Checking and comparing user AD group membership

In the AD module for PS there's an easy cmdlet that allows us to check the groups a user is a member of: Get-ADPrincipalGroupMembership. Let's check the syntax:

   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADPrincipal>
   [-Partition <String>]
   [-ResourceContextPartition <String>]
   [-ResourceContextServer <String>]
   [-Server <String>]

Interpreting the syntax, we can conclude the following:

  • Because the "-Identity" parameter and its value "<ADPrincipal>" aren't enclosed in square brackets together, we know the parameter is mandatory. Only the parameter name is bracketed, which means -Identity is also positional: if we supply the value without the parameter name, PS will know we're referring to -Identity. To be clear, "Get-ADPrincipalGroupMembership -Identity bob.marley" is the same thing as "Get-ADPrincipalGroupMembership bob.marley".

Here we're only using the samAccountName as the value for -Identity (the parameter also accepts a distinguished name, GUID or SID). Keep in mind that this cmdlet returns only the groups the user is a direct member of; groups the user belongs to through nesting (a group that is itself a member of another group) are not listed. To check the AD group membership of a user we can run:

PS C:\Windows\System32 > Get-ADPrincipalGroupMembership -Identity bob.marley

We can obtain a cleaner output by piping the result to Format-Table:

PS C:\Windows\System32 > Get-ADPrincipalGroupMembership -Identity bob.marley | Format-Table name, GroupCategory -Autosize
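The check above only shows direct memberships. The following added example (not code from the original post) resolves the effective membership, including groups reached through nesting, by asking the DC to walk the member chain with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), and labels each group as direct or inherited so the two views can be compared. It assumes the ActiveDirectory module, a reachable DC and a single domain; bob.marley is the placeholder name from the post, and the function and helper names are this example's own.

```powershell
# Added example (not from the original post): effective, i.e. transitive, group membership.
# Get-ADPrincipalGroupMembership returns only the groups a user is a DIRECT member of.
# A user nested as GroupA -> GroupB -> Domain Admins would show GroupA but not Domain Admins.
# Assumptions: ActiveDirectory module, a reachable DC, single domain; bob.marley is a placeholder.

Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515). The backslash goes first so the
# escapes it produces are not re-escaped. A DN containing "(" or "\" would otherwise break
# the filter, or let an attacker-chosen object name change what the filter matches.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29').Replace('*', '\2a').Replace("`0", '\00')
}

function Get-ADEffectiveGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        [string]$Server
    )
    process {
        $adArgs = @{}
        if ($Server) { $adArgs.Server = $Server }

        $user = Get-ADUser -Identity $Identity -Properties primaryGroupID @adArgs

        # The primary group (usually Domain Users) is not stored in any group's member
        # attribute, so a chain query from the user's DN would never reach it, nor anything
        # it is nested in. Resolve it from the domain SID plus the primaryGroupID RID.
        $primaryGroup = Get-ADGroup -Identity "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)" @adArgs

        $userDn    = ConvertTo-LdapFilterValue -Value $user.DistinguishedName
        $primaryDn = ConvertTo-LdapFilterValue -Value $primaryGroup.DistinguishedName

        # Every group whose member chain reaches the user, plus every group whose member
        # chain reaches the primary group. The DC resolves the nesting server-side.
        $filter = "(|(member:1.2.840.113556.1.4.1941:=$userDn)(member:1.2.840.113556.1.4.1941:=$primaryDn))"
        $nested = @(Get-ADGroup -LDAPFilter $filter @adArgs)

        # Direct memberships as Get-ADPrincipalGroupMembership reports them, so each
        # effective group can be labelled direct or inherited through nesting.
        $directDn = @(Get-ADPrincipalGroupMembership -Identity $Identity @adArgs |
                      ForEach-Object DistinguishedName)

        (@($primaryGroup) + $nested) |
            Sort-Object -Property DistinguishedName -Unique |
            ForEach-Object {
                [pscustomobject]@{
                    Name              = $_.Name
                    GroupCategory     = $_.GroupCategory
                    GroupScope        = $_.GroupScope
                    Direct            = ($directDn -contains $_.DistinguishedName)
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }
}

# Usage: full effective membership, then only the groups the cmdlet in the post would
# have missed because they arrive through nesting.
Get-ADEffectiveGroupMembership -Identity bob.marley | Format-Table Name, GroupScope, Direct -AutoSize
Get-ADEffectiveGroupMembership -Identity bob.marley | Where-Object { -not $_.Direct }
```

Chain queries make the DC do the recursion, so they are accurate but not free on large directories; run them against a specific -Server rather than in a loop over every user. Groups from other domains in the forest are not followed by a single-domain query.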

Sometimes you want to compare the AD groups of two different users. For instance, a new user is joining the company and you want to use a coworker's membership as the template for the groups that user needs. Keep in mind that mirroring copies the coworker's entitlements wholesale, including any privileged groups they accumulated over time, so review the result before adding anything. Luckily for us, PS has a cmdlet that performs the comparison pretty easily: Compare-Object.

Using Compare-Object to compare the AD groups of different users

We can check whether one user belongs to one or more groups the other user doesn't. To do that, we combine Get-ADPrincipalGroupMembership and Compare-Object. Let's take a look at the Compare-Object syntax:

       [-ReferenceObject] <PSObject[]>
       [-DifferenceObject] <PSObject[]>
       [-SyncWindow <Int32>]
       [-Property <Object[]>]
       [-Culture <String>]

As with Get-ADPrincipalGroupMembership, we can see that both -ReferenceObject and -DifferenceObject are mandatory (and positional). If we want to compare the groups of user A with the groups of user B, we pass those values to -ReferenceObject and -DifferenceObject respectively. At this point, we just have to combine the cmdlets discussed in one instruction:

Compare-Object -ReferenceObject (Get-ADPrincipalGroupMembership -Identity bob.marley) -DifferenceObject (Get-ADPrincipalGroupMembership -Identity mick.jagger) -Property Name

Notice we used parentheses to enclose the values for -ReferenceObject and -DifferenceObject. A parenthesised subexpression is evaluated first and its result is passed as the parameter value. We also used the -Property parameter because Name is the property we're interested in; without it, Compare-Object would compare the group objects as a whole rather than one property. The output of this instruction is going to look something like this:

Name              SideIndicator
----              -------------
ReggaeMusic       <=
RockMusic         =>
Jamaica           <=
UnitedStates      =>

In this case, we can see that user bob.marley is a member of the group ReggaeMusic but mick.jagger isn't. We know this because the arrow under SideIndicator points to the left side, which represents -ReferenceObject (the groups of bob.marley). We can see that only mick.jagger is part of the UnitedStates group because the arrow for UnitedStates under SideIndicator points to the right side, which represents -DifferenceObject (the groups of mick.jagger). Groups both users share are not shown unless you add the -IncludeEqual switch, in which case they appear with the "==" indicator.
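For onboarding by mirroring, the raw Compare-Object output is a starting point but not an action list. The following added example (not code from the original post) wraps the same comparison in a function that compares on DistinguishedName instead of Name, keeps the group objects with -PassThru, and flags any missing group that is protected by AdminSDHolder (adminCount=1, which marks built-in privileged groups such as Domain Admins) so it is reviewed rather than copied silently. It assumes the ActiveDirectory module and a single domain; bob.marley and mick.jagger are the placeholder names from the post, and the function name is this example's own.

```powershell
# Added example (not from the original post): turn the Compare-Object call into an
# onboarding checklist. Assumptions: ActiveDirectory module, single domain; the user
# names are placeholders taken from the post.

Import-Module ActiveDirectory

function Compare-ADUserGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ReferenceUser,   # template user (the coworker)
        [Parameter(Mandatory)][string]$DifferenceUser,  # user being onboarded
        [string]$Server
    )
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    $ref  = @(Get-ADPrincipalGroupMembership -Identity $ReferenceUser  @adArgs)
    $diff = @(Get-ADPrincipalGroupMembership -Identity $DifferenceUser @adArgs)

    # Compare on DistinguishedName, not Name: two groups in different OUs can share a
    # Name, and the DN is what identifies the object. -PassThru returns the ADGroup
    # objects themselves (with SideIndicator attached) instead of just the compared property.
    $compared = Compare-Object -ReferenceObject $ref -DifferenceObject $diff `
        -Property DistinguishedName -IncludeEqual -PassThru

    foreach ($g in ($compared | Sort-Object SideIndicator, Name)) {
        # adminCount=1 marks groups protected by AdminSDHolder: a cheap, reliable tell
        # for the built-in privileged groups (Domain Admins, Account Operators, ...).
        $group     = Get-ADGroup -Identity $g.DistinguishedName -Properties adminCount @adArgs
        $protected = ($group.adminCount -eq 1)

        $status = switch ($g.SideIndicator) {
            '<=' { 'OnlyReference' }   # the template has it, the new user does not
            '=>' { 'OnlyDifference' }  # the new user has it, the template does not
            '==' { 'Both' }
        }
        $action = if ($status -ne 'OnlyReference') { 'None' }
                  elseif ($protected)              { 'REVIEW before adding' }
                  else                             { 'Add' }

        [pscustomobject]@{
            Name              = $group.Name
            GroupScope        = $group.GroupScope
            Status            = $status
            Protected         = $protected
            Action            = $action
            DistinguishedName = $group.DistinguishedName
        }
    }
}

# Usage: the template user's groups are the reference side, exactly as in the post.
Compare-ADUserGroupMembership -ReferenceUser bob.marley -DifferenceUser mick.jagger |
    Format-Table Name, Status, Protected, Action -AutoSize

# Apply only the plain "Add" rows; -WhatIf shows each change without making it.
Compare-ADUserGroupMembership -ReferenceUser bob.marley -DifferenceUser mick.jagger |
    Where-Object Action -eq 'Add' |
    ForEach-Object { Add-ADGroupMember -Identity $_.DistinguishedName -Members mick.jagger -WhatIf }
```

Because the comparison is built on Get-ADPrincipalGroupMembership, it sees direct memberships only; the template user's nested memberships are not part of the picture, which is usually what you want when deciding what to add directly to a new account.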

This simple instruction can save us a lot of time when we have to compare the AD group membership of two different users.
