
Not sure if this is even possible, but I'm trying to compare properties of an ADgroup object and a PSCustomObject object. We're in the middle of a user audit which requires validating a list of active employees against our active AD user accounts along with their AD group memberships. Here's a basic breakdown of what I have so far:

(we're defining two separate search paths because we have groups in different OUs)

  • $mainGroups = get-adgroup -filter * -searchbase 'OU_here'
  • $subGroups = get-adgroup -filter * -searchbase 'Different_OU_here'

List of usernames from HR system

  • $sourceUsers = get-content -path 'c:\temp\users.txt'

List of usernames from AD

  • $ADUserName = get-aduser -filter * -searchbase 'User_OU' -searchscope subtree | select -expandproperty SamAccountName

Empty array to store custom object/properties

  • $userObjEQ = @()

Compare HR to AD

  • $compareResults = compare-object -referenceobject $sourceUsers -differenceObject $ADUserName -IncludeEqual

  • Find group memberships of all matching users, create custom object, etc

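    foreach ($result in $compareResults) {
        # '==' marks usernames present in both the HR list and AD
        if ($result.SideIndicator -eq '==') {
            $groupMem = get-adprincipalgroupmembership -identity $result.InputObject
            # Record the user only when matched, so stale $groupMem values are never reused
            $userObjEQ += [pscustomobject] @{
                'UserName' = $result.InputObject
                'Groups'   = $groupMem.Name
            }
        }
    }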

From this point on, I want to compare every group from each matching user to the group name from the $mainGroups to see if there's a match. If there isn't then compare it to the $subGroups group names. If there's a match do nothing, if there's a mismatch, output the username along with any mismatched group names. Just not sure how best to compare these objects. Any hints will be appreciated.

2
  • So you have a List of Users. You want to get the ADGroups each user is in? Commented Jun 7, 2017 at 16:05
  • @ArcSet No sorry, I have a list of active users from our HR dept. I've stored the usernames from that list into the sourceUsers variable. Then I grabbed a list of usernames from active AD users. I compare both lists and extract only the usernames that match. What I did from there was grab a list of all groups that each matching user belongs to. What I want to do now is figure out how to compare each matching user's group to the groups found in the $mainGroups and $subGroups OU. Sorry if I'm not explaining it well. Commented Jun 7, 2017 at 16:49

1 Answer

1

If your groups are arrays, then use the -contains operator -- if they're not, make them arrays:

    foreach ($u in $users) {
        # memberof holds the DNs of the groups this user belongs to
        foreach ($groupdn in $u.memberof) {
            if ($mainGroups -contains $groupdn -or $subGroups -contains $groupdn) {
                ## do something when the users' group exists in the checked sub-groups
            }
        }
    }

...this assumes the $maingroups array is an array of group DNs...


1 Comment

nvm, I think I get what you're doing there. I modified the logic to match my current script and it seems to be doing what I want, so I will accept this as the answer.
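The report the question asks for (each matching user's groups that appear in neither $mainGroups nor $subGroups), as an added example that is not from the original posts. It compares group names rather than DNs and runs on constructed sample objects in place of live AD output; the function name Get-UnexpectedGroup and the MismatchedGroups property are hypothetical.

```powershell
# Constructed sample data standing in for Get-ADGroup and
# Get-ADPrincipalGroupMembership output (not real directory content).
$mainGroups = @(
    [pscustomobject]@{ Name = 'Finance-RW' }
    [pscustomobject]@{ Name = 'HR-Read' }
)
$subGroups = @(
    [pscustomobject]@{ Name = 'VPN-Users' }
)
$userObjEQ = @(
    [pscustomobject]@{ UserName = 'asmith'; Groups = @('Finance-RW', 'vpn-users') }
    [pscustomobject]@{ UserName = 'bjones'; Groups = @('HR-Read', 'Legacy-Admins', 'Domain Users') }
    [pscustomobject]@{ UserName = 'cdoe';   Groups = 'Old-Contractors' }  # one group: scalar, not array
    [pscustomobject]@{ UserName = 'dlee';   Groups = $null }              # no memberships recorded
)

# Hypothetical helper: emits one object per user who holds a group outside the allowed set.
function Get-UnexpectedGroup {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [Parameter(Mandatory)] [string[]] $AllowedGroupName
    )
    # One case-insensitive set covering both OUs, so 'vpn-users' matches 'VPN-Users'.
    $allowed = [System.Collections.Generic.HashSet[string]]::new(
        $AllowedGroupName, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($u in $User) {
        # @() normalises scalar and $null Groups values into an array before counting.
        $extra = @($u.Groups | Where-Object { $_ -and -not $allowed.Contains($_) })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{ UserName = $u.UserName; MismatchedGroups = $extra }
        }
    }
}

$allowedNames = @($mainGroups.Name) + @($subGroups.Name)
Get-UnexpectedGroup -User $userObjEQ -AllowedGroupName $allowedNames |
    Format-Table UserName, @{ n = 'MismatchedGroups'; e = { $_.MismatchedGroups -join ', ' } }
```

With the sample data, asmith and dlee produce no row, while bjones and cdoe are listed with the groups found in neither OU.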
