Putting exactly the same members into different groups is not the only way to create duplicate groups. Because Active Directory allows nested groups, two seemingly different groups might end up having the same “effective” user members. Consider this simple example:
GroupA                      GroupB
 |-- GroupAA                 |-- GroupBB
 |    '-- UserA              |    '-- UserB
 '-- UserB                   '-- UserA
GroupA and GroupB have totally different direct members. However, when membership of nested groups GroupAA and GroupBB is expanded, the list of resulting user members starts to match!
Groups that have the same effective members should be closely examined to see if some of them are redundant. Following this best practice makes your access control policies more transparent and error-proof.
Unfortunately, there is no easy way to detect groups with the same effective members using native tools. Accomplishing this with a PowerShell script is challenging but possible. When devising such a script, consider the following:
1. The script has to fetch every Active Directory group along with the full list of its members.
2. For every Active Directory group that has a nested group, another query has to be executed to get the list of the nested group members.
3. While expanding nested group members, make sure to check for circular groups to avoid infinite recursion.
4. Since all groups and their nested members have to be queried, the script might consume a lot of RAM and CPU. Run the script on a computer with adequate system resources.
5. Depending on the number of nested groups, the script might issue a lot of LDAP queries to a domain controller. It is recommended to limit the scope of the group comparison to selected OUs and to run the script during non-business hours to minimize the impact on domain controllers.
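The steps above, as an added PowerShell example that is not part of the original post: it expands nested membership recursively with a visited set that stops circular groups, then keys every group by its sorted effective member list so groups with identical effective members fall into the same bucket. The group data is a constructed in-memory table (including the GroupA/GroupB case from the diagram and a deliberately circular GroupC); the hypothetical Get-DirectMembers function is the only place that would change for a real domain, where it would call Get-ADGroup with -Properties member (and -SearchBase to restrict the scope to selected OUs).

```powershell
# Added example, not the original post's code. $Directory is a constructed
# group -> direct members table standing in for LDAP queries.
$Directory = @{
    'GroupA'  = @('GroupAA', 'UserB')
    'GroupAA' = @('UserA')
    'GroupB'  = @('GroupBB', 'UserA')
    'GroupBB' = @('UserB')
    'GroupC'  = @('GroupA', 'GroupC')   # self-reference: a circular group
    'GroupD'  = @('UserC')
}

# Hypothetical lookup; in a real domain this would be
# (Get-ADGroup -Identity $Name -Properties member).member
function Get-DirectMembers([string]$Name) {
    if ($Directory.ContainsKey($Name)) { return $Directory[$Name] }
    return @()
}

function Get-EffectiveUsers {
    param([string]$Name, [System.Collections.Generic.HashSet[string]]$Visited)
    if ($null -eq $Visited) { $Visited = New-Object 'System.Collections.Generic.HashSet[string]' }
    $users = New-Object 'System.Collections.Generic.HashSet[string]'
    # Cycle guard: a group already expanded in this traversal is never entered again.
    if (-not $Visited.Add($Name)) { return $users }
    foreach ($m in Get-DirectMembers $Name) {
        if ($Directory.ContainsKey($m)) {
            # Nested group: recurse and merge its users into ours.
            foreach ($u in (Get-EffectiveUsers -Name $m -Visited $Visited)) { [void]$users.Add($u) }
        } else {
            [void]$users.Add($m)   # leaf object (user)
        }
    }
    return $users
}

function Find-DuplicateGroups {
    $byMembers = @{}
    foreach ($g in $Directory.Keys) {
        # The sorted, joined effective member list is the comparison key.
        $key = ((Get-EffectiveUsers -Name $g) | Sort-Object) -join ';'
        if (-not $byMembers.ContainsKey($key)) { $byMembers[$key] = @() }
        $byMembers[$key] += $g
    }
    foreach ($k in $byMembers.Keys) {
        if ($byMembers[$k].Count -gt 1) {
            [pscustomobject]@{ EffectiveMembers = $k; Groups = ($byMembers[$k] | Sort-Object) -join ', ' }
        }
    }
}

Find-DuplicateGroups | Format-Table -AutoSize
```

With the constructed data, GroupA, GroupB and GroupC are reported together under the effective member key "UserA;UserB", while GroupD is not reported because no other group shares its members.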
Now, happy scripting!