试图找到一个部门中的所有用户，并比较他们的 AD 组

Question

I'm trying to find all users in a department, and comparing their AD groups, to see if there is any ad groups in common.

I'm a bit new to writing this kind of scripts - hope you can help me.

import-module activedirectory

$afd = "Wright the name of the department you want to compair"
$users = get-ADUser -Filter * -Properties department | Where-Object { $_.department -Like "$afd*" } | Select sAMAccountName, department

$users | Sort-Object -Property department | select samaccountname

ForEach ($user in $users) 
{
    
}

This is where I get stuck, i get til sorted list and would like to see all the ad groups in all the different departments and compare them.

Does anyone have an idea or hint to get me going again?

Regards Simeon

Answer 1

A potentially slower but simpler way is to utilize Get-ADPrincipalGroupMembership .

ForEach ($user in $users) 
{
    $UserGroups = (Get-ADPrincipalGroupMembership $user.SamAccountName).Name
    [pscustomobject]@{
        User = $user.SamAccountName
        GroupsList = $UserGroups # Keeping Groups as a collection
        GroupsString = $UserGroups -join ';' # Delimited (;) string of the groups
}

---

If you use the memberOf property of your user objects, you will already have a groups list (only the distinguishednames as strings). However, it may be harder to work with later in your code because the values will only be strings.

$users = get-ADUser -Filter * -Properties department,memberOf |
    Where-Object { $_.department -Like "$afd*" } |
        Select sAMAccountName,department,memberOf

---

In either case, storing a property value as an array is great for accessing those values later in code. Because $user.memberOf for example will enumerate all the group DN strings for you. However, it won't work for exporting to a CSV as the property values are expected to be single strings.