PowerShell for Windows Admins

Aug 30 2017   8:59AM GMT

Comparing AD group membership on EmployeeId

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Tags:
Active Directory
Powershell

Back in this post – https://itknowledgeexchange.techtarget.com/powershell/comparing-group-membership/ I showed how to compare the membership of two groups using Compare-Object. The comparison was based on the samAccountName. A question raised the issue of comparing AD group membership on EmployeeId

In the case in particular users have multiple accounts BUT the EmployeeId is correct on all and will therefore show matching users. Assuming the EmployeeId is correct on all accounts it still leaves a problem.

When you run Get-ADGroupMember you get a very limited number of properties returned:

PS> Get-ADGroupMember -Identity Testgroup1

distinguishedName : CN=JONES James,OU=UserAccounts,DC=Manticore,DC=org
 name : JONES James
objectClass : user
objectGUID : 027cb406-a3b0-4f45-9bbd-db47ccfb9212
 SamAccountName : JamesJones
 SID : S-1-5-21-759617655-3516038109-1479587680-1225

First thing I needed to do was set up some users with an EmployeeId

$ei = 1
 Get-ADUser -Filter {Name -like "*Jones*"} -Properties EmployeeId |
foreach {
 $id = 23945 + $ei
 
 $psitem | Set-ADUser -EmployeeID $id

$ei = $ei + (Get-Random -Minimum 3 -Maximum 12)
 }

Get a set of users – including the EmployeeId – and forech of them set the id. The id is randomly generated based on a starting value and increment.

Now that the users have an Employeeid you can use that for comparison purposes

$group1 = Get-ADGroupMember -Identity Testgroup1 | 
foreach {
 Get-ADUser -Identity $psitem.distinguishedName -Properties EmployeeId | 
 select -ExpandProperty EmployeeId
 }

$group2 = Get-ADGroupMember -Identity Testgroup2 | 
foreach {
 Get-ADUser -Identity $psitem.distinguishedName -Properties EmployeeId | 
 select -ExpandProperty EmployeeId
 }


 Compare-Object -ReferenceObject $group1 -DifferenceObject $group2 -IncludeEqual | 
 where SideIndicator -eq "==" | 
foreach { 
 $id = ($_.InputObject) 
 
 Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId 
 }

Get the membership of the first group and for each member use Get-ADUser to return the EmployeeId. Repeat for the second group.

Use Compare-Object to compare the two sets of group members – you’re looking for matches indicated by “==”

Foreach match get the AD user account filtering on the EmployeeID.

The PROBLEM with this approach is that you’ll get all user accounts returned that have the particular EmployeeId. You can replace the line

Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId

with

Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId, MemberOf | where {$_.MemberOf -like “*Testgroup1*” -AND $_.MemberOf -like “*Testgroup2*”}

Which should resolve the problem

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: