AD Groups Script Examples (PowerShell)

From vwiki
Jump to navigation Jump to search

Group Member Deduplication

This script is for use when you want to remove users/members from one group that also exist in another. It gets a list of users from both groups and then compares, removing duplicates from one of the groups.

$RefGroupName = "Group A"                                # Reference group (which isn't touched)
$ModGroupName = "Group B"                                # Group to have users removed from if they exist in the above group

$MakeChanges = $true                                     # Set to $false to see what would be done

$cred = Get-Credential -Message "Domain Admin user/pass"

Import-Module ActiveDirectory

$RefGroup = Get-ADGroup $RefGroupName
$RefGroupMembers = Get-ADGroupMember $RefGroup

$ModGroup = Get-ADGroup $ModGroupName
$ModGroupMembers = Get-ADGroupMember $ModGroupName

foreach ($user in $ModGroupMembers) {
    if ($user.objectClass -ne "user") {
        Write-Host ("Skipping non-user " + $user.Name)
        Continue
    }

    if ($RefGroupMembers | ?{$_.SamAccountName -eq $user.SamAccountName}) {
        Write-Host ($user.SamAccountName + " (" + $user.Name + ") exists in both groups")
        if ($MakeChanges) {
            Remove-ADGroupMember -Identity $ModGroup -Members $user -Confirm:$false -Credential $cred
            Write-Host ($user.SamAccountName + " (" + $user.Name + ") removed from $ModGroupName")
        }
         
    } else {
        Write-Host ($user.SamAccountName + " (" + $user.Name + ") exists in only $ModGroupName")
    }
}

Compare Group Members

This script creates a table of all the members of some groups. This enables you to compare a number of groups side by side in a flexible grid.

$GroupNames = @()
$GroupNames += "Group A"
$GroupNames += "Group B"
$GroupNames += "Group C"
$GroupNames += "Group D"

Import-Module ActiveDirectory

# Create table for output
$table = New-Object system.Data.DataTable "Groups"
$col1 = New-Object system.Data.DataColumn Signum,([string])
$col2 = New-Object system.Data.DataColumn Name,([string])

$table.columns.add($col1)
$table.columns.add($col2)

# Add columns for each group
foreach ($GroupName in $GroupNames) {
    $table.columns.add((New-Object system.Data.DataColumn $GroupName,([bool])))
}

# Go through each group
foreach ($GroupName in $GroupNames) {
    Write-Host "Getting members of $GroupName..."
    $GroupMembers = Get-ADGroupMember $GroupName

    foreach ($user in $GroupMembers) {
        if ($user.objectClass -ne "user") {
            # Add handling for groups here !
            Continue
        }

        # Check if row already exists for user, otherwise create a new row
        $row = $table.Select("Signum = '" + $user.SamAccountName + "'")
        if ($row.count) {
            $row[0][$GroupName] = $true
        } else {
            $row = $table.NewRow()
            $row.Signum = $user.SamAccountName
            $row.Name = $user.name
            $row[$GroupName]= $true
            $table.Rows.Add($row)
        }
    }
}

$table.AcceptChanges()

$table | Select -ExcludeProperty RowError, RowState, Table, ItemArray, HasErrors | Out-GridView -Title "Group Compare results"