3 Part AD Query

jzachmans · April 28, 2017, 10:43am

I’m working a 3 part query but can’t seem to figure out parts 2 & 3.

Here’s what I’m trying to accomplish: Our office uses AD groups to apply drive maps via group policy. We have so many divisions/groups that it’s becoming difficult to manage who has what drive!

The AD group name specifies what drive they are getting (ex 15-M) which means that the user will see division 15’s network share as a letter “M” on their workstation. It’s difficult to manage because people sometime belong to multiple “XX-M” groups (they might belong to 15-M & 16-M) – obviously they can only have a single M: drive so GP picks the one with a lower order number.

The query I’m trying to run in PowerShell would do these three things:

Collect all groups that end with “-M” For example, 15-M, 16-M, 17-M – you get the picture
Get ALL members/samaccountnames from the groups returned in part #1. Create one big list that contains all samaccountnames for the “XX-M” groups
Compare the compiled list and identify any duplicate names. Obviously if UserX shows up on that list more than once it would be problematic because that means he/she would be configured to receive multiple M: drives.

Part #1 was no problem. But I can’t seem to get part #2 to work & to be honest part #3 is well out of my realm. Even if I could get part 1 & 2 to work I could do a manual compare in Excel. I’m not looking for someone to completely answer this for me, I’m just doing a sanity check to make sure that my logic is correct. If anyone can point me in the right direct it would be greatly appreciated!

Here’s what I have so far:

$targets = Get-ADGroup -Filter * -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com" | where name -Like "*-m" | select -ExpandProperty name

foreach ($Person in $Targets) { 
    Get-ADGroupMember -Identity $targets | select name 
}

matt-bloomfield · April 28, 2017, 11:36am

I think your logic is broadly correct. I would build a custom object that links the group name to the user:

#Note use the -filter parameter to avoid getting all groups and then filtering with Where-Object
$groups = Get-ADGroup -filter "Name -like '*-m'" -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com"

$userArray = @()

foreach ($group in $groups) {

    foreach ($user in Get-ADGroupMember $group) {

        $userObj = [PSCustomObject] @{
            
            groupName = $group.Name
            sAMAccountName = $user.sAMAccountName
        
        } #end $userObj creation

        $userArray += $userObj      

    } #end foreach $user

} #end foreach $group

Once you have an array of user objects you could export to CSV for sorting but, of course, you can also use PowerShell to process the results.

E.g.

$userArray | Group-Object sAMAccountName | Where-Object {$_.count -gt 1}

Will give you all users that appear in more than one group.

rob-simmers · April 28, 2017, 12:00pm

Matt beat me to it…

$groups = Get-ADGroup -Filter {Name -like "*-m"} -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com"

$groupMembers = foreach ($group in $groups) { 
    Get-ADGroupMember -Identity $group
}


$groupMembers | 
Group-Object -Property Name -NoElement | 
Where{$_.Count -gt 1}

Topic		Replies	Views
Need help finding users in multiple ad groups in single list PowerShell Help	1	209	April 1, 2020
Getting Members of Groups in AD PowerShell Help	1	173	August 3, 2017
Get AD users from specific AD Groups and parse results PowerShell Help	2	142	September 4, 2014
Foreach user in Group PowerShell Help	6	143	April 9, 2020
Group comparison PowerShell Help	16	167	April 20, 2020

3 Part AD Query

Related Topics