3 Part AD Query

This topic contains 2 replies, has 3 voices, and was last updated by Rob Simmers 5 months, 3 weeks ago.

  • #69786


    I'm working on a 3-part query but can't seem to figure out parts 2 & 3.

    Here's what I'm trying to accomplish: Our office uses AD groups to apply drive maps via group policy. We have so many divisions/groups that it's becoming difficult to manage who has what drive!

    The AD group name specifies what drive they are getting (ex 15-M) which means that the user will see division 15's network share as a letter "M" on their workstation. It's difficult to manage because people sometimes belong to multiple "XX-M" groups (they might belong to 15-M & 16-M) — obviously they can only have a single M: drive so GP picks the one with a lower order number.

    The query I'm trying to run in PowerShell would do these three things:

    1) Collect all groups that end with "-M". For example, 15-M, 16-M, 17-M — you get the picture
    2) Get ALL members/samaccountnames from the groups returned in part #1. Create one big list that contains all samaccountnames for the "XX-M" groups
    3) Compare the compiled list and identify any duplicate names. Obviously if UserX shows up on that list more than once it would be problematic because that means he/she would be configured to receive multiple M: drives.

    Part #1 was no problem. But I can't seem to get part #2 to work & to be honest part #3 is well out of my realm. Even if I could get parts 1 & 2 to work I could do a manual compare in Excel. I'm not looking for someone to completely answer this for me, I'm just doing a sanity check to make sure that my logic is correct. If anyone can point me in the right direction it would be greatly appreciated!

    Here's what I have so far:

    # Part 1: names of all groups in the OU that end in -M
    $targets = Get-ADGroup -Filter * -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com" | where name -Like "*-m" | select -ExpandProperty name
    # Part 2: enumerate the members of each group; the loop variable, not the whole list, goes to -Identity
    foreach ($Person in $targets) {
        Get-ADGroupMember -Identity $Person | select -ExpandProperty SamAccountName
    }
  • #69787

    Matt Bloomfield

    I think your logic is broadly correct. I would build a custom object that links the group name to the user:

    #Note use the -filter parameter to avoid getting all groups and then filtering with Where-Object
    $groups = Get-ADGroup -filter "Name -like '*-m'" -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com"
    $userArray = @()
    foreach ($group in $groups) {
        foreach ($user in Get-ADGroupMember $group) {
            $userObj = [PSCustomObject] @{
                groupName = $group.Name
                sAMAccountName = $user.sAMAccountName
            } #end $userObj creation
            $userArray += $userObj
        } #end foreach $user
    } #end foreach $group

    Once you have an array of user objects you could export to CSV for sorting but, of course, you can also use PowerShell to process the results.

    $userArray | Group-Object sAMAccountName | Where-Object {$_.count -gt 1}

    Will give you all users that appear in more than one group.

  • #69790

    Rob Simmers

    Matt beat me to it...

    $groups = Get-ADGroup -Filter {Name -like "*-m"} -SearchBase "OU=Drive Mappings,OU=Groups,DC=company,DC=com"
    # Collect every member of every -M group into one array
    $groupMembers = foreach ($group in $groups) {
        Get-ADGroupMember -Identity $group
    }
    # A name that occurs more than once is a user mapped to M: by several groups
    $groupMembers |
    Group-Object -Property Name -NoElement |
    Where{$_.Count -gt 1}
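As an added example that is not code from either answer above, the following function combines the two approaches and generalises them to every drive-letter suffix in the OU: it reports each user who is a member of more than one group for the same letter, together with the conflicting group names. It assumes the ActiveDirectory module and the same SearchBase the posters used; the function name Get-DriveMapConflict is chosen here.

```powershell
# Added example (not from the thread above): report users assigned the same drive
# letter by more than one AD group. Assumes the ActiveDirectory module and the
# "Drive Mappings" OU used by the posters; Get-DriveMapConflict is a name chosen here.
function Get-DriveMapConflict {
    [CmdletBinding()]
    param(
        [string]$SearchBase = "OU=Drive Mappings,OU=Groups,DC=company,DC=com",
        # Limit the check to one letter (e.g. 'M'); leave empty to check every XX-<letter> group.
        [string]$DriveLetter = ''
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Group names look like 15-M, 16-M, 07-N; the character after the last '-' is the drive letter.
    $suffix = if ($DriveLetter) { "-$([regex]::Escape($DriveLetter))$" } else { '-[A-Za-z]$' }
    $groups = Get-ADGroup -Filter "Name -like '*-*'" -SearchBase $SearchBase |
        Where-Object { $_.Name -match $suffix }

    # One record per (user, drive letter, group). -Recursive follows nested groups, and the
    # objectClass check keeps nested group objects themselves out of the user list.
    $memberships = foreach ($group in $groups) {
        $letter = ($group.Name -split '-')[-1].ToUpper()
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [PSCustomObject]@{
                    SamAccountName = $_.SamAccountName
                    DriveLetter    = $letter
                    GroupName      = $group.Name
                }
            }
    }

    # A conflict is a user reached by more than one distinct group for the same letter.
    $memberships |
        Group-Object -Property SamAccountName, DriveLetter |
        ForEach-Object {
            $groupNames = @($_.Group.GroupName | Sort-Object -Unique)
            if ($groupNames.Count -gt 1) {
                [PSCustomObject]@{
                    SamAccountName = $_.Group[0].SamAccountName
                    DriveLetter    = $_.Group[0].DriveLetter
                    Groups         = $groupNames -join ', '
                }
            }
        } | Sort-Object DriveLetter, SamAccountName
}

# Usage: Get-DriveMapConflict -DriveLetter M | Export-Csv .\m-drive-conflicts.csv -NoTypeInformation
```

Because the Groups column lists every group that assigns the letter, the output also shows which of the "lower order number" groups Group Policy will actually honour for each conflicting user.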
