#PowershellBasics: Finding a common AD group for a set of users.

3

June 17, 2021 by Kenneth Fisher

A while back (almost 7 years 😲) I wrote a post on finding the common AD groups of a set of users using T-SQL. This is pretty handy when you need to set up permissions for

  • A group of people
  • Only want to use AD groups for your security (it’s a good idea)
  • They have no idea what AD group they should use (virtually. every. single. time.)

The T-SQL version works great, but it does have a couple of flaws. The biggest one being you need to be able to impersonate each of the users. The other is that it’s T-SQL which is great, but when you only have T-SQL it’s a bit restrictive. Recently one of my co-workers (Thanks Andrew!) gave me a handy dandy little PowerShell script that does almost exactly the same thing.

Initially I had planned on having you run a script to create some windows users and groups, but I discovered that one of these commands (guess which 😉) will only work if AD is set up, and I didn’t have time (or the knowledge) to get it set up on my Azure VM. So instead let’s go straight to the PowerShell script.

$ADGroups=Get-ADPrincipalGroupMembership Dopey | select name
$ADGroups2=Get-ADPrincipalGroupMembership Sleepy | select name

#Compare-Object $ADGroups $ADGroups2
Compare-Object $ADGroups $ADGroups2 -IncludeEqual

I will note that I had a hard time getting this to run initially. I found some answers here. Specifically I ran this script.

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell

Import-Module ActiveDirectory

And I ended up with this output:

InputObject                                  SideIndicator
-----------                                  -------------
@{name=Dwarves}                              =>           
@{name=DwarvesLikeKen}                       =>

Which are the two groups that Dopey and Sleepy belong to. The important commands are:

Get-ADPrincipalGroupMembership : Pretty obvious what this one does.
Compare-Object : This is a pretty neat command that compares two sets of objects. It returns any differences with <= or => to tell you which set of objects the value is in. If you include -IncludeEqual then you will also see == in any cases where the value is in both sets.

Category: Powershell, Security, SQLServerPedia Syndication | Tags: , ,

»
«

3 thoughts on “#PowershellBasics: Finding a common AD group for a set of users.

  1. bigtang says:
    June 17, 2021 at 9:17 AM

    My first Ken Fisher blog shout out! Big day.

    Reply
  2. Shleep says:
    June 21, 2021 at 2:38 PM

    In addition to includeEqual, the ExcludeDifferent switch is your friend here.

    The => is the the groups in which Sleepy is a member, but not Dopey.
    I use ExpandProperty here for readability.

    $ADGroups=Get-ADPrincipalGroupMembership ‘Dopey’ | select -ExpandProperty name
    $ADGroups2=Get-ADPrincipalGroupMembership ‘Sleepy’ | select -ExpandProperty name

    #Compare-Object $ADGroups $ADGroups2
    Compare-Object $ADGroups $ADGroups2 -IncludeEqual -ExcludeDifferent

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Follow me via RSS

RSS Feed RSS - Posts

RSS Feed RSS - Comments

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 3,753 other subscribers

Follow me on Twitter

@sqlstudent144

Archives

Categories

Meta

ToadWorld Pro of the Month November 2013
%d bloggers like this: