microsoft Access, you can dump any directory fields you are interested in into a table and quickly let it find the dups; Excel might have a similar feature without resorting to PowerShell.

I'm afraid you need more clarification from your boss...
Jose Colmenares

ASKER
Thank you all.

My boss insists that duplicate cases of USERID may occur, and wants me to verify whether there are such cases. Our AD is about 5000 users.

With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.
The second command did not give me any results for the SAMACCOUNTNAME.
The third command, as you indicated, brings me the duplicate descriptions.

I must meet with my boss to clarify what information he needs exactly.
Thanks for the participation
Kevin Stanush

Clarify what the 'UserID' is, as there are lots of attributes in the directory that can be considered a 'UserID'.
Lee W, MVP

Demonstrate what happens when you create a second account using the same user name.  Try it.  Try it in one OU and try it in two separate OUs.
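The following is an added example, not code from Lee's reply or from anyone in the thread: it performs the test he describes in a lab domain by creating a throwaway account and then attempting a second one with the same SamAccountName in a different OU. The OU paths and the account names are assumptions; adjust them to a test domain before running.

```powershell
# Added example, not from the thread: demonstrate the uniqueness rules discussed above.
# The OU paths and names are assumptions for a lab domain; change them before running.
$ouA = 'OU=LabA,DC=corp,DC=example'   # assumed existing OU
$ouB = 'OU=LabB,DC=corp,DC=example'   # assumed second, different OU
$sam = 'dupetest01'                   # constructed test SamAccountName

function Test-DuplicateSamAccountName {
    try {
        # New-ADUser creates the account disabled and without a password,
        # so nothing can log on with it while the test runs.
        New-ADUser -Name 'Dupe Test' -SamAccountName $sam -Path $ouA -ErrorAction Stop
        Write-Host "Created $sam in $ouA"

        try {
            # Same SamAccountName, different OU and different CN: the DC rejects this,
            # because sAMAccountName is enforced unique within the domain.
            New-ADUser -Name 'Dupe Test Copy' -SamAccountName $sam -Path $ouB -ErrorAction Stop
            Write-Warning "Unexpected: a second '$sam' was created"
        }
        catch {
            Write-Host "Second create refused: $($_.Exception.Message)"
        }

        # Same CN ('Dupe Test') in another OU with a new SamAccountName succeeds:
        # only the relative distinguished name must be unique within its container.
        New-ADUser -Name 'Dupe Test' -SamAccountName "${sam}b" -Path $ouB -ErrorAction Stop
        Write-Host "Same CN in $ouB accepted with SamAccountName ${sam}b"
    }
    finally {
        # Remove whichever test accounts were created, whatever happened above.
        Get-ADUser -Filter "SamAccountName -like '$sam*'" | Remove-ADUser -Confirm:$false
    }
}

Test-DuplicateSamAccountName
```

The `-ErrorAction Stop` on each `New-ADUser` matters: the AD cmdlets raise non-terminating errors by default, so without it the `catch` block would never run and the script would carry on as if the duplicate had been created.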
Kevin Stanush

You should define what you mean by 'User Name', as that can mean different things to different people.
Chris Dent

> With the first command sent by Chris I managed the query, and it indicated the users with identical names but located in different OUs.

That's fine, expected for a directory of any real size. As long as Distinguished Name differs (and they will by virtue of having different OUs), relative distinguished name can duplicate.

Anyway, do clarify what is considered to be UserID, or try the same process for the "userPrincipalName" attribute and see where that leaves you.

Another possibility, I suppose, might be the mail attribute. That is, if that's being used as a user ID for any services using LDAP authentication. The mail attribute is unconstrained, a duplicate there would be a trivial thing to create.

Let's twist the snippet that looks at SamAccountName; the absence of a thing is sometimes not enough to make people feel happy. Removing the filter will show that each user name in the list exists once only. Sorting it into alphabetical order would help you visually confirm this is so.
Get-ADUser -Filter * |
    Group-Object SamAccountName -NoElement |
    Sort-Object Name |
    Export-Csv DuplicateSamAccountName.csv -NoTypeInformation

Chris
RadioActiveLamb

I know this is an old conversation, but I ran across it while looking for a similar solution. There seems to be a glaring "miss", since the question was regarding duplicate accounts in a multi-domain forest. The solutions I see above only pull accounts from a single domain. I use this script to identify duplicate SAMACCOUNTNAME attributes in the entire multi-domain forest, then leave them in the "$dupes" array:
$CSVfile = "$($env:onedrivecommercial)\output\DuplicateSAM.csv"
$users = @()
ForEach ($domain in (get-adforest).domains) {
    $DomObj = Get-ADDomain $domain
    "Querying users in $($DomObj.Name)"
    $users += Get-ADUser -filter * -SearchBase $DomObj.DistinguishedName -Server $DomObj.RIDMaster
}
write-host "Read $($users.count) users. Looking for duplicates..."
$dupes = $users | Group-Object SamAccountName | Where-Object Count -gt 1
write-host "Duplicates found: $($dupes.count)"
$dupes | Export-Csv -Path $CSVfile -NoTypeInformation 
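The function below is an added example and not code from the thread; it combines Chris's per-attribute variants (SamAccountName, Description, and his later suggestion of userPrincipalName and mail) with RadioActiveLamb's loop over every domain in the forest. Instead of collecting every ADUser object into an array before grouping, it streams the results and keeps only a hashtable of attribute value to distinguished names, which is what makes the "multiples of 1000" case cheap on the client. The attribute and cmdlet parameter names are real AD module names; the output path in the usage line is an assumption.

```powershell
# Added example, not from the thread: forest-wide duplicate finder for a single-valued
# user attribute. Memory holds only strings (value + DNs), not full ADUser objects.
function Find-ADDuplicateValue {
    [CmdletBinding()]
    param(
        # SamAccountName is unique per domain (duplicates across domains are expected),
        # UserPrincipalName should be unique per forest, mail is not constrained by AD.
        [ValidateSet('SamAccountName', 'UserPrincipalName', 'mail', 'Description')]
        [string]$Attribute = 'SamAccountName',

        # By default objects with no value are skipped; otherwise every empty
        # Description or mail would be reported as one huge "duplicate".
        [switch]$IncludeEmpty
    )

    $seen  = @{}   # PowerShell hashtable keys are case-insensitive, like AD's own comparison
    $total = 0

    foreach ($domain in (Get-ADForest).Domains) {
        $dom = Get-ADDomain -Identity $domain
        Write-Verbose "Querying users in $($dom.DNSRoot)"

        # -ResultPageSize keeps each LDAP page small; ForEach-Object processes objects
        # as they arrive instead of buffering the whole domain first.
        Get-ADUser -Filter * -Server $dom.DNSRoot -Properties $Attribute -ResultPageSize 500 |
            ForEach-Object {
                $total++
                $value = $_.$Attribute
                if ([string]::IsNullOrEmpty($value)) {
                    if (-not $IncludeEmpty) { return }   # skip this object
                    $value = ''                          # hashtable keys cannot be $null
                }
                if (-not $seen.ContainsKey($value)) {
                    $seen[$value] = [System.Collections.Generic.List[string]]::new()
                }
                $seen[$value].Add($_.DistinguishedName)
            }
    }

    Write-Verbose "Read $total users with $($seen.Count) distinct values of $Attribute"

    # Emit one row per duplicated value; the DN list shows which domain/OU each copy lives in.
    foreach ($entry in $seen.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                Attribute = $Attribute
                Value     = $entry.Key
                Count     = $entry.Value.Count
                Objects   = ($entry.Value -join '; ')
            }
        }
    }
}

# Usage (output path is an assumption). UPN and mail are the attributes that can
# genuinely duplicate and that LDAP-authenticating services tend to use as a user ID.
Find-ADDuplicateValue -Attribute UserPrincipalName -Verbose |
    Sort-Object Count -Descending |
    Export-Csv -Path 'C:\temp\DuplicateUPN.csv' -NoTypeInformation
```

When run with `-Attribute SamAccountName`, any rows it reports will have DNs in different domains, which is the legitimate cross-domain case Chris mentioned rather than a directory fault; a row whose DNs share a domain would be worth investigating, since the DC should never have allowed it.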
