A while back (almost 7 years ago) I wrote a post on finding the common AD groups of a set of users using T-SQL. This is pretty handy when you need to set up permissions and
- you are dealing with a group of people,
- you only want to use AD groups for your security (it's a good idea), and
- they have no idea what AD group they should use (virtually. every. single. time.)
The T-SQL version works great, but it does have a couple of flaws. The biggest one is that you need to be able to impersonate each of the users. The other is that it's T-SQL, which is great, but when T-SQL is all you have it's a bit restrictive. Recently one of my co-workers (Thanks Andrew!) gave me a handy dandy little PowerShell script that does almost exactly the same thing.
Initially I had planned on having you run a script to create some Windows users and groups, but I discovered that one of these commands (guess which) will only work if AD is set up, and I didn't have time (or the knowledge) to get it set up on my Azure VM. So instead let's go straight to the PowerShell script.
# Groups that each user is a (direct) member of, keeping only the group name
$ADGroups=Get-ADPrincipalGroupMembership Dopey | Select-Object name
$ADGroups2=Get-ADPrincipalGroupMembership Sleepy | Select-Object name
# Without -IncludeEqual only the differences between the two sets are shown
#Compare-Object $ADGroups $ADGroups2
# With -IncludeEqual the groups shared by both users are shown as well (==)
Compare-Object $ADGroups $ADGroups2 -IncludeEqual
I will note that I had a hard time getting this to run initially. I found some answers here. Specifically I ran this script.
Import-Module ServerManager
# Installs the RSAT Active Directory PowerShell module, which provides the Get-AD* cmdlets
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
And I ended up with this output:
InputObject SideIndicator
----------- -------------
@{name=Dwarves} =>
@{name=DwarvesLikeKen} =>
Which are the two groups that Dopey and Sleepy belong to. The important commands are:
Get-ADPrincipalGroupMembership : Pretty obvious what this one does: it returns the AD groups that a given principal (here a user) is a direct member of.
Compare-Object : This is a pretty neat command that compares two sets of objects. It returns any differences with <= (only in the first, reference set) or => (only in the second, difference set) to tell you which set the value is in. If you include -IncludeEqual then you will also see == in any cases where the value is in both sets.
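The two-user comparison above generalises to any number of users by intersecting their group names, which is what you need when a whole team has to be granted access through one existing group. The script below is an added example, not from the original post or Andrew's script; the user and group names in the sample data are constructed, and the live lookup assumes the RSAT ActiveDirectory module is loaded.

```powershell
# Added example (not from the original post): generalises the two-user
# Compare-Object script to any number of users by intersecting group names.
function Get-CommonGroupNames {
    # $GroupsByUser: hashtable of user name -> array of group names.
    param([Parameter(Mandatory)][hashtable]$GroupsByUser)

    if ($GroupsByUser.Count -eq 0) { return @() }

    $users  = @($GroupsByUser.Keys)
    $common = @($GroupsByUser[$users[0]] | Sort-Object -Unique)

    foreach ($user in ($users | Select-Object -Skip 1)) {
        # Keep only the names that also appear in this user's group list.
        $theirs = @($GroupsByUser[$user])
        $common = @($common | Where-Object { $theirs -contains $_ })
    }
    return $common
}

# Live lookup, assuming the RSAT ActiveDirectory module is installed.
# Get-ADPrincipalGroupMembership returns direct memberships only; groups
# reached through nesting are not listed, so rights inherited that way are missed.
function Get-GroupsByUserFromAD {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    $map = @{}
    foreach ($u in $SamAccountName) {
        $map[$u] = @(Get-ADPrincipalGroupMembership -Identity $u |
                     Select-Object -ExpandProperty Name)
    }
    return $map
}

# Constructed sample data (assumed users and groups, not from a real domain),
# so the intersection logic can be exercised without a domain.
$sample = @{
    'Dopey'  = @('Dwarves', 'DwarvesLikeKen', 'MineAccess')
    'Sleepy' = @('Dwarves', 'DwarvesLikeKen', 'NapRoom')
    'Doc'    = @('Dwarves', 'MineAccess')
}
Get-CommonGroupNames -GroupsByUser $sample

# Against a real domain (uncomment when the AD module is loaded):
# Get-CommonGroupNames -GroupsByUser (Get-GroupsByUserFromAD 'Dopey','Sleepy','Doc')
```

If the result is empty there is no existing group that covers everyone, which is the cue to create one rather than to start granting permissions to individual accounts.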