AD Groups Script Examples (PowerShell)

From vwiki

Group Member Deduplication

This script is for use when you want to remove users/members from one group who also exist in another group. It gets the members of both groups, compares them, and removes from the second group every user that is also a member of the first. Only objects of class "user" are considered; nested groups and other principals are skipped and reported.

$RefGroupName = "Group A"                                # Reference group (which isn't touched)
$ModGroupName = "Group B"                                # Group to have users removed from if they exist in the above group

$MakeChanges = $true                                     # Set to $false to see what would be done (no removals)

$cred = Get-Credential -Message "Domain Admin user/pass" # Used only for the Remove-ADGroupMember calls

Import-Module ActiveDirectory

# Get-ADGroupMember returns the direct members only (ADPrincipal objects with
# Name, SamAccountName and objectClass); nested groups are not expanded.
$RefGroup = Get-ADGroup $RefGroupName
$RefGroupMembers = Get-ADGroupMember $RefGroup

$ModGroup = Get-ADGroup $ModGroupName
$ModGroupMembers = Get-ADGroupMember $ModGroup

foreach ($user in $ModGroupMembers) {
    # Only user objects are compared; groups, computers etc. are left alone
    if ($user.objectClass -ne "user") {
        Write-Host ("Skipping non-user " + $user.Name)
        Continue
    }

    if ($RefGroupMembers | Where-Object { $_.SamAccountName -eq $user.SamAccountName }) {
        Write-Host ($user.SamAccountName + " (" + $user.Name + ") exists in both groups")
        if ($MakeChanges) {
            Remove-ADGroupMember -Identity $ModGroup -Members $user -Confirm:$false -Credential $cred
            Write-Host ($user.SamAccountName + " (" + $user.Name + ") removed from $ModGroupName")
        }
    } else {
        Write-Host ($user.SamAccountName + " (" + $user.Name + ") exists in only $ModGroupName")
    }
}
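As an added example (not from the vwiki page), the same deduplication written as a function that supports -WhatIf and -Confirm through ShouldProcess, compares members by SID instead of SamAccountName (a SID survives account renames, a logon name does not), and returns a record of what it removed so the run can be logged. "Group A", "Group B" and the CSV path are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module; group names and the audit file path below are placeholders.
Import-Module ActiveDirectory

function Remove-DuplicateGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ReferenceGroup,   # left untouched
        [Parameter(Mandatory)] [string] $TargetGroup,      # members are removed from here
        [pscredential] $Credential                          # optional, for the removal only
    )

    # Index the reference group's users by SID. Get-ADGroupMember returns
    # ADPrincipal objects whose SID property is a SecurityIdentifier.
    $refSids = @{}
    Get-ADGroupMember -Identity $ReferenceGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $refSids[$_.SID.Value] = $true }

    $removed = @()
    foreach ($member in Get-ADGroupMember -Identity $TargetGroup) {
        if ($member.objectClass -ne 'user') {
            Write-Verbose "Skipping non-user $($member.Name)"
            continue
        }
        if (-not $refSids.ContainsKey($member.SID.Value)) { continue }

        # ShouldProcess gives -WhatIf for free and, with ConfirmImpact High,
        # prompts before each removal unless the caller passes -Confirm:$false.
        if ($PSCmdlet.ShouldProcess($TargetGroup, "Remove $($member.SamAccountName)")) {
            $params = @{ Identity = $TargetGroup; Members = $member; Confirm = $false }
            if ($Credential) { $params['Credential'] = $Credential }
            Remove-ADGroupMember @params
            $removed += $member.SamAccountName
        }
    }

    # One summary object per run; pipe it to Export-Csv for an audit trail.
    [pscustomobject]@{
        Timestamp      = (Get-Date).ToString('o')
        ReferenceGroup = $ReferenceGroup
        TargetGroup    = $TargetGroup
        RemovedCount   = $removed.Count
        Removed        = ($removed -join ';')
    }
}

# Dry run first: prints "What if: Performing the operation ..." per user, changes nothing.
Remove-DuplicateGroupMembers -ReferenceGroup 'Group A' -TargetGroup 'Group B' -WhatIf -Verbose

# Real run with an explicit credential, no per-user prompt, and a CSV audit record:
# $cred = Get-Credential -Message 'Domain Admin user/pass'
# Remove-DuplicateGroupMembers -ReferenceGroup 'Group A' -TargetGroup 'Group B' `
#     -Credential $cred -Confirm:$false | Export-Csv -Path .\dedup-audit.csv -NoTypeInformation
```

The SID comparison and the audit object are the two things the original script does not give you: a rename of a logon name cannot make a user slip through the comparison, and every removal is written down with a timestamp rather than scrolling past in the console.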

Compare Group Members

This script builds a table with one row per user and one boolean column per group, showing which of the listed groups each user belongs to. This lets you compare a number of groups side by side in a sortable, filterable grid (Out-GridView).

$GroupNames = @()
$GroupNames += "Group A"
$GroupNames += "Group B"
$GroupNames += "Group C"
$GroupNames += "Group D"

Import-Module ActiveDirectory

# Create table for output
$table = New-Object system.Data.DataTable "Groups"
$col1 = New-Object system.Data.DataColumn Signum,([string])
$col2 = New-Object system.Data.DataColumn Name,([string])

$table.columns.add($col1)
$table.columns.add($col2)

# Add columns for each group
foreach ($GroupName in $GroupNames) {
    $table.columns.add((New-Object system.Data.DataColumn $GroupName,([bool])))
}

# Go through each group
foreach ($GroupName in $GroupNames) {
    Write-Host "Getting members of $GroupName..."
    $GroupMembers = Get-ADGroupMember $GroupName

    foreach ($user in $GroupMembers) {
        if ($user.objectClass -ne "user") {
            # Nested groups and other non-user members are skipped; add handling for groups here if you need them expanded
            Continue
        }

        # Check if row already exists for user, otherwise create a new row.
        # The Select() argument is a DataTable filter expression, so a quote in the
        # account name must be doubled or the expression breaks.
        $row = $table.Select("Signum = '" + $user.SamAccountName.Replace("'", "''") + "'")
        if ($row.count) {
            $row[0][$GroupName] = $true
        } else {
            $row = $table.NewRow()
            $row.Signum = $user.SamAccountName
            $row.Name = $user.name
            $row[$GroupName]= $true
            $table.Rows.Add($row)
        }
    }
}

$table.AcceptChanges()

# -Property * is required in Windows PowerShell (5.1 and earlier) for -ExcludeProperty to take effect
$table | Select-Object -Property * -ExcludeProperty RowError, RowState, Table, ItemArray, HasErrors | Out-GridView -Title "Group Compare results"
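The comment in the loop above leaves nested groups unhandled. As an added example (not from the vwiki page), the following resolves membership through nested groups with a visited set so that circular nesting (A contains B contains A) cannot recurse forever, then produces the same Signum/Name/one-column-per-group grid as PSCustomObjects, which Export-Csv and Out-GridView both accept directly. Group names and the CSV path are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module; group names and the output path are placeholders.
Import-Module ActiveDirectory

function Get-NestedUserMembers {
    # Emits every user reachable from $GroupName, following nested groups.
    # $Visited holds the DNs of groups already expanded, which stops cycles
    # and avoids expanding the same group twice.
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [hashtable] $Visited = @{}
    )
    $group = Get-ADGroup -Identity $GroupName
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true

    foreach ($member in Get-ADGroupMember -Identity $group) {
        switch ($member.objectClass) {
            'user'  { $member }
            'group' { Get-NestedUserMembers -GroupName $member.DistinguishedName -Visited $Visited }
            default { Write-Verbose "Skipping $($member.objectClass) $($member.Name)" }
        }
    }
}

function Compare-GroupMembership {
    # Returns one object per user with a boolean property per group.
    param([Parameter(Mandatory)] [string[]] $GroupNames)

    $rows = [ordered]@{}   # key: SamAccountName, value: ordered hashtable for that row
    foreach ($groupName in $GroupNames) {
        Write-Verbose "Resolving members of $groupName (including nested groups)..."
        # A user reachable via two nested paths appears twice; -Unique collapses that.
        $members = Get-NestedUserMembers -GroupName $groupName | Sort-Object SamAccountName -Unique
        foreach ($user in $members) {
            if (-not $rows.Contains($user.SamAccountName)) {
                $row = [ordered]@{ Signum = $user.SamAccountName; Name = $user.Name }
                foreach ($g in $GroupNames) { $row[$g] = $false }   # every group column present on every row
                $rows[$user.SamAccountName] = $row
            }
            $rows[$user.SamAccountName][$groupName] = $true
        }
    }
    foreach ($row in $rows.Values) { [pscustomobject]$row }
}

$groups = 'Group A', 'Group B', 'Group C', 'Group D'
$result = Compare-GroupMembership -GroupNames $groups -Verbose
$result | Export-Csv -Path .\group-compare.csv -NoTypeInformation
$result | Out-GridView -Title 'Group Compare results (nested membership resolved)'
```

Pre-filling every group column with $false on row creation matters for the CSV output: without it, a user first seen in a later group would have an empty cell rather than False for the earlier groups, which makes the file harder to filter.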