Use PowerShell to Determine the Differences in Group Membership between Active Directory Users

I recently saw a post on Reddit where someone was trying to create a function that takes an Active Directory user name as input for a manager who has direct reports (subordinates) specified in Active Directory. They wanted to determine if the Active Directory group membership of any of those subordinates is different from the others.

There are two different parts to this scenario. The first is returning a list of the manager’s direct reports by querying that property from the manager’s user account in Active Directory:

(Screenshot: adgroup-diff1)

I decided to keep that portion separate since it would be easy enough to accomplish that part of the task, and hard-coding that functionality would limit the reusability of the group comparison portion of the tool. I wanted the user IDs (input for my tool) to be able to come from a query against Active Directory, a list of user IDs stored in a text file, or a CSV file (maybe an auditor supplies a list of user IDs to compare that he emails to you).

The following PowerShell function compares the Active Directory group membership of one or more users. The function first builds a combined list of all groups that the specified users are in. It then determines which of those groups are considered common groups: a group is common when 50% or more of the specified users are members of it. Finally, it iterates through each user, compares that user’s group membership to the common group list, and returns only the memberships that differ from that list.

Now to use PowerShell to query the “Direct reports” of a manager in Active Directory and return those users as input for our group comparison tool:

(Screenshot: adgroup-diff4)

That task can be performed with this simple PowerShell one-liner:

(Screenshot: adgroup-diff2a)

As shown in the previous set of results, a minus in the Status column means the user is not a member of a common group, and a plus means they are a member of an extra group other than the common ones. The “RatioOfUsersInGroup(%)” column returns the percentage of the specified users that are in the given group; for example, 50% (3 of the 6 users) are in both the Faculty and Staff groups, and only 17% (1 of the 6 users) is in the Test01 group.

(Screenshot: adgroup-diff3b)

An equal sign will only show up in the Status column when the -IncludeEqual parameter is specified. It means that the user is a member of the common group(s), as shown in the previous example.

The Compare-MrADGroup PowerShell function shown in this blog article can also be downloaded from the TechNet script repository.
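As an added example (this is not the blog's Compare-MrADGroup function, which is not reproduced on this page), here is an implementation of the same comparison logic: a combined group list, a 50% threshold for common groups, and +/-/= status rows with the membership ratio. The directory lookup is kept outside the function: the hypothetical -Membership parameter takes one object per user with User and Groups properties, so the constructed sample below runs without a domain; in practice those objects would be built with Get-ADPrincipalGroupMembership for each of the manager's direct reports.

```powershell
function Compare-GroupMembership {
    [CmdletBinding()]
    param (
        # Hypothetical input shape: one object per user with User and Groups properties
        [Parameter(Mandatory)][object[]]$Membership,
        [switch]$IncludeEqual
    )
    $userCount = $Membership.Count
    # Combined list of every group any specified user is in, with a member count per group
    $groupCounts = [ordered]@{}
    foreach ($m in $Membership) {
        foreach ($g in @($m.Groups | Select-Object -Unique)) {
            $groupCounts[$g] = 1 + [int]$groupCounts[$g]
        }
    }
    # Common groups: 50% or more of the specified users are members
    $common = @($groupCounts.Keys | Where-Object { ($groupCounts[$_] / $userCount) -ge 0.5 })
    foreach ($m in $Membership) {
        $userGroups = @($m.Groups)
        # Check the user's own groups plus every common group they might be missing
        foreach ($g in @(($userGroups + $common) | Select-Object -Unique)) {
            $inUser   = $userGroups -contains $g
            $inCommon = $common -contains $g
            $status = if ($inUser -and $inCommon) { '=' } elseif ($inUser) { '+' } else { '-' }
            if ($status -eq '=' -and -not $IncludeEqual) { continue }   # '=' rows only on request
            [pscustomobject]@{
                User                     = $m.User
                Group                    = $g
                Status                   = $status
                'RatioOfUsersInGroup(%)' = [math]::Round(100 * $groupCounts[$g] / $userCount)
            }
        }
    }
}

# Constructed sample data (not from a real directory): six users, chosen so that
# Faculty and Staff reach exactly 50% and Test01 only 17%, as in the article's results
$sample = @(
    [pscustomobject]@{ User = 'user1'; Groups = 'Domain Users', 'Faculty', 'Staff' }
    [pscustomobject]@{ User = 'user2'; Groups = 'Domain Users', 'Faculty', 'Staff' }
    [pscustomobject]@{ User = 'user3'; Groups = 'Domain Users', 'Faculty', 'Staff', 'Test01' }
    [pscustomobject]@{ User = 'user4'; Groups = 'Domain Users' }
    [pscustomobject]@{ User = 'user5'; Groups = 'Domain Users' }
    [pscustomobject]@{ User = 'user6'; Groups = 'Domain Users' }
)
Compare-GroupMembership -Membership $sample | Format-Table -AutoSize
Compare-GroupMembership -Membership $sample -IncludeEqual | Format-Table -AutoSize
```

With the sample above, users 4 to 6 get a minus row for Faculty and Staff, user3 gets a plus row for Test01, and users 1 and 2 produce no rows unless -IncludeEqual is given.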
