Quickly Compare User’s AD Group Membership in PowerShell


Often I get access requests, especially for new employees, for setting up someone’s network permissions, like Dan's in the marketing department. Dan is new to the Marketing team and his manager wants his account set up like Paul's account. So, normally, I would do a side-by-side comparison in ADUC and then fill in the gaps. That sounds a little tedious. So, I wrote a quick function to compare groups and output those that are common to both and those unique to each. Here is a sample of the output from the function:

PS C:\> Get-PWADGroupComparison pwetter djohnson
--------------------------------------------------------------------------
[Paul Wetter] and [Dan Johnson] have the following groups in common:
--------------------------------------------------------------------------
Domain Users
SCCM-Technicians
TESTDG1

--------------------------------------------------------------------------
The following groups are unique to [Paul Wetter]:
--------------------------------------------------------------------------
ConfigMgrAgents
ConfigMgrAdmins
DnsAdmins
GPOTest
SCOMAdmins

--------------------------------------------------------------------------
The following groups are unique to [Dan Johnson]:
--------------------------------------------------------------------------
SCCM-MWAdmins
SCCM-Techs-Level-1
PS C:\>

Nothing too fancy, but very useful for finding groups and then copying and pasting them, either to apply the groups to a new user or to paste into a ticketing system.

So, here's the PowerShell function. Enjoy!

function Get-PWADGroupComparison{
    <#
    .SYNOPSIS
        This will compare 2 user accounts in active directory and tell you their group membership and how they are similar and different. 
    .PARAMETER Identity1
        The first user account that you would like to compare. 
    .PARAMETER Identity2
        The second user account that you would like to compare. 
    .EXAMPLE
        Get-PWADGroupComparison -Identity1 BobJ -Identity2 DanO
    .EXAMPLE
        Get-PWADGroupComparison BobJ DanO
    .NOTES
        Author: Paul Wetter
        Website: www.wetterssoure.com
        The script is provided AS IS with no guarantees, no warranties, and it confers no rights.
    #>

    [CmdletBinding()] 
    param (
        [Parameter(ValueFromPipelineByPropertyName=$true,Mandatory=$True,ValueFromPipeline=$True,
        HelpMessage="The first user account that you would like to compare")] 
        [string]$Identity1,

        # Both accounts are needed for a comparison, so Identity2 is mandatory as well
        [Parameter(ValueFromPipelineByPropertyName=$true,Mandatory=$True,ValueFromPipeline=$True,
        HelpMessage="The second user account that you would like to compare")] 
        [string]$Identity2
    )

    $user1 = (Get-ADPrincipalGroupMembership -Identity $Identity1 | select Name | Sort-Object -Property Name).Name
    Write-Verbose ($user1 -join "; ")
    $user2 = (Get-ADPrincipalGroupMembership -Identity $Identity2 | select Name | Sort-Object -Property Name).Name
    Write-Verbose ""
    Write-Verbose ($user2 -join "; ")
    $SameGroups = (Compare-Object $user1 $user2 -PassThru -IncludeEqual -ExcludeDifferent)
    Write-Verbose ""
    Write-Verbose ($SameGroups -join "; ")
    $UniqueID1 = (Compare-Object $user1 $user2 -PassThru | where {$_.SideIndicator -eq "<="})
    Write-Verbose ""
    Write-Verbose ($UniqueID1 -join "; ")
    $UniqueID2 = (Compare-Object $user1 $user2 -PassThru | where {$_.SideIndicator -eq "=>"})
    Write-Verbose ""
    Write-Verbose ($UniqueID2 -join "; ")
    $ID1Name = (Get-ADUser -Identity $Identity1 | Select Name).Name
    Write-Verbose ""
    Write-Verbose ($ID1Name -join "; ")
    $ID2Name = (Get-ADUser -Identity $Identity2 | Select Name).Name
    Write-Verbose ""
    Write-Verbose ($ID2Name -join "; ")

    Write-Host "--------------------------------------------------------------------------"
    Write-Host "[$ID1Name] and [$ID2Name] have the following groups in common:"
    Write-Host "--------------------------------------------------------------------------"
    $SameGroups
    Write-Host ""

    Write-Host "--------------------------------------------------------------------------"
    Write-Host "The following groups are unique to [$ID1Name]:"
    Write-Host "--------------------------------------------------------------------------"
    $UniqueID1
    Write-Host ""
    Write-Host "--------------------------------------------------------------------------"
    Write-Host "The following groups are unique to [$ID2Name]:"
    Write-Host "--------------------------------------------------------------------------"
    $UniqueID2

}
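
An added example, not part of the original post or the author's code: a variant that returns objects instead of formatted text and flags AdminSDHolder-protected groups, so the groups unique to the template account can be reviewed before they are copied to the new user. The function name Compare-ADUserGroupObject is hypothetical, and the code assumes both users and all of their groups live in the current domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
function Compare-ADUserGroupObject {   # hypothetical name
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 0)][string]$ReferenceUser,
        [Parameter(Mandatory = $true, Position = 1)][string]$DifferenceUser
    )

    # Index each user's groups by DistinguishedName. A DN is unique, whereas two
    # groups in different OUs can share a Name. Only direct memberships (plus the
    # primary group) are returned; nested groups are not expanded.
    $index = @{}
    $users = @{ Reference = $ReferenceUser; Difference = $DifferenceUser }
    foreach ($side in $users.Keys) {
        foreach ($g in Get-ADPrincipalGroupMembership -Identity $users[$side]) {
            $dn = $g.DistinguishedName
            if (-not $index.ContainsKey($dn)) {
                $index[$dn] = @{ Name = $g.Name; Reference = $false; Difference = $false }
            }
            $index[$dn][$side] = $true
        }
    }

    foreach ($dn in $index.Keys) {
        $entry = $index[$dn]
        if ($entry.Reference -and $entry.Difference) { $membership = 'Both' }
        elseif ($entry.Reference) { $membership = 'ReferenceOnly' }
        else { $membership = 'DifferenceOnly' }

        # adminCount = 1 is stamped on groups protected by AdminSDHolder/SDProp.
        # A group without it (DnsAdmins, for example) can still be privileged.
        $adGroup = Get-ADGroup -Identity $dn -Properties adminCount
        [pscustomobject]@{
            Group             = $entry.Name
            Membership        = $membership
            Protected         = ($adGroup.adminCount -eq 1)
            DistinguishedName = $dn
        }
    }
}

# Groups the reference user has that the new user lacks, protected ones first,
# so they can be reviewed before being copied to the new account.
Compare-ADUserGroupObject pwetter djohnson |
    Where-Object Membership -eq 'ReferenceOnly' |
    Sort-Object -Property Protected -Descending |
    Format-Table Group, Protected, DistinguishedName
```

Because the function emits objects, the same result can be piped to Export-Csv or ConvertTo-Json for attachment to the access-request ticket.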

 


Comments

I (with the help of ChatGPT) wrote a GUI wrapper, using the script as a base:

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Get-PWADGroupComparison {
   <#
   .SYNOPSIS
       This will compare 2 user accounts in active directory and tell you their group membership and how they are similar and different. 
   .PARAMETER Identity1
       The first user account that you would like to compare. 
   .PARAMETER Identity2
       The second user account that you would like to compare. 
   .EXAMPLE
       Get-PWADGroupComparison -Identity1 BobJ -Identity2 DanO
   .EXAMPLE
       Get-PWADGroupComparison BobJ DanO
   .NOTES
       Author: Paul Wetter
       Website: www.wetterssoure.com
       The script is provided AS IS with no guarantees, no warranties, and it confers no rights.
   #>

   [CmdletBinding()] 
   param (
       [Parameter(ValueFromPipelineByPropertyName=$true,Mandatory=$True,ValueFromPipeline=$True,
       HelpMessage="The first user account that you would like to compare")] 
       [string]$Identity1,

       # Both accounts are needed for a comparison, so Identity2 is mandatory as well
       [Parameter(ValueFromPipelineByPropertyName=$true,Mandatory=$True,ValueFromPipeline=$True,
       HelpMessage="The second user account that you would like to compare")] 
       [string]$Identity2
   )

   $user1 = (Get-ADPrincipalGroupMembership -Identity $Identity1 | select Name | Sort-Object -Property Name).Name
   Write-Verbose ($user1 -join "; ")
   $user2 = (Get-ADPrincipalGroupMembership -Identity $Identity2 | select Name | Sort-Object -Property Name).Name
   Write-Verbose ""
   Write-Verbose ($user2 -join "; ")
   $SameGroups = (Compare-Object $user1 $user2 -PassThru -IncludeEqual -ExcludeDifferent)
   Write-Verbose ""
   Write-Verbose ($SameGroups -join "; ")
   $UniqueID1 = (Compare-Object $user1 $user2 -PassThru | where {$_.SideIndicator -eq "<="})
   Write-Verbose ""
   Write-Verbose ($UniqueID1 -join "; ")
   $UniqueID2 = (Compare-Object $user1 $user2 -PassThru | where {$_.SideIndicator -eq "=>"})
   Write-Verbose ""
   Write-Verbose ($UniqueID2 -join "; ")
   $ID1Name = (Get-ADUser -Identity $Identity1 | Select Name).Name
   Write-Verbose ""
   Write-Verbose ($ID1Name -join "; ")
   $ID2Name = (Get-ADUser -Identity $Identity2 | Select Name).Name
   Write-Verbose ""
   Write-Verbose ($ID2Name -join "; ")

   $Results = @{
       CommonGroups = $SameGroups
       UniqueGroupsUser1 = $UniqueID1
       UniqueGroupsUser2 = $UniqueID2
       Username1 = $ID1Name
       Username2 = $ID2Name
   }

   return $Results
}

# GUI Script
function Show-ComparisonGUI {
   param (
       [hashtable]$ComparisonResults
   )

   $form = New-Object System.Windows.Forms.Form
   $form.Size = New-Object System.Drawing.Size(700, 500)
   $form.Text = "AD User Groups Comparison"

   $label1 = New-Object System.Windows.Forms.Label
   $label1.Location = New-Object System.Drawing.Point(20, 20)
   $label1.Text = "Username 1:"
   $form.Controls.Add($label1)

   $textBox1 = New-Object System.Windows.Forms.TextBox
   $textBox1.Location = New-Object System.Drawing.Point(120, 20)
   $textBox1.Size = New-Object System.Drawing.Size(200, 20)
   $textBox1.Text = $ComparisonResults.Username1
   $form.Controls.Add($textBox1)

   $label2 = New-Object System.Windows.Forms.Label
   $label2.Location = New-Object System.Drawing.Point(20, 60)
   $label2.Text = "Username 2:"
   $form.Controls.Add($label2)

   $textBox2 = New-Object System.Windows.Forms.TextBox
   $textBox2.Location = New-Object System.Drawing.Point(120, 60)
   $textBox2.Size = New-Object System.Drawing.Size(200, 20)
   $textBox2.Text = $ComparisonResults.Username2
   $form.Controls.Add($textBox2)

   $compareButton = New-Object System.Windows.Forms.Button
   $compareButton.Location = New-Object System.Drawing.Point(350, 50)
   $compareButton.Size = New-Object System.Drawing.Size(100, 30)
   $compareButton.Text = "Compare"
   $compareButton.Add_Click({
       $ComparisonResults = Get-PWADGroupComparison -Identity1 $textBox1.Text -Identity2 $textBox2.Text
       Show-ComparisonResults -ComparisonResults $ComparisonResults
   })
   $form.Controls.Add($compareButton)

   $labelResults = New-Object System.Windows.Forms.Label
   $labelResults.Location = New-Object System.Drawing.Point(20, 100)
   $labelResults.Text = "Groups for:"
   $form.Controls.Add($labelResults)

   $textBoxResults = New-Object System.Windows.Forms.TextBox
   $textBoxResults.Location = New-Object System.Drawing.Point(20, 120)
   $textBoxResults.Size = New-Object System.Drawing.Size(650, 300)
   $textBoxResults.Multiline = $true
   $textBoxResults.ReadOnly = $true
   $form.Controls.Add($textBoxResults)

   # Fill the results box before the dialog opens: ShowDialog() blocks until the
   # form is closed, so anything assigned after it would never be displayed.
   if ($ComparisonResults.Username1 -and $ComparisonResults.Username2) {
       Show-ComparisonResults -ComparisonResults $ComparisonResults
   }

   $form.Add_Shown({ $form.Activate() })
   # Discard the DialogResult so it does not leak into the function's output
   [void]$form.ShowDialog()
}

# Function to show results in the same Comparison GUI
function Show-ComparisonResults {
   param (
       [hashtable]$ComparisonResults
   )

   # Update existing TextBox with results
   $textBoxResults.Text = @"
Results for $($ComparisonResults.Username1) and $($ComparisonResults.Username2):

Common Groups:
$($ComparisonResults.CommonGroups -join "`r`n")

Unique Groups for $($ComparisonResults.Username1):
$($ComparisonResults.UniqueGroupsUser1 -join "`r`n")

Unique Groups for $($ComparisonResults.Username2):
$($ComparisonResults.UniqueGroupsUser2 -join "`r`n")
"@
}

# Example: Show GUI with text boxes for entering usernames
Show-ComparisonGUI -ComparisonResults @{
   Username1 = ""
   Username2 = ""
   CommonGroups = @()
   UniqueGroupsUser1 = @()
   UniqueGroupsUser2 = @()
}
 
