
Not sure if this is even possible, but I'm trying to compare properties of an ADgroup object and a PSCustomObject object. We're in the middle of a user audit which requires validating a list of active employees against our active AD user accounts along with their AD group memberships. Here's a basic breakdown of what I have so far:

(we're defining two separate search paths because we have groups in different OUs)

  • $mainGroups = get-adgroup -filter * -searchbase 'OU_here'
  • $subGroups = get-adgroup -filter * -searchbase 'Different_OU_here'

List of usernames from HR system

  • $sourceUsers = get-content -path 'c:\temp\users.txt'

List of usernames from AD

  • $ADUserName = get-aduser -filter * -searchbase 'User_OU' -searchscope subtree | select -expandproperty SamAccountName

Empty array to store custom object/properties

  • $userObjEQ = @()

Compare HR to AD

  • $compareResults = compare-object -referenceobject $sourceUsers -differenceObject $ADUserName -IncludeEqual

  • Find group memberships of all matching users, create custom object, etc

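    foreach ($result in $compareResults) {
        # '==' marks usernames present in both the HR list and AD
        if ($result.SideIndicator -eq '==') {
            $groupMem = get-adprincipalgroupmembership -identity $result.InputObject
            # Build the object only for matching users, so a stale $groupMem is never reused
            $userObjEQ += [pscustomobject] @{
                'UserName' = $result.InputObject
                'Groups' = $groupMem.Name
            }
        }
    }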
    

From this point on, I want to compare every group from each matching user to the group names from $mainGroups to see if there's a match. If there isn't, then compare it to the $subGroups group names. If there's a match, do nothing; if there's a mismatch, output the username along with any mismatched group names. Just not sure how best to compare these objects. Any hints will be appreciated.

  • So you have a List of Users. You want to get the ADGroups each user is in? Commented Jun 7, 2017 at 16:05
  • @ArcSet No sorry, I have a list of active users from our HR dept. I've stored the usernames from that list into the sourceUsers variable. Then I grabbed a list of usernames from active AD users. I compare both lists and extract only the usernames that match. What I did from there is grabbed a list of all groups that each matching user belongs to. What I want to do now is figure out how to compare each matching user's group to the groups found in the $mainGroups and $subGroups OU. Sorry if I'm not explaining it well. Commented Jun 7, 2017 at 16:49

1 Answer

If your groups are arrays, then use the -contains operator -- if they're not, make them arrays:

    foreach ($u in $users) {
       foreach ($groupdn in $u.memberof) {
          # $groupdn is one group DN from the user's memberOf attribute
          if ($mainGroups -contains $groupdn -or $subGroups -contains $groupdn) {
             ## do something when the users' group exists in the checked sub-groups
          }
       }
    }

...this assumes the $maingroups array is an array of group DNs...


1 Comment

nvm, I think I get what you're doing there. I modified the logic to match my current script and it seems to be doing what I want, so I will accept this as the answer.
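One way to produce the per-user mismatch report the question asks for, as an added example that is not part of the original question or answer. It compares group names rather than DNs; the function name `Find-UnexpectedGroup` and all sample users and group names are constructed for illustration, standing in for the AD query results so the block runs without a domain.

```powershell
# Added example. In the audit script the inputs would come from:
#   (Get-ADGroup -Filter * -SearchBase 'OU_here').Name            -> $mainGroupNames
#   (Get-ADGroup -Filter * -SearchBase 'Different_OU_here').Name  -> $subGroupNames
#   the [pscustomobject] list built in the question's loop        -> $userObjEQ

function Find-UnexpectedGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # objects with UserName and Groups
        [string[]] $MainGroupNames = @(),
        [string[]] $SubGroupNames  = @()
    )

    # AD group names are case-insensitive, so build one case-insensitive
    # lookup set covering both OUs instead of testing two arrays per group.
    $approved = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in @($MainGroupNames) + @($SubGroupNames)) {
        if ($name) { [void]$approved.Add($name) }
    }

    foreach ($user in $Users) {
        # Keep only the groups found in neither OU; users with no groups yield none.
        $unexpected = @($user.Groups | Where-Object { $_ -and -not $approved.Contains($_) })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                UserName         = $user.UserName
                UnexpectedGroups = $unexpected -join '; '
            }
        }
    }
}

# Constructed sample data (not real accounts or groups)
$mainGroupNames = 'Finance-RW', 'HR-Read'
$subGroupNames  = 'VPN-Users'
$userObjEQ = @(
    [pscustomobject]@{ UserName = 'jdoe';   Groups = @('Finance-RW', 'VPN-Users') }
    [pscustomobject]@{ UserName = 'asmith'; Groups = @('hr-read', 'Legacy-Admins') }
    [pscustomobject]@{ UserName = 'bnguyen'; Groups = $null }
)

Find-UnexpectedGroup -Users $userObjEQ -MainGroupNames $mainGroupNames -SubGroupNames $subGroupNames |
    Format-Table -AutoSize
```

For an access audit, the rows this returns are the review queue: each one is an active employee holding a membership outside the two OUs being validated.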
