Compare Windows Group Membership

Posted on 17 Sep 2013 in PowerShell


Trying to compare the members of Windows domain Security or Distribution groups can be a bit of a pain, especially when you've got nested groups. To make life a bit easier I wrote a quick script that goes through the members of the groups you want, including unlimited sub-groups (see the note below). The script creates a grid output table, which you can sort, filter and so on.

Note: the maximum depth depends on how deep your version of PowerShell allows recursion to go. V1 supports 100 levels of recursion, so a depth of 100 groups; V2 supports 1000; V3 is unlimited (though your system will run out of resources at some point, and it would be crazy to have that many groups nested within groups in Active Directory).

<###################################################################################################################
 AD Group Comparator - Displays members of groups

 By Simon Strutt - Aug 2013
####################################################################################################################>

$GroupNames = @()
$GroupNames += "Group A"            # Groups to compare
$GroupNames += "Group B"
$GroupNames += "Group C"

Import-Module ActiveDirectory

# Create table for output
$table = New-Object system.Data.DataTable "Groups"
$col1 = New-Object system.Data.DataColumn UserID,([string])
$col2 = New-Object system.Data.DataColumn Name,([string])

$table.columns.add($col1)
$table.columns.add($col2)

# Add a boolean column for each group
foreach ($GroupName in $GroupNames) {
    $table.columns.add((New-Object system.Data.DataColumn $GroupName,([bool])))
}

# Recursively walk $group, ticking the $GroupName column for each user found.
# $GroupName is passed explicitly rather than picked up from the caller's scope.
# $Visited records the sub-groups already walked for this top-level group, so
# circular nesting (A contains B, B contains A) cannot recurse forever.
Function Walk-Group ($group, $GroupName, $Visited) {
    $GroupMembers = Get-ADGroupMember $group
    foreach ($member in $GroupMembers) {
        if ($member.objectClass -eq "user") {
            # Check if a row already exists for the user; if not, add one
            $row = $table.Select("UserID = '" + $member.SamAccountName + "'")
            if ($row.count) {
                $row[0][$GroupName] = $true
                Write-Host ("Dupe  : " + $member.SamAccountName + " " + $member.Name)
            } else {
                $row = $table.NewRow()
                $row.UserID = $member.SamAccountName
                $row.Name = $member.name
                $row[$GroupName] = $true
                $table.Rows.Add($row)
                Write-Host ("Add   : " + $member.SamAccountName + " " + $member.Name)
            }
        } elseif ($member.objectClass -eq "group") {
            if ($Visited.ContainsKey($member.distinguishedName)) {
                Write-Host ("Skip  : " + $member.Name + " (already walked)")
                continue
            }
            $Visited[$member.distinguishedName] = $true
            Write-Host ("SubGrp: " + $member.Name)
            Walk-Group $member $GroupName $Visited
        } else {
            # Computers, contacts etc. are neither users nor groups; Get-ADGroupMember would fail on them
            Write-Host ("Skip  : " + $member.Name + " (" + $member.objectClass + ")")
        }
    }
}

# Go through each group, with a fresh visited set per top-level group
foreach ($GroupName in $GroupNames) {
    Write-Host "Getting members of $GroupName..."
    Walk-Group $GroupName $GroupName @{}
}

$table.AcceptChanges()

$table | Select -ExcludeProperty RowError, RowState, Table, ItemArray, HasErrors | Out-GridView -Title "Group Compare results"

 


1 Comment to “Compare Windows Group Membership”

  1. sean says:

    How does this script handle enumerating nested groups in other domains?

    I tried running the function walk-group and it lists users, but groups have issues.

    I'm in suba.dom.com, targeting a group in suba.

    The group has members and groups nested in the suba and subb domains. Groups throw an error about the group DN in subb or in suba.

    Thoughts?
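Two limits come up on this page: the recursion-depth note in the post, and the cross-domain nesting in the comment above. Both can be handled by walking a group's member attribute with a queue instead of recursion and resolving each member DN against the domain named in that DN (Get-ADGroupMember is known to fail on members that live in another domain of the forest; Get-ADGroup -Properties member followed by Get-ADObject -Server is the usual way around it). The script below is an added example, not the post's script and not a reply from its author. It assumes PowerShell 3.0 or later, the ActiveDirectory module, that the other domains are in the same forest, and uses the placeholder group names "Group A" and "Group B"; the function names Get-DomainFromDN and Get-NestedUsers are the example's own.

```powershell
# Added example, not the post's own script: queue-based walk of nested groups
# with cross-domain member resolution. Assumes PowerShell 3.0+ and the AD module.
Import-Module ActiveDirectory

$GroupNames = @("Group A", "Group B")   # placeholder names; replace with your groups

# Derive the DNS name of the domain an object lives in from its DN, e.g.
# "CN=Smith\, John,OU=Staff,DC=suba,DC=dom,DC=com" -> "suba.dom.com".
# The split ignores commas escaped with a backslash inside RDN values.
function Get-DomainFromDN ([string]$dn) {
    $dcParts = ($dn -split '(?<!\\),') | Where-Object { $_ -match '^DC=' }
    ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
}

# Return a hashtable (sAMAccountName -> AD object) of every user reachable from
# $groupDn through any depth of nesting. No recursion is used, so PowerShell's
# recursion limit does not apply; $visited stops circular nesting from looping.
function Get-NestedUsers ([string]$groupDn) {
    $users   = @{}
    $visited = @{}
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue($groupDn)

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($visited.ContainsKey($dn)) { continue }
        $visited[$dn] = $true

        # Ask the group's own domain for its member list rather than relying on
        # Get-ADGroupMember, which fails when members come from another domain.
        $grp = Get-ADGroup -Identity $dn -Server (Get-DomainFromDN $dn) -Properties member

        foreach ($memberDn in $grp.member) {
            # Resolve each member in the domain its DN names; a user in subb is
            # looked up against subb even when the group being walked is in suba.
            $obj = Get-ADObject -Identity $memberDn -Server (Get-DomainFromDN $memberDn) `
                                -Properties objectClass, sAMAccountName, name
            switch ($obj.objectClass) {
                'user'  { $users[$obj.sAMAccountName] = $obj }
                'group' { $queue.Enqueue($obj.DistinguishedName) }
                default {
                    # computers, contacts, foreignSecurityPrincipal (external-forest
                    # trusts) and anything else are neither users nor groups here
                    Write-Verbose "Skipping $($obj.DistinguishedName) ($($obj.objectClass))"
                }
            }
        }
    }
    $users
}

# Build one row per user with a boolean column per top-level group, the same
# shape as the post's DataTable, using ordered hashtables instead.
$membership = @{}
foreach ($name in $GroupNames) {
    $topDn = (Get-ADGroup -Identity $name).DistinguishedName
    foreach ($u in (Get-NestedUsers $topDn).Values) {
        if (-not $membership.ContainsKey($u.sAMAccountName)) {
            $row = [ordered]@{ UserID = $u.sAMAccountName; Name = $u.Name }
            foreach ($g in $GroupNames) { $row[$g] = $false }
            $membership[$u.sAMAccountName] = $row
        }
        $membership[$u.sAMAccountName][$name] = $true
    }
}

$membership.Values | ForEach-Object { [pscustomobject]$_ } |
    Sort-Object UserID |
    Out-GridView -Title "Group Compare results"
```

Members from a domain in a different forest (an external trust) appear as foreignSecurityPrincipal objects in the local domain rather than as user DNs, so they land in the default branch and are skipped; resolving those would need a lookup against the trusted forest, which this example does not attempt.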
