Quickly Compare User’s AD Group Membership in PowerShell

Posted by PaulW on Sun, 02/10/2019 - 11:22pm

I often get access requests, especially for new employees, to set up someone's network permissions. Dan, say, is new to the Marketing team, and his manager wants his account set up like Paul's. Normally I would do a side-by-side comparison in ADUC and then fill in the gaps, which is tedious. So I wrote a quick function that compares the group membership of two accounts and outputs the groups they have in common and the groups unique to each. Here is a sample of the output from the function:

PS C:\> Get-PWADGroupComparison pwetter djohnson
--------------------------------------------------------------------------
[Paul Wetter] and [Dan Johnson] have the following groups in common:
--------------------------------------------------------------------------
Domain Users
SCCM-Technicians
TESTDG1

--------------------------------------------------------------------------
The following groups are unique to [Paul Wetter]:
--------------------------------------------------------------------------
ConfigMgrAgents
ConfigMgrAdmins
DnsAdmins
GPOTest
SCOMAdmins

--------------------------------------------------------------------------
The following groups are unique to [Dan Johnson]:
--------------------------------------------------------------------------
SCCM-MWAdmins
SCCM-Techs-Level-1
PS C:\>

Nothing too fancy, but very useful for finding the gaps: the "unique to" lists can be pasted straight into a ticket or used to apply the missing groups to the new user. Two caveats. Get-ADPrincipalGroupMembership reports direct membership only, so a group that one user reaches through nesting will not appear in either list. And a "unique to" list is not a to-do list: a group such as DnsAdmins in the sample above grants administrative rights over DNS and should be reviewed, not cloned, when the template account happens to hold it.

So, here's the PowerShell function.  Enjoy!

#Requires -Modules ActiveDirectory
function Get-PWADGroupComparison{
    <#
    .SYNOPSIS
        Compares the direct group membership of two Active Directory user accounts and lists
        the groups they share and the groups unique to each.
    .PARAMETER Identity1
        The first user account that you would like to compare.
    .PARAMETER Identity2
        The second user account that you would like to compare.
    .EXAMPLE
        Get-PWADGroupComparison -Identity1 BobJ -Identity2 DanO
    .EXAMPLE
        Get-PWADGroupComparison BobJ DanO
    .NOTES
        Author: Paul Wetter
        Website: www.wetterssoure.com
        The script is provided AS IS with no guarantees, no warranties, and it confers no rights.
        Get-ADPrincipalGroupMembership reports direct membership only; groups reached through
        nesting are not listed.
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$True,ValueFromPipelineByPropertyName=$true,
        HelpMessage="The first user account that you would like to compare")]
        [string]$Identity1,

        # Both accounts are needed for a comparison, so this parameter is mandatory as well.
        [Parameter(Mandatory=$True,ValueFromPipelineByPropertyName=$true,
        HelpMessage="The second user account that you would like to compare")]
        [string]$Identity2
    )

    # Direct group membership of each account, sorted by name. @() keeps a single
    # group from collapsing to a scalar string.
    $user1 = @(Get-ADPrincipalGroupMembership -Identity $Identity1 | Select-Object -ExpandProperty Name | Sort-Object)
    Write-Verbose "[$Identity1] $($user1 -join '; ')"
    $user2 = @(Get-ADPrincipalGroupMembership -Identity $Identity2 | Select-Object -ExpandProperty Name | Sort-Object)
    Write-Verbose "[$Identity2] $($user2 -join '; ')"

    # One comparison; SideIndicator says which list each group name came from.
    $diff = Compare-Object -ReferenceObject $user1 -DifferenceObject $user2 -IncludeEqual
    $SameGroups = @($diff | Where-Object SideIndicator -eq '==' | Select-Object -ExpandProperty InputObject)
    $UniqueID1  = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
    $UniqueID2  = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
    Write-Verbose "Common: $($SameGroups -join '; ')"
    Write-Verbose "Unique to ${Identity1}: $($UniqueID1 -join '; ')"
    Write-Verbose "Unique to ${Identity2}: $($UniqueID2 -join '; ')"

    # Display names for the headings.
    $ID1Name = (Get-ADUser -Identity $Identity1).Name
    $ID2Name = (Get-ADUser -Identity $Identity2).Name

    Write-Host "--------------------------------------------------------------------------"
    Write-Host "[$ID1Name] and [$ID2Name] have the following groups in common:"
    Write-Host "--------------------------------------------------------------------------"
    $SameGroups
    Write-Host ""

    Write-Host "--------------------------------------------------------------------------"
    Write-Host "The following groups are unique to [$ID1Name]:"
    Write-Host "--------------------------------------------------------------------------"
    $UniqueID1
    Write-Host ""
    Write-Host "--------------------------------------------------------------------------"
    Write-Host "The following groups are unique to [$ID2Name]:"
    Write-Host "--------------------------------------------------------------------------"
    $UniqueID2

}
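The function above compares direct membership and prints text. The following is an added example, not code from the original post, that goes a step further: it compares effective membership (direct, nested via the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and the primary group), returns objects instead of Write-Host text, flags AdminSDHolder-protected groups (adminCount=1), and adds only the direct, reference-only, unprotected groups to the new account under -WhatIf/-Confirm. The function names (ConvertTo-LdapFilterValue, Get-EffectiveGroupMembership, Compare-EffectiveGroupMembership, Copy-DirectGroupMembership) and the parameter names are my own; it assumes the RSAT ActiveDirectory module on a domain-joined host, read access to AD, and write access to the groups if the copy is run for real.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Function and parameter names are my own.
# Assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD,
# and write access to the groups if Copy-DirectGroupMembership is run without -WhatIf.

function ConvertTo-LdapFilterValue {
    # Escape the characters an LDAP filter value reserves (RFC 4515) so that a DN such as
    # "CN=Smith\, John,OU=Users,DC=corp,DC=example" cannot break or widen the filter.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Get-EffectiveGroupMembership {
    # Every group the account is in: direct, nested, and the primary group, each flagged
    # as Direct (true/false) and Protected (adminCount=1, i.e. covered by AdminSDHolder).
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties primaryGroupID
    $directDNs = @(Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
                   Select-Object -ExpandProperty DistinguishedName)

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) walks nested 'member' links
    # on the domain controller, so one query returns direct and nested groups together.
    $dn     = ConvertTo-LdapFilterValue -Value $user.DistinguishedName
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount)

    # The primary group (usually Domain Users) is linked through primaryGroupID rather than
    # 'member', so the chained query misses it; build its SID from the user's domain SID.
    $primarySid = "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)"
    $groups    += Get-ADGroup -Identity $primarySid -Properties adminCount

    $groups | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Direct            = ($directDNs -contains $_.DistinguishedName)
            Protected         = ($_.adminCount -eq 1)
        }
    }
}

function Compare-EffectiveGroupMembership {
    # Same idea as Get-PWADGroupComparison, but on effective membership and as objects,
    # so the result can be filtered, exported to CSV, or fed to Copy-DirectGroupMembership.
    param(
        [Parameter(Mandatory)][string]$ReferenceIdentity,
        [Parameter(Mandatory)][string]$TargetIdentity
    )
    $ref = @(Get-EffectiveGroupMembership -Identity $ReferenceIdentity)
    $tgt = @(Get-EffectiveGroupMembership -Identity $TargetIdentity)
    Compare-Object -ReferenceObject $ref -DifferenceObject $tgt -Property DistinguishedName -IncludeEqual -PassThru |
        ForEach-Object {
            $side = switch ($_.SideIndicator) { '==' { 'Both' } '<=' { 'ReferenceOnly' } '=>' { 'TargetOnly' } }
            [pscustomobject]@{
                Group             = $_.Name
                Side              = $side
                Direct            = $_.Direct
                Protected         = $_.Protected
                DistinguishedName = $_.DistinguishedName
            }
        } | Sort-Object -Property Side, Group
}

function Copy-DirectGroupMembership {
    # Adds the target to the groups the reference holds directly and the target lacks.
    # Nested-only groups are skipped (the target gets them through the parent group), and
    # AdminSDHolder-protected groups are skipped unless -IncludeProtected is passed.
    # ConfirmImpact=High makes every addition prompt unless -Confirm:$false or -WhatIf is used.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ReferenceIdentity,
        [Parameter(Mandatory)][string]$TargetIdentity,
        [switch]$IncludeProtected
    )
    $target = Get-ADUser -Identity $TargetIdentity
    Compare-EffectiveGroupMembership -ReferenceIdentity $ReferenceIdentity -TargetIdentity $TargetIdentity |
        Where-Object { $_.Side -eq 'ReferenceOnly' -and $_.Direct } |
        ForEach-Object {
            if ($_.Protected -and -not $IncludeProtected) {
                Write-Warning "Skipping protected group '$($_.Group)'; review it and re-run with -IncludeProtected if intended."
                return   # inside ForEach-Object, return moves on to the next object
            }
            if ($PSCmdlet.ShouldProcess($target.SamAccountName, "Add to group '$($_.Group)'")) {
                Add-ADGroupMember -Identity $_.DistinguishedName -Members $target
            }
        }
}

# Usage, with the account names from the sample output above:
# Compare-EffectiveGroupMembership -ReferenceIdentity pwetter -TargetIdentity djohnson | Format-Table
# Copy-DirectGroupMembership -ReferenceIdentity pwetter -TargetIdentity djohnson -WhatIf
```

The Direct column is what makes the copy step safe: a group the reference holds only through nesting shows up as ReferenceOnly with Direct=False, and adding the new user to it directly would hand out access that the group designer chose to route through a parent group. The DN is escaped before it goes into the LDAP filter because DNs routinely contain commas escaped with a backslash, and an unescaped value would either fail the query or match more than intended.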
