
Active Directory User and Group Reporting: Groups with same direct members

June 10, 2015 | blog | wp_admin

One way of getting rid of redundant groups is to find groups whose membership is the same or nearly the same. The simplest case is when the list of direct members of one group exactly matches the list of direct members of another group.

Groups with the same direct members are not always a bad practice, but they definitely need review. As a result of this review, one or several of such groups may be declared duplicates. In that case every reference to a duplicate group (nesting in other groups, ACLs, GPO security filtering, application configuration) must be replaced with a reference to the group that is kept. Not only will this simplify ongoing management of the remaining groups, it also reduces the risk of "token bloat": every group a user belongs to adds a SID to the user's access token and Kerberos ticket, and an oversized token causes logon and authentication failures. Note that matching members does not make two groups interchangeable; a distribution group cannot carry permissions, and groups of different scope (global, domain local, universal) have different membership and usage rules, so compare category and scope before consolidating.
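The review and consolidation step described above, as an added example that is not part of the original post. It assumes the ActiveDirectory module and takes the distinguished names reported by the duplicate finder; the DNs in the usage lines at the bottom are the ones from the sample output further down and are illustrative. `Compare-DuplicateGroups` shows category, scope and how many parent groups reference each candidate; `Merge-DuplicateGroup` re-points parent groups from the duplicate to the survivor, refusing to merge groups of different category or scope, and runs in `-WhatIf` mode unless `-Commit` is given.

```powershell
# Added example (not from the original post): review a set of groups that the
# duplicate finder reported, then re-point parent groups from the duplicate to
# the group you decide to keep. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Compare-DuplicateGroups {
    # Same direct members does not mean interchangeable: a Distribution group cannot
    # carry permissions, and Global/DomainLocal/Universal scope decides who may be a
    # member and where the group can be used. Show those facts side by side.
    param([Parameter(Mandatory)] [string[]] $GroupDN)

    foreach ($dn in $GroupDN) {
        $g = Get-ADGroup -Identity $dn -Properties member, memberOf, Description, whenChanged
        [pscustomobject]@{
            Name          = $g.Name
            Category      = $g.GroupCategory
            Scope         = $g.GroupScope
            DirectMembers = @($g.member).Count
            NestedIn      = @($g.memberOf).Count     # parent groups that reference this group
            LastChanged   = $g.whenChanged
            Description   = $g.Description
        }
    }
}

function Merge-DuplicateGroup {
    # Replace every parent-group reference to $RemoveDN with a reference to $KeepDN.
    # Dry run by default: pass -Commit to actually change Active Directory.
    param(
        [Parameter(Mandatory)] [string] $KeepDN,
        [Parameter(Mandatory)] [string] $RemoveDN,
        [switch] $Commit
    )

    $keep   = Get-ADGroup -Identity $KeepDN   -Properties memberOf
    $remove = Get-ADGroup -Identity $RemoveDN -Properties memberOf

    # Refuse to merge groups of different category or scope; that needs a human decision.
    if ($keep.GroupCategory -ne $remove.GroupCategory -or $keep.GroupScope -ne $remove.GroupScope) {
        throw ("Category/scope mismatch: {0} is {1}/{2}, {3} is {4}/{5}" -f
            $keep.Name, $keep.GroupCategory, $keep.GroupScope,
            $remove.Name, $remove.GroupCategory, $remove.GroupScope)
    }

    # Every parent group that contains the duplicate must contain the survivor instead.
    foreach ($parentDN in $remove.memberOf) {
        if ($keep.memberOf -notcontains $parentDN) {
            Add-ADGroupMember -Identity $parentDN -Members $keep -WhatIf:(-not $Commit)
        }
        Remove-ADGroupMember -Identity $parentDN -Members $remove -Confirm:$false -WhatIf:(-not $Commit)
    }

    # memberOf only covers nesting in other groups in this domain. ACLs on files, shares
    # and AD objects, GPO security filtering and application configuration that name
    # $RemoveDN must be found and updated separately before the duplicate is deleted.
}

# Usage with groups from the sample output (illustrative DNs, dry run only):
Compare-DuplicateGroups -GroupDN 'CN=group1,OU=Groups,DC=toronto,DC=local',
                                 'CN=distrib_group1,OU=Development,DC=toronto,DC=local' |
    Format-Table -AutoSize
Merge-DuplicateGroup -KeepDN   'CN=Admins,OU=Groups,DC=toronto,DC=local' `
                     -RemoveDN 'CN=PrivAccess,OU=Groups,DC=toronto,DC=local'
```

Run the merge without `-Commit` first and read the `What if:` lines; only when every parent group listed is one you expect should the same command be repeated with `-Commit`. Deleting the duplicate group is deliberately left out, since references outside group nesting still have to be checked by hand.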

Here is a PowerShell code snippet that finds groups with matching direct members.

# Load every group that has at least one direct member, together with its member attribute.
# Empty groups are skipped on purpose: they would all "match" each other.
$groups = Get-ADGroup -Filter { member -like "*" } -Properties member

$map = @{}
foreach ($group in $groups) {
    # Sort the member DNs so the key does not depend on the order AD returns them in
    $key = ($group.member | Sort-Object) -join ';'
    if ($map.ContainsKey($key)) {
        $map[$key] += @($group)
    }
    else {
        $map[$key] = @($group)
    }
}

# Emit one line per set of groups that share exactly the same direct members
$map.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [string]$_.Value }


Like in the previous post about circular nested groups, this script loads all Active Directory groups first. Use the -SearchBase parameter (optionally together with -SearchScope) to limit the set of groups that will be examined. Depending on the number of groups under investigation, and on the size of their member lists, the script may take a significant amount of time and CPU.

Once the groups have been fetched, the script builds a hashtable keyed by membership. The sorted, joined list of member distinguished names serves as the key; sorting matters because Active Directory does not guarantee the order of the member attribute, and two groups with the same members listed in a different order must still produce the same key. When another group with the same list of direct members is found, the lookup hits the existing key and the group is appended to that entry.

The output of this script is one line per set, where each set lists the distinguished names of groups whose direct members match (long lines wrap in the console). The names are separated by spaces, so a distinguished name that itself contains spaces, such as CN=Domain Admins, needs care if the output is parsed further. Here is an example of the script output:

CN=Admins,OU=Groups,DC=toronto,DC=local CN=PrivAccess,OU=Groups,DC=toronto,DC=local CN=All_Admins,OU=Groups,DC=toronto,DC=local
CN=group1,OU=Groups,DC=toronto,DC=local CN=distrib_group1,OU=Development,DC=toronto,DC=local
