Hi /r/Powershell!
I made a thing! The whole thing is too long, I think, to paste here, so feel free to visit gallery.technet.microsoft.com and download it from there, I just uploaded it (and I already hate their CMS…)
Short overview
This function can be used to compare nested (inherited) or direct membership of two AD users. The default output only shows groups the $ReferenceUser is a member of and $User is not. Results are always added to a global variable ($Results) that can be used later.
Heavily based on Get-ADGroupsDifference by Wojciech Sciesinski (see Links and Notes sections in the .psm1 file itself and on the site).
Shoutout to /u/CSTW for helping me with the output generation!
So, yeah, no code, huh? Let me just give you some examples of what you can do with it instead:
Example 1: generate a full output showing nested membership for user XXXX, user YYYY and also the groups they’re both members of:
Find-ADGroupsDifference -User XXXX -ReferenceUser YYYY -Long -IncludeEqual

ReferenceUser     : XXXX
User              : YYYY
GroupName         : GROUP-A
SideIndicator     : 0
SideIndicatorName : Both users

ReferenceUser     : XXXX
User              : YYYY
GroupName         : GROUP-B
SideIndicator     : 1
SideIndicatorName : Only User

ReferenceUser     : XXXX
User              : YYYY
GroupName         : Group-007-License
SideIndicator     : -1
SideIndicatorName : Only ReferenceUser
Example 2: Display groups that have “ZZZZ” somewhere in their name.
Find-ADGroupsDifference -User XXXX -ReferenceUser YYYY -Filter ZZZZ -Medium

Only Reference User (YYYY)
-------------------
GRP-USR-ZZZZ
GRP-ACCZZZZ-NAME
ZZZZ-NAME

Only User (ZZZZ)
---------
GRP-SAMPLE-GROZZZZP
ZZZZ-GROUP-NAME
Example 3: Display only the groups that ReferenceUser is a member of that also have ZZZZ in their name:
Find-ADGroupsDifference -User XXXX -ReferenceUser YYYY -Filter ZZZZ

GRP-USR-ZZZZ
GRP-ACCZZZZ-NAME
ZZZZ-NAME
What’s cool about this function? Four things:
- It’s fast. Nested groups are returned within 20 seconds on my network; non-nested groups take a whopping 0.8 seconds to find their way to your screen.
- Doesn’t need Quest AD, like a lot of other functions out there, to return nested membership.
- Mostly customisable output out of the box. No need for pipelines and manual filtering, most of the stuff (all use cases in my company and some others I found people needed on the Net) are there. I hope.
- Really rather user-friendly. Made with Service Desk agents in mind (hence the default short output that allows the contents of the $Results variable to be easily used to add missing groups to a user) or people who just don’t want to bother with pipelines.
Oh, yeah, the $Results variable is global, keep that in mind if you also use your own global variables. This is so that you can get some output, confirm that it’s correct via eyeball, and then quickly use said output somewhere else, without having to run the whole thing again (sometimes even 20 seconds are precious).
Most important bit! If you can, test this! I only had access to Windows 10, would be nice to know if it works elsewhere or if output isn’t garbled in some weird AD set-ups. Also, any comments about the code itself are super welcome, I still consider myself a PS noob so all input is helpful.
Let me know what you think.
submitted by /u/Alaknar
The post Find nested or direct group membership differences between two AD users appeared first on How to Code .NET.
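As an added illustration of the approach the post describes (and not the module from the TechNet gallery itself), the following PowerShell compares the nested or direct group membership of two accounts using only the RSAT ActiveDirectory module. Nested membership is fetched in a single LDAP query with the transitive matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which is why no Quest cmdlets or recursion are needed. The function and parameter names (Compare-ADGroupMembership, Get-ADNestedGroupName, ConvertTo-LdapFilterValue) are this example's own choices; the output mirrors the post's SideIndicator convention (-1 only ReferenceUser, 1 only User, 0 both). From a defender's side the same diff is useful for spotting privilege drift: compare an account against a known-good template account and review every group that shows up as "Only User".

```powershell
# Example code, not the module from the post. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read group objects in the domain.
#Requires -Modules ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter (RFC 4515) so a
    # distinguished name containing '(' ')' '*' or '\' cannot break or widen the query.
    # The backslash must be replaced first, or the escapes themselves get re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-ADNestedGroupName {
    # Returns the names of every group the account belongs to.
    # Default: direct and nested membership via the transitive LDAP matching rule.
    # -Direct: only the groups listed in the account's memberOf attribute.
    # Note: neither path returns the primary group (usually Domain Users), because
    # primary-group membership is stored in primaryGroupID, not in member/memberOf.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Direct
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf
    if ($Direct) {
        return @($user.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Sort-Object)
    }
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
    # One server-side query walks the whole membership chain for us.
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name | Sort-Object)
}

function Compare-ADGroupMembership {
    # Emits one object per group with the same SideIndicator semantics as the post:
    # -1 = only ReferenceUser, 1 = only User, 0 = both (only shown with -IncludeEqual).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$ReferenceUser,
        [string]$Filter,        # substring that must appear in the group name
        [switch]$Direct,        # compare direct membership only
        [switch]$IncludeEqual   # also list groups both accounts share
    )
    $refGroups  = Get-ADNestedGroupName -SamAccountName $ReferenceUser -Direct:$Direct
    $userGroups = Get-ADNestedGroupName -SamAccountName $User -Direct:$Direct
    if ($Filter) {
        $refGroups  = @($refGroups  | Where-Object { $_ -like "*$Filter*" })
        $userGroups = @($userGroups | Where-Object { $_ -like "*$Filter*" })
    }

    # AD group names are case-insensitive, so compare them that way.
    $cmp    = [System.StringComparer]::OrdinalIgnoreCase
    $refSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$refGroups, $cmp)
    $usrSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$userGroups, $cmp)
    $sideName = @{ -1 = 'Only ReferenceUser'; 1 = 'Only User'; 0 = 'Both users' }

    foreach ($group in ($refGroups + $userGroups | Sort-Object -Unique)) {
        $side = if ($refSet.Contains($group) -and $usrSet.Contains($group)) { 0 }
                elseif ($refSet.Contains($group)) { -1 }
                else { 1 }
        if ($side -eq 0 -and -not $IncludeEqual) { continue }
        [pscustomobject]@{
            ReferenceUser     = $ReferenceUser
            User              = $User
            GroupName         = $group
            SideIndicator     = $side
            SideIndicatorName = $sideName[$side]
        }
    }
}

# Usage (account names are placeholders):
#   Compare-ADGroupMembership -User XXXX -ReferenceUser YYYY -IncludeEqual | Format-Table
#   # Groups the audited account has that the template account lacks: review these for excess privilege.
#   Compare-ADGroupMembership -User XXXX -ReferenceUser YYYY | Where-Object SideIndicator -eq 1
#   # Bare list of group names, like the post's default short output:
#   (Compare-ADGroupMembership -User XXXX -ReferenceUser YYYY -Filter ZZZZ).GroupName
```

Unlike the post's module, this version returns objects instead of writing to a global $Results variable, so the caller decides where to keep the result (for example `$Results = Compare-ADGroupMembership ...`). Escaping the distinguished name before it goes into the LDAP filter matters because DNs can legitimately contain parentheses and backslash-escaped commas; without the escaping the filter would fail or match unexpectedly for those accounts.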