PowerShell to Find Users in Multiple AD Groups

PowerShell to Find Users in Multiple AD Groups

Another of the engineer that I would with came to me with a scripting issue.  They had a list of 185 users account that he needed to find if they were members of a list of 6 AD groups.  So that is where PowerShell and I come into this issue.  So after thinking about this issue, it all came down to a comparing the lists.

I’m Not Lazy, I Just Don’t Like the Same Stuff Over Again

I live by the motto, “if you have to do it more than once, script it“.  I have lived by this mantra for a long time, and has basically helped me to get into the position that I in today.   All that aside, I racked my brain on how to complete this task as i normally start out over complicating the issue.  So after having a complex script that still didn’t get the results, I remember the command Compare-Object.

$users = Get-Content C:\scripts\logs\users.txt
$CitrixGroups = Get-Content C:\scripts\logs\Citrix_Groups.txt
foreach ($group in $CitrixGroups){
     $AllGroupMembers = (get-adgroup -server $domain -Identity $group | Get-ADGroupMember -Recursive).SamAccountName
     (Compare-Object -ReferenceObject $AllGroupMembers -DifferenceObject $users -IncludeEqual -ExcludeDifferent).inputobject | Out-file C:\Scripts\logs\Citrix\$group.txt 

This script loads the $User variable with the user accounts from a text document and them gets all of the group members from the groups in the variable as $AllGroupMembers one at a time and does a compare.  The switches -IncludeEqual and -ExcludeDifferent sorts the results to see exactly what I want to see.  This also generates a text file using the group name as the filename and includes the members that are included in the $User variable.


A Blog of Another Color

I would like to introduce you to a colleague of mine, and the person that I wrote this script for, Kris Davis.  His blog, XenApplePie, which if you can’t tell by the name, is about all things Citrix.  He is just getting the blog baked and ready for all to enjoy.  He has a ton of knowledge to share about Citrix as he has been supporting it for years.

3 thoughts on “PowerShell to Find Users in Multiple AD Groups”

  1. So I have something similar and like you I will way over complicate the problem.

    We need to know who is in 6-7 AD groups and ensure we note what groups each person are in.
    I do really love the “-recursive” argument that you’ve added and I will probably add it to my script.

    My thoughts on the task is to get the users of each group and keep each in a Variable, compile a list of all the users as an array. Then get the unique users so that there is no duplicates.
    Use “Contains” to go through each user and get a true or false of whether the user exists in each of the Group Arrays (Variables). The output of true/false comparison will add the result as a member property to the user.


    1. Last User,
      This is a good one. Just thinking about this issue as I eat my lunch. I would get the entire list of the users from the 6-7 groups and remove the duplicates, then get the users ad groups memberships and output it to a CSV/excel sheet. The columns of the CSV would be the username, group1, group2, group3, group4, group5, group6, group7. This way you can see the information in an easy to read format, and it can be sort able.

      $groups = "group1","group2","group3","group4","group5","group6"
      $domain = "DomainName"
      $AllGroupMembers = ""
      $Report = @()
      foreach ($Group in $Groups){
          $AllGroupMembers += (get-adgroup -server $domain -Identity $group | Get-ADGroupMember -Recursive).SamAccountName
          $AllgroupMembers += " "
      $SortedMembers = $AllGroupMembers -split " " | Select -Unique | Where {$_ -ne "ServiceAccount1" -and $_ -ne "ServerAccount2"}
      foreach ($member in $SortedMembers){
          $JoinedGroup = (Get-ADPrincipalGroupMembership -Identity $member -server $domain).name
          $Line = "" | Select Name, $groups[0], $groups[1], $groups[2], $groups[3], $groups[4], $groups[5]
          $Line.Name = $member
          IF ($JoinedGroup -contains $groups[0]){$Line."group1" = "true"}
          IF ($JoinedGroup -contains $groups[1]){$Line."group2" = "true"}
          IF ($JoinedGroup -contains $groups[2]){$Line."group3" = "true"}
          IF ($JoinedGroup -contains $groups[3]){$Line."group4" = "true"}
          IF ($JoinedGroup -contains $groups[4]){$Line."group5" = "true"}
          IF ($JoinedGroup -contains $groups[5]){$Line."group6" = "true"}
          $report += $line
      $report | FT

      Pictured below the output of the script
      AD Group Membership

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.