Comparing Security Groups

Every environment has to deal with software upgrades. Sometimes, these upgrades can get messy. For example, we recently centralized on Adobe Photoshop Elements 11. We previously used a mixture of versions 2, 4, and 6. Every site (22 in total) had software deployment security groups for each version. We needed a way to compare members between the new security groups (including nested groups) and the old groups.

Sounds like a solution for PowerShell!

First, we need a way to compare the two security groups. To do this, we will use the compare-object cmdlet.

compare-object -ReferenceObject $(Get-QADGroupMember "Group 1" -type computer -Indirect) -DifferenceObject $(Get-QADGroupMember "Group 2" -type computer -Indirect) -IncludeEqual -ExcludeDifferent

The above line will take all computer accounts found in Group 1 (plus any nested groups) and compare them to all computer accounts found in Group 2 (plus any nested groups). Because of -IncludeEqual and -ExcludeDifferent, it will only show the computers that are in both groups.

The output will give us two columns. The first column (InputObject) will list the computer names and the second column (SideIndicator) will show what group the computer is in. A == sign in the second column means the computer is in both groups.

Now that we have our list, we can pipe it to any other command. This can enable you to migrate groups, remove duplicates, etc.
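As an added example (not code from the original post), the snippet below wraps the same Compare-Object idea in a function that returns all three buckets (in both, only in the old group, only in the new group) and runs it across every site's pair of groups. It assumes the Quest ActiveRoles cmdlets used above are loaded; the group naming scheme ("PSE 6 - Site 01", "PSE 11 - Site 01"), the Add-QADGroupMember call and its parameters are assumptions, not taken from the post. It compares on the distinguished name rather than the whole object so that two different objects with the same display name are never treated as equal, and it guards against an empty group, which Compare-Object refuses as a -ReferenceObject argument.

```powershell
# Added example, not from the original post. Assumes the Quest ActiveRoles AD
# cmdlets are loaded (Get-QADGroupMember as used above; Add-QADGroupMember and
# its -Identity/-Member parameters are assumed). Group names are placeholders.

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $OldGroup,   # e.g. "PSE 6 - Site 01"
        [Parameter(Mandatory)] [string] $NewGroup,   # e.g. "PSE 11 - Site 01"
        [string] $Type = 'computer'
    )

    # Resolve membership including nested groups (-Indirect), as in the post.
    $old = @(Get-QADGroupMember $OldGroup -Type $Type -Indirect)
    $new = @(Get-QADGroupMember $NewGroup -Type $Type -Indirect)

    # Compare-Object rejects an empty -ReferenceObject/-DifferenceObject array,
    # so handle a freshly created (still empty) group explicitly.
    if ($old.Count -eq 0 -or $new.Count -eq 0) {
        $inBoth = @(); $onlyOld = $old; $onlyNew = $new
    }
    else {
        # Compare on the distinguished name for a unique key; -PassThru keeps the
        # original objects and simply adds a SideIndicator property to each.
        $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new `
                               -Property DN -IncludeEqual -PassThru
        #   '=='  in both groups
        #   '<='  only in the reference (old) group  -> migration candidates
        #   '=>'  only in the difference (new) group -> already moved or added elsewhere
        $inBoth  = @($diff | Where-Object { $_.SideIndicator -eq '==' })
        $onlyOld = @($diff | Where-Object { $_.SideIndicator -eq '<=' })
        $onlyNew = @($diff | Where-Object { $_.SideIndicator -eq '=>' })
    }

    [pscustomobject]@{
        OldGroup  = $OldGroup
        NewGroup  = $NewGroup
        InBoth    = $inBoth
        OnlyInOld = $onlyOld
        OnlyInNew = $onlyNew
    }
}

# Run it for every site's pair of groups and build one summary report.
$sites  = 1..22 | ForEach-Object { '{0:D2}' -f $_ }   # "01".."22" (placeholder naming)
$report = foreach ($s in $sites) {
    $r = Compare-GroupMembership -OldGroup "PSE 6 - Site $s" -NewGroup "PSE 11 - Site $s"
    [pscustomobject]@{
        Site      = $s
        InBoth    = $r.InBoth.Count
        OnlyInOld = $r.OnlyInOld.Count
        OnlyInNew = $r.OnlyInNew.Count
    }
    # Migration step: add whatever is still only in the old group to the new one.
    # -WhatIf previews the change; drop it once the report has been reviewed.
    if ($r.OnlyInOld.Count -gt 0) {
        Add-QADGroupMember -Identity "PSE 11 - Site $s" -Member $r.OnlyInOld -WhatIf
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path .\group-compare.csv -NoTypeInformation
```

Keeping the comparison in a function that returns objects, rather than printing them, is what makes the "pipe it to any other command" step practical: the OnlyInOld bucket feeds the migration, the InBoth bucket is the duplicate list, and the CSV gives you a record of what each group looked like before anything was changed.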