Comparing Exchange security group members and Active Directory group members
-
Friday, March 02, 2012 22:00
Background:
A while back I added a user to a mail-enabled security group from Active Directory, which caused the user to not receive emails from that group since I was supposed to add it from Exchange instead of AD. I corrected my mistake, but want to double-check all mail-enabled security groups to ensure I didn't make any mistakes elsewhere.
What I'm looking for:
There are 30-40 of these mail-enabled security groups and up to 100 members per group, so I was looking for an easy way to compare members of the distribution group in Exchange, and the members of the group in Active Directory. I really don't want to go through and do this manually through the console - it will probably be better if I can get both lists into CSVs and use Excel to sort them and compare them.
I'm new-ish to PowerShell, so I'm not fully aware of what it is capable of. So far I can only think to use Get-DistributionGroupMember to grab the members of one group.
Questions:
- Is there a way to automate this 'for each' mail-enabled security group?
- What is the equivalent command in Active Directory PS?
- Any simpler ideas of how to do this?
Edit - Also, I should mention I'm using Exchange 2007
- Edited by ElizabethCEE2010 Friday, March 02, 2012 22:01 additional info
All replies
-
Saturday, March 03, 2012 05:17
This kind of comparison is difficult. It is easy to check that a user exists in both groups, but there are 3 more options.
1. User exists in Group A, but not Group B
2. User exists in Group B, but not Group A
3. User does not exist in either Group A or Group B.
Grant Ward, a.k.a. Bigteddy
-
Saturday, March 03, 2012 07:10
I've been helped so many times by this forum that I thought I would at least try to give you an idea to play with. It sounds like you already have the Exchange cmdlets installed. You will need the Quest cmdlets installed for this code. If the code helps you out at all I can send you the code to save it to Excel and delete rows based on keywords to help with making the data more manageable, but I really don't know if the code will help at all so I didn't want to dump it all on you at once.
cls
# For every distribution group, print each member followed by the groups that member belongs to
Get-DistributionGroup | % {
    $DistributionGroupName = $_.Name
    $Members = Get-DistributionGroupMember -Identity $DistributionGroupName | select Name
    foreach ($Member in $Members) {
        $DistributionGroupName
        $Member.Name
        # Get-QADMemberOf is one of the Quest cmdlets mentioned above
        Get-QADMemberOf $Member.Name | select Name
        Write-Host ""
    }
}
- Edited by mario.exe Saturday, March 03, 2012 07:10 copied and pasted code twice by accident
-
Saturday, March 03, 2012 15:40
Hi,
I don't know if I understand correctly what's going on, but try this:
# Members of the AD group, by name
$GroupA = "your group"
$ADGroupMember = Get-ADGroup $GroupA -Properties member | select -ExpandProperty member | Get-ADUser | select -exp Name
# Compare them with the members of every distribution group
$ExGroup = Get-DistributionGroup
Foreach ($Group in $ExGroup) {
    $GroupB = $Group.Name
    $ExGroupMember = Get-DistributionGroupMember $GroupB | select -exp name
    Compare-Object $ADGroupMember $ExGroupMember -IncludeEqual | select @{l="GroupA";e={$GroupA}}, @{l="GroupB";e={$GroupB}}, *
}
If == exists in both
If => exists only in groupB
If <= exists only in groupA
- Proposed as answer by Bigteddy (Microsoft Community Contributor) Monday, March 05, 2012 17:59
-
Monday, March 05, 2012 16:32
I'm not sure I explained myself very clearly, so I'm going to explain again in case it changes your answers.
I want to compare members of a group "Staff" in Exchange and in Active Directory. They should be equal. When I add a member of a mail-enabled security group in AD instead of Exchange, it doesn't add the member to the Exchange group; however, if I add a member to the same Exchange group, it adds them to the AD Group, no problem. Again, I'm only talking about one group "Staff".
So, a simple example of what I want (just for one group), is this:
In the group "Staff" get a list of members in the Active directory group
In the group "Staff" get a list of members in the Exchange group
And lastly, I need to manually or automatically compare the two lists. They should be the same, but if not, the active directory group will probably be larger.
I need to do this for every group, but there are only 30-40, so if I need to do them one-by-one it's not a huge deal.
I hope that helps - not sure if it changes your answers or not.
-
Monday, March 05, 2012 16:37
By "Exchange groups", I assume you mean "Distribution group"?
There are basically two types of group in AD: Distribution, and Security. But these are both AD groups. So when you refer to AD groups vs. Exchange groups, it gets a bit confusing.
Grant Ward, a.k.a. Bigteddy
-
Tuesday, March 06, 2012 16:09
It is a Mail-Enabled Universal Security Group in Exchange
It looks like I don't have the Get-ADGroup cmdlet available.
The term 'Get-ADGroup' is not recognized as the name of a cmdlet, function, scr
ipt file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:29
+ $ADGroupMember = Get-ADGroup <<<< $GroupA -Properties member | select -Expan
dProperty member | Get-ADUser | select -exp Name
+ CategoryInfo : ObjectNotFound: (Get-ADGroup:String) [], Command
NotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
- Edited by ElizabethCEE2010 Tuesday, March 06, 2012 16:12
- Edited by ElizabethCEE2010 Tuesday, March 06, 2012 16:20
-
Tuesday, March 06, 2012 16:12
In that case, Michal's answer should suit. Give it a try. It looks to me like what you are looking for.
Grant Ward, a.k.a. Bigteddy
-
Tuesday, March 06, 2012 16:14
By the way, it's not in Exchange. It's in Active Directory. Yes, it shows in the Exchange GAL, but that's what's supposed to happen when it is mail-enabled. Exchange does not have groups, period.
Grant Ward, a.k.a. Bigteddy
- Marked as answer by Yan Li_Microsoft Contingent Staff, Moderator Friday, March 09, 2012 01:24
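
Added example, not part of any post in this thread: one way to run the per-group comparison the original question asks for on a host where Get-ADGroup is not available. It reads each group's member attribute through the [ADSI] accelerator and compares it, by distinguished name, with what Get-DistributionGroupMember returns. The output path and the helper name New-DiffRow are hypothetical, and the assumptions are listed in the opening comments.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions: every group is below the AD range-retrieval limit for the
# member attribute, and no group DN contains '/' (needs escaping in ADSI paths).
# Nested groups are compared as one member DN; they are not expanded.
$OutFile = '.\GroupMembershipDiff.csv'   # hypothetical output path

function New-DiffRow($Group, $MemberDN, $FoundOnlyIn) {
    # Select-Object on an empty string builds a custom row on any PowerShell version
    $row = '' | Select-Object Group, MemberDN, FoundOnlyIn
    $row.Group = $Group
    $row.MemberDN = $MemberDN
    $row.FoundOnlyIn = $FoundOnlyIn
    $row
}

$groups = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' }

$diff = @($(foreach ($g in $groups) {
    $dn = [string]$g.DistinguishedName

    # View 1: the group's member attribute read directly from Active Directory
    $adDns = @(([ADSI]"LDAP://$dn").member | ForEach-Object { [string]$_ })

    # View 2: the membership as the Exchange cmdlet reports it
    $exDns = @(Get-DistributionGroupMember -Identity $dn -ResultSize Unlimited |
        ForEach-Object { [string]$_.DistinguishedName })

    # Manual set difference (case-insensitive). Compare-Object is avoided
    # because it rejects an empty collection, which an empty group produces.
    foreach ($m in $adDns) {
        if ($exDns -notcontains $m) { New-DiffRow $g.Name $m 'AD member attribute' }
    }
    foreach ($m in $exDns) {
        if ($adDns -notcontains $m) { New-DiffRow $g.Name $m 'Get-DistributionGroupMember' }
    }
}))

if ($diff.Count -eq 0) {
    'No differences: both views agree for every mail-enabled security group.'
} else {
    $diff | Export-Csv -Path $OutFile -NoTypeInformation
    $diff | Format-Table -AutoSize
}
```

The CSV has one row per member that appears in only one of the two views, so it can be sorted by group in Excel as the question describes.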