Had an issue today where two users wanted the same access to a couple of different servers. Best practice says to create a group and keep things clean. With that, I didn't want to create a new AD group if the users were already in a group that only included them.

With that, I threw this PowerShell script together using the Quest tools to query each user, bring back all the groups they're in, compare them to find the matches, then just list out the ones with only two members (AKA User A and User B).

Bit annoyed I couldn't get it working with the PoSH 3 cmdlets, but I ran into problems with Get-ADPrincipalGroupMembership not accepting the identities (not sure if it was due to all the OUs with spaces?), but this is called quick and dirty for a reason 🙂

##################################################################################################
##
##
## Find All Groups that only Contain User A and User B
##
##
##################################################################################################
## Load the Quest AD cmdlets (Get-QADUser / Get-QADGroup / Get-QADGroupMember)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
## Get details for User A (memberOf holds the DNs of the groups the user is directly in)
$userA = Get-QADUser "userA"
$GroupsForUserA = @($userA.memberOf | Get-QADGroup)
## Get details for User B
$userB = Get-QADUser "userB"
$GroupsForUserB = @($userB.memberOf | Get-QADGroup)
## compare A to B: match on the group DN, -PassThru hands back the full group object
$jointGroups = Compare-Object -ReferenceObject $GroupsForUserA -DifferenceObject $GroupsForUserB -Property DN -IncludeEqual -ExcludeDifferent -PassThru
Write-Host "--------------------------------------------------------------" -ForegroundColor Green
Write-Host "-------- Groups with only User A and User B in ----------" -ForegroundColor Green
foreach ($j in $jointGroups){
    ## @() so .Count works even when the group has a single member
    $membersOfGroup = @(Get-QADGroupMember $j.DN)
    ## both users are direct members of every joint group, so a count of 2 means nobody else is in it
    if ($membersOfGroup.Count -le 2 ){
        Write-Host $j.Name -ForegroundColor Green
    }
}
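For anyone who only has the built-in ActiveDirectory module and not the Quest snap-in, here is the same search done that way. This is an added example, not the script from the post above: it reads each user's memberOf attribute and enumerates direct members with Get-ADGroupMember, so Get-ADPrincipalGroupMembership is never called. "userA" and "userB" are placeholder sAMAccountNames.

```powershell
# Added example (not the original post's script): find groups whose only members are two
# given users, using the ActiveDirectory module instead of the Quest cmdlets.
# "userA" / "userB" are placeholder sAMAccountNames.
Import-Module ActiveDirectory

function Get-ExclusiveSharedGroups {
    param(
        [Parameter(Mandatory=$true)] [string] $IdentityA,
        [Parameter(Mandatory=$true)] [string] $IdentityB
    )

    # memberOf is not returned by default, so ask for it explicitly
    $userA = Get-ADUser -Identity $IdentityA -Properties memberOf
    $userB = Get-ADUser -Identity $IdentityB -Properties memberOf

    # memberOf holds distinguished names, so the intersection is a plain string compare.
    # @() keeps .Count working when a user is in zero or one group.
    $shared = @($userA.memberOf | Where-Object { $userB.memberOf -contains $_ })

    foreach ($dn in $shared) {
        # Direct members only (no -Recursive): a group holding the two users plus a
        # nested group is not "only A and B", and should not be reused for them.
        $members = @(Get-ADGroupMember -Identity $dn)

        # Both users are direct members of every shared group, so the group is
        # exclusive to them exactly when it has two members.
        if ($members.Count -eq 2) {
            Get-ADGroup -Identity $dn | Select-Object Name, DistinguishedName
        }
    }
}

Get-ExclusiveSharedGroups -IdentityA "userA" -IdentityB "userB"
```

Passing the DN from memberOf straight to -Identity sidesteps any ambiguity over how a name with spaces or odd OU paths is resolved, since a DN is always an unambiguous identity for Get-ADGroup and Get-ADGroupMember. The check is deliberately -eq 2 rather than -le 2: a shared group can never have fewer than two direct members, so anything else indicates a query problem rather than a match.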