itsmevic
asked on
Active Directory: Script that Compares the Security Groups that are assigned to two User Accounts
I was wondering if someone had an LDAP query or script that can compare the security groups that two user accounts in Active Directory belong to? Having them be able to provide a side-by-side comparison would be ideal in this case. Thank you kindly for your help!
ASKER
Lets say I want to see user1 and the security groups it belongs to. I also want to see user2 and the security groups it belongs to. I'd now like to see this side-by-side so I can determine if they belong to the same groups or not. Hopefully, that makes better sense.
Returns custom objects; output can be piped to Export-Csv, Out-GridView, Format-Table, ...
$user1 = 'john.doe'
$user2 = 'jane.doe'
Import-Module ActiveDirectory
$reference = Get-ADPrincipalGroupMembership -Identity $user1
$difference = Get-ADPrincipalGroupMembership -Identity $user2
Compare-Object -ReferenceObject $reference -DifferenceObject $difference -IncludeEqual -Property DistinguishedName -PassThru |
Select-Object -Property `
Name,
@{n=$user1; e={If ('==', '<=' -contains $_.SideIndicator) {'X'} Else {'-'}}},
@{n=$user2; e={If ('==', '=>' -contains $_.SideIndicator) {'X'} Else {'-'}}},
DistinguishedName |
Sort-Object -Property Name, DistinguishedName
ASKER
Hi oBdA! Thank you for your response. I'm starting the PowerShell ISE as Admin, then copying and pasting the code below into the shell. I added the "Get-Process" method to export as a CSV to my local drive. When I execute the code, it runs without issues, and it eventually produces a beautiful on-screen side-by-side readout of exactly what I need. When I try to pipe the output out to a CSV, it produces all types of garble (I've also used the -notype and -encoding triggers, but that did not help). It appears to be a bunch of data that pertains to my local system. How can I clean this up to export exactly what it's producing on-screen?
$user1 = 'AD_Login_Name1'
$user2 = 'AD_Login_Name2'
Import-Module ActiveDirectory
$reference = Get-ADPrincipalGroupMembership -Identity $user1
$difference = Get-ADPrincipalGroupMembership -Identity $user2
Compare-Object -ReferenceObject $reference -DifferenceObject $difference -IncludeEqual -Property DistinguishedName -PassThru |
Select-Object -Property `
Name,
@{n=$user1; e={If ('==', '<=' -contains $_.SideIndicator) {'X'} Else {'-'}}},
@{n=$user2; e={If ('==', '=>' -contains $_.SideIndicator) {'X'} Else {'-'}}},
DistinguishedName |
Sort-Object -Property Name, DistinguishedName
Get-Process | Export-Csv c:\Accounts.csv
You can get a per-user listing of the groups they are members of.
You can further iterate to see which groups those groups are members of (nested groups).
There are times when multi-group membership can limit the rights the user has, when one group is restricted.
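The script below is an added example, not code from oBdA's answer or from this thread. It wraps the same Compare-Object approach in a function so the comparison itself is what reaches Export-Csv (the asker's problem was that a separate Get-Process call was being exported), and adds an optional -Recurse switch that uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule to include nested group membership, as the last reply suggests. Account names and the output path are placeholders.

```powershell
# Added example (not from the thread): side-by-side group comparison for two users,
# optionally including nested groups, written so the output pipes cleanly to Export-Csv.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembership {
    # Returns the groups a user belongs to. With -Recurse, the DC evaluates the
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) over the
    # 'member' attribute, so groups reached only via other groups are included.
    # Caveat: the chain filter walks 'member' links only, so the user's primary
    # group (set via primaryGroupID, usually Domain Users) is not returned by it.
    param([Parameter(Mandatory)][string]$Identity, [switch]$Recurse)
    $user = Get-ADUser -Identity $Identity
    if ($Recurse) {
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    } else {
        Get-ADPrincipalGroupMembership -Identity $user
    }
}

function Compare-ADUserGroups {
    param(
        [Parameter(Mandatory)][string]$User1,
        [Parameter(Mandatory)][string]$User2,
        [switch]$Recurse
    )
    # @() guards against a null result; Compare-Object rejects a null ReferenceObject.
    $reference  = @(Get-EffectiveGroupMembership -Identity $User1 -Recurse:$Recurse)
    $difference = @(Get-EffectiveGroupMembership -Identity $User2 -Recurse:$Recurse)
    # -IncludeEqual keeps groups common to both; -PassThru keeps the group object
    # so Name and DistinguishedName survive the comparison.
    Compare-Object -ReferenceObject $reference -DifferenceObject $difference `
        -Property DistinguishedName -IncludeEqual -PassThru |
        Select-Object -Property Name,
            @{n = $User1; e = { if ('==', '<=' -contains $_.SideIndicator) { 'X' } else { '-' } }},
            @{n = $User2; e = { if ('==', '=>' -contains $_.SideIndicator) { 'X' } else { '-' } }},
            @{n = 'Status'; e = { switch ($_.SideIndicator) {
                '==' { 'Both' } '<=' { "Only $User1" } '=>' { "Only $User2" } } }},
            DistinguishedName |
        Sort-Object -Property Name, DistinguishedName
}

# Usage: export the comparison pipeline itself, not the output of another cmdlet.
# 'alice.example', 'bob.example' and the CSV path are placeholders.
Compare-ADUserGroups -User1 'alice.example' -User2 'bob.example' -Recurse |
    Export-Csv -Path 'C:\Temp\GroupComparison.csv' -NoTypeInformation -Encoding UTF8
```

Dropping -Recurse reproduces oBdA's direct-membership comparison; with it, the Status column makes it easy to review during an access review which rights one account has only through a nested group.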