Compare group membership of two users and add target user to groups

The goal of this script is to grant the destination user all the missing memberships when compared to the source user. Any missing memberships will be added by this script while outputting the changes to the console. This script compares the group membership of two AD users, user1

 
 
 
 
 
Active Directory
1/12/2016


  • Great Script - Prompt per group name feature
    1 Posts | Last post November 23, 2018
    • Hi, what a great script. I was wondering, is there a way to have it prompt (Yes or No), per individual group. I would like to be able to add only specific groups, not all, from source to destination.
  • Possible to change this script to only add specific memberships?
    2 Posts | Last post January 12, 2016
    • Hello,
      I would like to use this script to copy specific group memberships.
      
      I would like to copy only memberships that start with "FS_..." Is it possible to use a filter or something else in this script?
    • Sure, I have updated the script to version 1.2.0, here is an example of how to implement this:
      
      .\Compare-ADuserAddGroup.ps1 -SourceAcc testuserabc123 -DestAcc testuserabc456 -MatchGroup '^FS_'
  • Multiple Domains
    3 Posts | Last post June 16, 2015
    • Jaap,
      
      Hello and great script!  I see this question was asked earlier, but the user didn't answer your question.  We have two domains DomainA and DomainB.  I am trying to match missing distribution groups from the top level domain - DomainA so these would be the source accounts, DomainB contains users I need to match.  So DomainB users would become members of DomainA groups.
      
      Thanks!
    • That is an interesting feature, I will set up a test environment with multiple domains so I can properly test this before releasing the updated version. I put this one on my to-do list, I will place an update in here once I have a new version available.
    • Thank you Jaap!
      
      I was able to pass the server parameter in the following sections and get close:
      
      $sourcemember = get-aduser -server domainA.test.com -filter {samaccountname -eq $sourceacc} -property memberof | select memberof
      $destmember = get-aduser -server domainB.test.com
      
      However, I can only pass in one server parameter in the "if" section:
      
      if (("Y","yes") -contains $UserInput) {
      	        compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} | 
      				select -expand inputobject | foreach {add-adprincipalgroupmembership "$_" $destacc -server domainA.test.com}
      
      So either server I pass in, I either resolve the groups or the destination user, but cannot see both sides....
      
      Thanks again!
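
One way to handle the cross-domain case discussed in this thread, as an added example that is not part of the original script or of any post here: read each user from its own domain, then add the destination user object to the group on the group's domain. The function name and parameters are hypothetical, and it assumes the source user's groups all live in the source domain. Each addition prompts for confirmation unless `-Confirm:$false` is passed.

```powershell
#Requires -Modules ActiveDirectory
# Added example; Copy-MissingGroupMembership and its parameters are hypothetical names.
function Copy-MissingGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SourceAcc,
        [Parameter(Mandatory)] [string] $DestAcc,
        [Parameter(Mandatory)] [string] $SourceServer,  # e.g. domainA.test.com
        [Parameter(Mandatory)] [string] $DestServer,    # e.g. domainB.test.com
        [string] $MatchGroup = '.*'                     # regex on the group name
    )

    # Resolve each account against a domain controller of its own domain.
    $source = Get-ADUser -Identity $SourceAcc -Server $SourceServer -Properties MemberOf
    $dest   = Get-ADUser -Identity $DestAcc   -Server $DestServer   -Properties MemberOf

    # Group DNs the source has and the destination does not report.
    $missing = @($source.MemberOf | Where-Object { $dest.MemberOf -notcontains $_ })

    foreach ($groupDN in $missing) {
        # Assumption: the group lives in the source domain.
        $group = Get-ADGroup -Identity $groupDN -Server $SourceServer
        if ($group.Name -notmatch $MatchGroup) { continue }

        # Global groups only accept members from their own domain.
        if ($group.GroupScope -eq 'Global') {
            Write-Warning "Skipped '$($group.Name)': global scope, cannot hold a user from $DestServer."
            continue
        }

        if ($PSCmdlet.ShouldProcess($group.Name, "Add $($dest.SamAccountName)")) {
            try {
                # -Server targets the group's domain; the member is passed as an
                # object so it does not have to be resolved in that domain by name.
                Add-ADGroupMember -Identity $group -Members $dest `
                    -Server $SourceServer -Confirm:$false -ErrorAction Stop
                [pscustomobject]@{ Group = $group.Name; Scope = $group.GroupScope; Added = $true }
            }
            catch {
                Write-Warning "Could not add to '$($group.Name)': $($_.Exception.Message)"
                [pscustomobject]@{ Group = $group.Name; Scope = $group.GroupScope; Added = $false }
            }
        }
    }
}
```

Running it with `-WhatIf` first lists the groups that would be granted without changing any membership.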
      
      
  • Can I set this to do multiple users?
    2 Posts | Last post August 16, 2013
    • Just a quick question and I will try myself to figure it out but this is a really good script and wanted to ask.  I want to allow my helpdesk staff to use this to set new user accounts to proper grouping via templates and would like to offer them the ability to do more than one user per time this script runs, is there a simple method of enabling that?  
    • Hello J Crichton, yes this is possible by utilizing the PowerShell pipeline. Here is an example if you have a list of users stored in a plaintext file:
      Get-Content -Path C:\ListOfNewUsers.txt | ForEach-Object {
          .\Compare-ADuserAddGroup.ps1 -SourceAcc UserUsedForCopy -DestAcc $_
      }
      
      You could add the -NoConfirm switch if you would like to automate this process entirely. Also, if you have your helpdesk staff doing these kinds of tasks, you could also have a look at the GUI version of this script, which is available here:
      http://gallery.technet.microsoft.com/GUI-Compare-group-c5b44e62
  • Multiple Domains
    2 Posts | Last post April 03, 2013
    • How would one add the ability to define the domain a user might be in? We have two operational domains and users occasionally will need to have group membership modeled on a user in Domain A when their user account is in Domain B.
      
      It would also be beneficial to be able to filter certain groups from automatically getting copied between users.
    • How would you like the group membership to be matched? For example, I could imagine two scenarios:
      
      UserA in Domain A member of groups in Domain A
      UserB in Domain B copies memberships of UserA, becomes a member of groups in Domain A
      
      UserC in Domain A member of groups in Domain A
      UserD in Domain B, matches group names of UserC to group names in Domain B becomes member of groups available in DomainB
      
      Which one of these options would you like, or are you looking for something different entirely?
  • What is $a?
    2 Posts | Last post March 26, 2012
    • Shouldn't $a in the last line of the script be $destacc?
    • Hi Richard, thanks for noticing there was indeed a typo there. I have corrected it and also updated the script with some extra functionality and correct checking of groups. Should be fine now.