Compare adgroup members of 2 domains

Hello guys,
We are in the process of merging two domains, so now we want to compare the AD group memberships of both.
First I retrieved all groups with the same name:

# Group names from the current domain and from domain2, then keep only the names present in both
$groupsdomain1 = (Get-ADGroup -Filter *).name
$groupsdomain2 = (Get-ADGroup -Filter * -Server "domain2.com").name
$equalgroups = Compare-Object $groupsdomain1 $groupsdomain2 -ExcludeDifferent -IncludeEqual

I exported those groups into a CSV … now I’m trying to retrieve the members of those groups:

$csv = Import-Csv C:\temp\grpstocompare.csv
foreach ($grp in $csv) {
    # Compare the member names of the same group in both domains and tag each difference with the group name
    Compare-Object (Get-ADGroupMember $grp.InputObject).name (Get-ADGroupMember $grp.InputObject -Server "domain2.com").name |
        Select-Object InputObject, SideIndicator, @{n='group'; e={$grp.InputObject}}
}

Now this works, with some errors.

user1… <= grp6
user2… => grp2
user3… <= grp2
user4 <= grp3
Compare-Object:
Line |
2 | … bject).name (Get-ADGroupMember $grp.InputObject -Server "domain2.com
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot bind argument to parameter ‘DifferenceObject’ because it is null.
user5 => grp2
user5 <= grp1

My questions are …
1- Why am I getting this error?
2- Does Get-ADGroupMember retrieve users, computers and contacts?
3- Is there a better way to do this?

Thank you

Why is it that I never get help on this forum?
Am I doing something wrong?
I never even get a reply.

No. You don’t. :wink:

I personally don’t have experience with a multi-domain environment, and I don’t have access to one to test at the moment.

First I’d recommend using the DN or sAMAccountName for the comparison. They are unique inside one domain. And I’d write my code a little more verbosely … like this:

# Keep the full group objects so the comparison can use a unique property instead of the display name
$groupsdomain1 = Get-ADGroup -Filter *
$groupsdomain2 = Get-ADGroup -Filter * -Server 'domain2.com'
$equalgroups = Compare-Object -ReferenceObject $groupsdomain1 -DifferenceObject $groupsdomain2 -Property 'sAMAccountName' -ExcludeDifferent -IncludeEqual -PassThru

Now … why do you export the result and import it again? You can work with the variable $equalgroups.

Is it possible that you have groups in your second domain without any members or without “names”? And again - I’d use a property other than the name.

I’d say yes? Did you try? It should be easy to figure out. :wink:

That depends pretty much on your expectations. Does it do what you need? Even if there are error messages - when you know where they come from and why it still might satisfy your requirements. :wink:

Finally someone replied :smile:
1st, thank you for replying.
Thank you for the recommendation, as indeed … some users might not have names, so I’ll use the sAMAccountName property.
And it turned out Get-ADGroupMember doesn’t get external contacts…
So I’ll try something else.

That’s correct. Usually those members are irrelevant as long as it is not a distribution group. But if you need all members including contacts you can use the “Members” property of the ADGroup.

# The Members attribute holds the DN of every member, contacts included
Get-ADGroup -Identity 'GroupName' -Properties Members |
    Select-Object -ExpandProperty 'Members'
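Putting the two suggestions above together (compare on sAMAccountName, read the Members attribute so contacts are not dropped, and never hand Compare-Object a $null side when a group is empty in one domain), here is an added example that is not from anyone in this thread. It assumes the ActiveDirectory module, a reachable 'domain2.com', and that every member DN resolves in the same domain as its group; the output path is a placeholder.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory module is
# loaded and 'domain2.com' is reachable from the machine running it.
Import-Module ActiveDirectory
$Domain2 = 'domain2.com'

# Return one comparable key per member of a group. The Members attribute is used
# instead of Get-ADGroupMember so contacts are included; contacts have no
# sAMAccountName, so their DN is used as the key instead.
function Get-MemberKeys {
    param([string]$GroupName, [string]$Server)
    $grpParams = @{ Identity = $GroupName; Properties = 'Members'; ErrorAction = 'Stop' }
    if ($Server) { $grpParams['Server'] = $Server }
    $group = Get-ADGroup @grpParams
    foreach ($dn in @($group.Members)) {
        $objParams = @{ Identity = $dn; Properties = 'sAMAccountName'; ErrorAction = 'Stop' }
        if ($Server) { $objParams['Server'] = $Server }
        try {
            $obj = Get-ADObject @objParams
            if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.DistinguishedName }
        } catch {
            # Member lives in another domain (e.g. a foreign security principal): keep the raw DN
            $dn
        }
    }
}

# Groups present in both domains, matched on sAMAccountName rather than Name
$groupsDomain1 = Get-ADGroup -Filter *
$groupsDomain2 = Get-ADGroup -Filter * -Server $Domain2
$commonGroups  = Compare-Object -ReferenceObject $groupsDomain1 -DifferenceObject $groupsDomain2 `
    -Property sAMAccountName -ExcludeDifferent -IncludeEqual -PassThru

$report = foreach ($grp in $commonGroups) {
    # @() turns an empty result into an empty array, so an empty group on either side
    # no longer triggers "Cannot bind argument to parameter 'DifferenceObject' because it is null"
    $d1 = @(Get-MemberKeys -GroupName $grp.sAMAccountName)
    $d2 = @(Get-MemberKeys -GroupName $grp.sAMAccountName -Server $Domain2)
    Compare-Object -ReferenceObject $d1 -DifferenceObject $d2 |
        Select-Object @{ n = 'Group';  e = { $grp.sAMAccountName } },
                      @{ n = 'Member'; e = { $_.InputObject } },
                      @{ n = 'OnlyIn'; e = { if ($_.SideIndicator -eq '<=') { $env:USERDNSDOMAIN } else { $Domain2 } } }
}

# Placeholder output path; every row is a member that exists in only one of the two domains
$report | Export-Csv -Path 'C:\temp\membership-diff.csv' -NoTypeInformation
```

Groups with identical membership produce no rows, so an empty CSV means the common groups already match.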

Well, the groups I want to compare don’t have external users, it seems.
I found out using this:

$csv = Import-Csv C:\Users\user\Desktop\grpstocompare.csv
foreach ($grp in $csv) {
    # Look for contact objects whose memberOf points at this group's DN
    $obj = (Get-ADGroup -Identity $grp.InputObject).distinguishedname
    Get-ADObject -Filter {(memberof -eq $obj) -and (objectclass -eq 'contact')}
}

So what I’ll do is compare the groups that exist on both domains using Get-ADGroupMember,
then I’ll merge the rest of the groups from domain2 to domain1.
This should solve it.
Thanks a lot @Olaf

Have a nice day

Great that it was helpful and that you found a solution.

And thanks for sharing. :+1: :slight_smile: