A powerful PowerShell tool to analyze and compare security group memberships between Active Directory users. Features an enhanced visual interface with color-coded output, export capabilities, and robust error handling to streamline auditing and ensure consistent user permissions.
AD-GroupAnalyzer is a comprehensive PowerShell utility designed to simplify the process of comparing Active Directory security group memberships between users. Whether you're auditing permissions, troubleshooting access issues, or ensuring consistent group assignments across similar roles, this tool provides an intuitive, color-coded interface that makes the comparison process efficient and visually clear.
## Features

- Visual Enhancement: Color-coded output with formatted displays for easy readability
  - Cyan headers and section dividers
  - Green success messages
  - Red error indicators
  - Magenta highlighting for differences
  - Numbered, sorted group lists
- Flexible Comparison Options:
  - View groups unique to User1
  - View groups unique to User2
  - View shared groups between both users
  - Group count summaries
- Export Capabilities: Generate timestamped text reports of all comparisons, automatically saved to your Desktop
- Robust Error Handling:
  - Clear error messages for non-existent users
  - Automatic fallback to alternative retrieval methods
  - Option to retry with different users or exit gracefully
- User-Friendly Interface:
  - Interactive menu system
  - Ability to compare multiple user pairs without restarting
  - Screen clearing for fresh comparisons
  - Exit option available at any time
## Prerequisites

Active Directory Module: Ensure the Active Directory module is installed and available on your system. The script will automatically load this module.

### Using the Control Panel

- Open the Control Panel
- Go to Programs and Features
- Click Turn Windows features on or off
- Expand Remote Server Administration Tools
- Expand Role Administration Tools
- Expand AD DS and AD LDS Tools
- Select Active Directory Module for Windows PowerShell
- Click OK

### Using PowerShell

- Open PowerShell as Administrator
- Type the following command (the module ships with RSAT and is not published to the PowerShell Gallery, so `Install-Module ActiveDirectory` cannot fetch it; on Windows Server use `Install-WindowsFeature RSAT-AD-PowerShell` instead):

```powershell
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```

### Using Windows Server

- Open Server Manager
- Click Add Roles and Features
- Navigate to Features
- Expand Remote Server Administration Tools
- Expand Role Administration Tools
- Select AD DS and AD LDS Tools
- Complete the installation wizard
## Installation

- Download the `security-group-user-comparisons.ps1` script from this repository
- Ensure you have the Active Directory PowerShell module installed (see Prerequisites)
- Verify you have appropriate permissions to query Active Directory

## Usage

- Run the Script: Execute the `security-group-user-comparisons.ps1` script in your PowerShell environment.

  ```powershell
  .\security-group-user-comparisons.ps1
  ```
- Enter Usernames: You will be prompted to input the usernames of the two AD users you wish to compare

  ```text
  Enter the username of User1: jsmith
  Enter the username of User2: jdoe
  ```

- View Summary: The script displays a summary of total groups for each user

  ```text
  Summary:
  jsmith has 45 groups
  jdoe has 52 groups
  ```

- Choose an Option: The script provides an interactive menu with the following choices:
  - Option 1: Groups that User1 has but User2 doesn't
  - Option 2: Groups that User2 has but User1 doesn't
  - Option 3: Groups that both users share
  - Option 4: Export full comparison report to Desktop
  - Option 5: Compare different users (start over with new usernames)
  - Option 6: Exit the script
- View Results: Based on the option selected, the script displays formatted, numbered results with color coding

  ```text
  Groups ONLY in jsmith
  =====================
  Total: 5 group(s)
  1. Finance_Managers
  2. HR_Admin
  3. Payroll_Access
  4. Senior_Staff
  5. VPN_Power_Users
  ```
## Error Handling

The script includes comprehensive error handling for common scenarios.

If a username doesn't exist in Active Directory:

```text
✗ ERROR: User 'baduser' does not exist in Active Directory!
Would you like to try again with different users? (Y/N):
```

- Choose Y to clear the screen and enter new usernames
- Choose N to exit the script

If the primary group retrieval method fails, the script automatically attempts an alternative approach:

```text
→ Using alternative method for username...
```

This fallback mechanism ensures maximum compatibility across different Active Directory configurations.
## Export Report

The export feature (Option 4) creates a comprehensive text report containing:

- Timestamp of report generation
- Total group counts for each user
- Groups unique to User1
- Groups unique to User2
- Shared groups between both users

Export Location: Reports are automatically saved to your Desktop with the naming format:

```text
GroupComparison_User1_vs_User2_YYYYMMDD_HHMMSS.txt
```

Example: `GroupComparison_jsmith_vs_jdoe_20241117_143052.txt`
## Tips

- Permissions: Ensure the user account running the script has sufficient permissions to query Active Directory group memberships
- Multiple Comparisons: Use Option 5 to compare multiple user pairs in a single session without restarting the script
- Auditing: Export reports for documentation and compliance purposes
- Troubleshooting: If you encounter consistent errors, verify:
  - The Active Directory module is properly installed
  - You have network connectivity to domain controllers
  - Your account has read permissions in Active Directory
- Performance: The script handles users with large numbers of group memberships efficiently through optimized retrieval methods
## How It Works

- Module Loading: Automatically loads the Active Directory module before proceeding
- Fetching Group Memberships: Uses `Get-ADPrincipalGroupMembership` with automatic fallback to `Get-ADUser` with the `MemberOf` property
- Comparison Logic: Uses PowerShell's `Compare-Object` cmdlet for efficient group comparison
- User Interaction: Provides an intuitive, numbered menu system with visual feedback
- Error Recovery: Intelligent error handling with retry mechanisms for invalid usernames
- Data Presentation: Formats output with color coding, numbering, and sorting for optimal readability
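The retrieval-with-fallback, `Compare-Object` and report-naming steps above, reduced to two functions as an added illustration; this is not the project's own script. The function names `Get-UserGroupNames` and `Compare-UserGroups` are assumptions, and it assumes the ActiveDirectory module is installed and the caller can read AD.

```powershell
# Added example (not the project's script): the retrieval-with-fallback and
# Compare-Object approach described above, reduced to two functions.
# Assumes the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-UserGroupNames {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Fail on an unknown user up front rather than comparing against an empty list.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop
    try {
        # Primary method; also returns the primary group (usually Domain Users).
        $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop |
            Select-Object -ExpandProperty SamAccountName
    }
    catch {
        # Fallback: MemberOf holds the DNs of direct groups only (primary group excluded);
        # resolve each DN so both paths return the same property.
        Write-Host "-> Using alternative method for $SamAccountName..." -ForegroundColor Yellow
        $groups = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).SamAccountName }
    }
    # Both paths list DIRECT memberships only; nested group membership is not expanded,
    # so effective permissions can be broader than what is compared here.
    return @($groups | Sort-Object -Unique)
}

function Compare-UserGroups {
    param([Parameter(Mandatory)][string]$User1, [Parameter(Mandatory)][string]$User2)

    $g1 = Get-UserGroupNames $User1
    $g2 = Get-UserGroupNames $User2
    # -IncludeEqual keeps shared groups; SideIndicator says which side each name is on.
    $diff = Compare-Object -ReferenceObject $g1 -DifferenceObject $g2 -IncludeEqual

    [pscustomobject]@{
        OnlyUser1  = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        OnlyUser2  = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Shared     = @($diff | Where-Object SideIndicator -eq '==' | ForEach-Object InputObject)
        # Report path in the documented format, e.g. GroupComparison_jsmith_vs_jdoe_20241117_143052.txt
        ReportPath = Join-Path ([Environment]::GetFolderPath('Desktop')) `
            ('GroupComparison_{0}_vs_{1}_{2}.txt' -f $User1, $User2, (Get-Date -Format 'yyyyMMdd_HHmmss'))
    }
}

# Usernames are placeholders taken from the README's own examples.
$result = Compare-UserGroups -User1 'jsmith' -User2 'jdoe'
"Groups ONLY in jsmith ({0})" -f $result.OnlyUser1.Count
$result.OnlyUser1 | ForEach-Object -Begin { $i = 0 } -Process { $i++; "$i. $_" }
```

Because both retrieval paths return direct memberships only, treat the comparison as a difference in assigned groups, not in effective access.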
## License

This project is open source and available under the MIT License.

Questions or Issues? Please open an issue on the GitHub repository.