Comparing Exchange security group members and Active Directory group members


  • Background:
    A while back I added a user to a mail-enabled security group from active directory, which caused the user to not receive emails from that group since I was supposed to add it from Exchange instead of AD.  I corrected my mistake, but want to double-check all mail-enabled security groups to ensure I didn't make any mistakes elsewhere.

    What I'm looking for:
    There are 30-40 of these mail-enabled security groups and up to 100 members per group, so I was looking for an easy way to compare members of the distribution group in Exchange, and the members of the group in Active Directory.  I really don't want to go through and do this manually through the console - it will probably be better if I can get both lists into CSVs and use Excel to sort them and compare them.

    I'm new-ish to PowerShell, so I'm not fully aware of what it is capable of.  So far I can only think to use Get-DistributionGroupMember to grab the members of one group.


    • Is there a way to automate this 'for each' mail-enabled security group?
    • What is the equivalent command in Active Directory PS?
    • Any simpler ideas of how to do this?

    Edit - Also, I should mention I'm using Exchange 2007

    • Edited by ElizabethCEE2010 Friday, March 02, 2012 22:01 additional info
    Friday, March 02, 2012 22:00


All replies

  • This kind of comparison is difficult.  It is easy to check that a user exists in both groups, but there are 3 more options. 

    1. User exists in Group A, but not Group B

    2. User exists in Group B, but not Group A

    3. User does not exist in either Group A or Group B.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Saturday, March 03, 2012 05:17
  • I've been helped so many times by this forum that I thought I would at least try to give you an idea to play with. It sounds like you already have the Exchange cmdlets installed. You will need the Quest cmdlets installed for this code. If the code helps you out at all I can send you the code to save it to Excel and delete rows based on keywords to help with making the data more manageable, but I really don't know if the code will help at all so I didn't want to dump it all on you at once.


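    # Requires the Exchange Management Shell and the Quest ActiveRoles AD cmdlets
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    Get-DistributionGroup | % {
        $DistributionGroupName = $_.Name

        # Members of this group as returned by Exchange
        $Members = Get-DistributionGroupMember -Identity $DistributionGroupName | select Name

        foreach ($Member in $Members) {
            # Groups this member belongs to, as returned by the Quest AD cmdlets
            Get-QADMemberOf $Member.Name | select Name
            Write-Host ""
        }
    }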



    • Edited by mario.exe Saturday, March 03, 2012 07:10 copied and pasted code twice by accident
    Saturday, March 03, 2012 07:10
  • Hi,

    I don't know if I understand correctly what's going on, but try this:

    Import-Module ActiveDirectory   # provides Get-ADGroup and Get-ADUser

    $GroupA = "your group"
    # Member names of GroupA as returned by Active Directory
    $ADGroupMember = Get-ADGroup $GroupA -Properties member | select -ExpandProperty member | Get-ADUser | select -exp Name
    $ExGroup = Get-DistributionGroup
    Foreach($Group in $ExGroup)
    {
     $GroupB =  $Group.Name
     # Member names of GroupB as returned by Exchange
     $ExGroupMember = Get-DistributionGroupMember $GroupB | select -exp name
     Compare-Object $ADGroupMember $ExGroupMember -IncludeEqual | select @{l="GroupA";e={$GroupA}}, @{l="GroupB";e={$GroupB}}, *
    }

    If == exists in both
    If => exists only in groupB
    If <= exists only in groupA

    • Proposed as answer by Bigteddy Monday, March 05, 2012 17:59
    Saturday, March 03, 2012 15:40
  • I'm not sure I explained myself very clearly, so I'm going to explain again in case it changes your answers.

    I want to compare members of a group "Staff" in Exchange and in Active Directory.  They should be equal.  When I add a member of a mail-enabled security group in AD instead of Exchange, it doesn't add the member to the Exchange group; however, if I add a member to the same Exchange group, it adds them to the AD Group, no problem.  Again, I'm only talking about one group "Staff"

    So, a simple example of what I want (just for one group), is this:
    In the group "Staff" get a list of members in the Active directory group
    In the group "Staff" get a list of members in the Exchange group

    And lastly, I need to manually or automatically compare the two lists.  They should be the same, but if not, the active directory group will probably be larger.

    I need to do this for every group, but there are only 30-40, so if I need to do them one-by-one it's not a huge deal.

    I hope that helps - not sure if it changes your answers or not. 

    Monday, March 05, 2012 16:32
  • By "Exchange groups", I assume you mean "Distribution group"?

    There are basically two types of group in AD: Distribution, and Security.  But these are both AD groups.  So when you refer to AD groups vs. Exchange groups, it gets a bit confusing.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, March 05, 2012 16:37
  • It is a Mail-Enabled Universal Security Group in Exchange

    It looks like I don't have the Get-ADGroup cmdlet available.

    The term 'Get-ADGroup' is not recognized as the name of a cmdlet, function, scr
    ipt file, or operable program. Check the spelling of the name, or if a path was
     included, verify that the path is correct and try again.
    At line:1 char:29
    + $ADGroupMember = Get-ADGroup <<<<  $GroupA -Properties member | select -Expan
    dProperty member | Get-ADUser | select -exp Name
        + CategoryInfo          : ObjectNotFound: (Get-ADGroup:String) [], Command
        + FullyQualifiedErrorId : CommandNotFoundException

    Tuesday, March 06, 2012 16:09
  • In that case, Michal's answer should suit.  Give it a try.  It looks to me like what you are looking for.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Tuesday, March 06, 2012 16:12
  • By the way, it's not in Exchange.  It's in Active Directory.  Yes, it shows in the Exchange GAL, but that's what's supposed to happen when it is mail-enabled.  Exchange does not have groups, period.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    • Marked as answer by Yan Li_Moderator Friday, March 09, 2012 01:24
    Tuesday, March 06, 2012 16:14
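
The per-group comparison asked for in this thread, written for a shell where Get-ADGroup is not available. This is an added example, not code from any poster in the thread. It reads each group's member attribute through the [ADSI] accelerator and compares distinguished names with what Get-DistributionGroupMember returns. The function name Compare-MemberList and the output path C:\Temp\GroupMemberDiff.csv are assumptions made for illustration.

```powershell
# Added example: run in the Exchange Management Shell (PowerShell 2.0).
# Compare-MemberList and the CSV path are hypothetical names, not from the thread.

function Compare-MemberList {
    param([string]$Group, [string[]]$AdMembers, [string[]]$ExMembers)

    # PowerShell hashtable literals compare keys case-insensitively,
    # which matches how distinguished names are compared.
    $ad = @{}; foreach ($m in $AdMembers) { if ($m) { $ad[$m] = $true } }
    $ex = @{}; foreach ($m in $ExMembers) { if ($m) { $ex[$m] = $true } }

    foreach ($dn in $ad.Keys) {
        if (-not $ex.ContainsKey($dn)) {
            New-Object PSObject -Property @{ Group = $Group; Member = $dn; FoundIn = 'AD only' }
        }
    }
    foreach ($dn in $ex.Keys) {
        if (-not $ad.ContainsKey($dn)) {
            New-Object PSObject -Property @{ Group = $Group; Member = $dn; FoundIn = 'Exchange only' }
        }
    }
}

$report = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' } |
    ForEach-Object {
        $dn = $_.DistinguishedName

        # Direct members from the directory object itself. Groups with more than
        # 1500 members need ranged retrieval, which this sketch does not do.
        $adMembers = @(([ADSI]"LDAP://$dn").member)

        # Direct members as the Exchange cmdlet reports them
        $exMembers = @(Get-DistributionGroupMember -Identity $dn -ResultSize Unlimited |
            ForEach-Object { $_.DistinguishedName })

        Compare-MemberList -Group $_.Name -AdMembers $adMembers -ExMembers $exMembers
    }

# One row per mismatch; an empty file means both lists agreed for every group.
$report | Select-Object Group, Member, FoundIn |
    Export-Csv C:\Temp\GroupMemberDiff.csv -NoTypeInformation
```

Both lists hold direct members only, so a nested group shows up as one entry rather than being expanded. A distinguished name containing a forward slash must be escaped before it is used in the LDAP:// path.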