New script: Compare group membership of AD accounts

Today I laid down the last lines of code on a script that compares group membership between two Active Directory user accounts. Based on the differences in group membership, the group membership of the destination account is modified. The script only prompts for information through a user interface, making it easy to use. The script is available in the TechNet Script Center Repository.
GUI – Compare group membership of two users and change user membership

Although the script is completely GUI driven, it does accept two parameters, sourceaccount and destinationaccount. If the parameters are not supplied, the script prompts the user for both the source and the destination account.

I made the choice to use the Visual Basic assembly in order to display and gather the information. At the start of the script I use the following line of code to load this assembly:


Then I use Microsoft.VisualBasic.Interaction to create the input box in which the source account can be entered:

[Microsoft.VisualBasic.Interaction]::InputBox("Text", "Title", "Defaultvalue")

Followed by a prompt for the Destination user, the user on which the changes to group membership will be applied.

Assuming both users exist, the script will now verify if there are any differences in group membership. It looks for two differences:

  • Groups that the source user is a member of and the destination user is not
  • Groups that the destination user is a member of and the source user is not

I use the Compare-Object cmdlet to compare the group membership of both users, and the SideIndicator property of its output tells me which account is a member of which groups. For example, the following code returns the groups the source user is a member of but the destination user is not:

compare-object $destmember.memberof $sourcemember.memberof |
where-object {$_.sideindicator -eq '=>'}

Using the same logic we can also determine which groups the destination user is a member of but the source user is not, either by switching the SideIndicator to '<=' or by swapping the order of the $destmember and $sourcemember objects.

If there are any differences in either category, the script will prompt the user with the action it intends to take.

The list of groups displayed in this window is built from the Compare-Object output, which I expand using the Select-Object cmdlet. The output is then piped into a Foreach-Object loop in which each group's distinguished name is reduced to its common name to present a more readable format. This is done with a regular expression combined with the split method. The complete list of clean group names is then joined up, one group per line, using the -join operator. Here is an example of the code I used for this:

(Compare-Object $destmember.memberof $sourcemember.memberof |
where-object {$_.sideindicator -eq '=>'} | Select -Expand Inputobject |
Foreach {([regex]::split($_,'^CN=|,.+$'))[1]}) -join "`n"

Similarly if the destination user has group membership of a group the source user is not a member of, the script will prompt if the destination user should be removed from those groups.

Based on the answers given on these prompts, the script will now execute one of these options:

  • Nothing
  • Add destination user to source user’s groups
  • Remove destination user from any groups that source is not a member of
  • Both add and remove the destination user from groups so that its membership matches the source user's account, effectively cloning group membership.

After the script completes it will display a message informing the user that the actions have successfully been executed.
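The complete compare-and-clone flow described above (the InputBox prompts, the Compare-Object diff, the readable group list, and the add/remove/both actions), as an added example that is not the script from the TechNet repository. It uses -WhatIf/-Confirm instead of the script's own message boxes so that the intended changes can be previewed before anything is written to AD; the account names in the usage line are assumptions.

```powershell
# Added example, not the TechNet script: compare and sync group membership of
# two AD users. Requires the ActiveDirectory module on the machine running it.
#Requires -Modules ActiveDirectory

function Read-AccountName {
    # Same approach as the post: the Visual Basic assembly's InputBox.
    param([string]$Prompt, [string]$Title)
    Add-Type -AssemblyName Microsoft.VisualBasic
    [Microsoft.VisualBasic.Interaction]::InputBox($Prompt, $Title, '')
}

function Get-GroupMembershipDiff {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceAccount,
        [Parameter(Mandatory)][string]$DestinationAccount
    )
    $src = Get-ADUser -Identity $SourceAccount      -Properties MemberOf
    $dst = Get-ADUser -Identity $DestinationAccount -Properties MemberOf

    # '=>' marks groups only in the second list (source),
    # '<=' marks groups only in the first list (destination).
    $diff = Compare-Object -ReferenceObject @($dst.MemberOf) -DifferenceObject @($src.MemberOf)

    [pscustomobject]@{
        Source      = $src.SamAccountName
        Destination = $dst.SamAccountName
        ToAdd       = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
        ToRemove    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
    }
}

function Invoke-GroupMembershipSync {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$SourceAccount,
        [string]$DestinationAccount,
        [switch]$Add,
        [switch]$Remove
    )
    # Fall back to the GUI prompts when the parameters were not supplied.
    if (-not $SourceAccount)      { $SourceAccount      = Read-AccountName 'Source account (sAMAccountName)' 'Source' }
    if (-not $DestinationAccount) { $DestinationAccount = Read-AccountName 'Destination account (sAMAccountName)' 'Destination' }

    $diff = Get-GroupMembershipDiff -SourceAccount $SourceAccount -DestinationAccount $DestinationAccount

    # Resolve each DN to the group's Name instead of regex-splitting the DN;
    # this also copes with escaped commas inside a CN.
    $addNames    = @($diff.ToAdd    | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $removeNames = @($diff.ToRemove | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    if ($Add -and $diff.ToAdd.Count -gt 0) {
        if ($PSCmdlet.ShouldProcess($diff.Destination, "Add to groups:`n$($addNames -join "`n")")) {
            foreach ($dn in $diff.ToAdd) { Add-ADGroupMember -Identity $dn -Members $diff.Destination }
        }
    }
    if ($Remove -and $diff.ToRemove.Count -gt 0) {
        if ($PSCmdlet.ShouldProcess($diff.Destination, "Remove from groups:`n$($removeNames -join "`n")")) {
            foreach ($dn in $diff.ToRemove) { Remove-ADGroupMember -Identity $dn -Members $diff.Destination -Confirm:$false }
        }
    }
    $diff
}

# Usage (assumed account names): preview the changes first, then rerun without
# -WhatIf; -Add alone, -Remove alone, or both map to the three actions above.
Invoke-GroupMembershipSync -SourceAccount 'jdoe' -DestinationAccount 'asmith' -Add -Remove -WhatIf
```

Cloning membership means the destination account silently inherits every privilege the source account holds, so the preview step matters: the diff object is returned as well, which lets you log exactly which groups were added or removed for each run.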

That is the basic functionality of this script: it allows for easy cloning of group memberships using PowerShell. The script requires the ActiveDirectory module to be installed on the machine on which it is executed. Let me know what you think of this script!


1 thought on “New script: Compare group membership of AD accounts”

  1. riccardo

    Hi Jaap,
    thank you for sharing this script!
    Could you help me modify it to compare group membership of AD groups?

