Comparing AD group membership on EmployeeId

Back in this post – http://itknowledgeexchange.techtarget.com/powershell/comparing-group-membership/ I showed how to compare the membership of two groups using Compare-Object. The comparison was based on the samAccountName. A question raised the issue of comparing AD group membership on EmployeeId

In the case in particular users have multiple accounts BUT the EmployeeId is correct on all and will therefore show matching users. Assuming the EmployeeId is correct on all accounts it still leaves a problem.

When you run Get-ADGroupMember you get a very limited number of properties returned:

PS>  Get-ADGroupMember -Identity Testgroup1

 distinguishedName : CN=JONES James,OU=UserAccounts,DC=Manticore,DC=org
 name              : JONES James
 objectClass       : user
 objectGUID        : 027cb406-a3b0-4f45-9bbd-db47ccfb9212
 SamAccountName    : JamesJones
 SID               : S-1-5-21-759617655-3516038109-1479587680-1225

First thing I needed to do was set up some users with an EmployeeId

$ei = 1

 Get-ADUser -Filter {Name -like "*Jones*"} -Properties EmployeeId |

 foreach {
   $id =  23945 + $ei
   
   $psitem | Set-ADUser -EmployeeID $id

  $ei = $ei + (Get-Random -Minimum 3 -Maximum 12)

 }

Get a set of users – including the EmployeeId – and forech of them set the id. The id is randomly generated based on a starting value and increment.

Now that the users have an Employeeid you can use that for comparison purposes

$group1 = Get-ADGroupMember -Identity Testgroup1 | 
 foreach {
   Get-ADUser -Identity $psitem.distinguishedName -Properties EmployeeId | 
   select -ExpandProperty EmployeeId
 }

$group2 = Get-ADGroupMember -Identity Testgroup2 | 
 foreach {
   Get-ADUser -Identity $psitem.distinguishedName -Properties EmployeeId | 
   select -ExpandProperty EmployeeId
 }

 Compare-Object -ReferenceObject $group1 -DifferenceObject $group2 -IncludeEqual |             
 where SideIndicator -eq "==" |            
 foreach {            
  $id = ($_.InputObject)        
             
  Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId            
 }

Get the membership of the first group and for each member use Get-ADUser to return the EmployeeId. Repeat for the second group.

Use  Compare-Object to compare the two sets of group members – you’re looking for matches indicated by “==”

Foreach match get the AD user account filtering on the EmployeeID.

The PROBLEM with this approach is that you’ll get all user accounts returned that have the particular EmployeeId.   You can replace the line

Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId

with

Get-ADUser -Filter {EmployeeId -eq $id} -Properties EmployeeId, MemberOf | where {$_.MemberOf -like “*Testgroup1*” -AND $_.MemberOf -like  “*Testgroup2*”}

Which should resolve the problem

Advertisements
This entry was posted in PowerShell and Active Directory. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s