HKEY_LOCAL_MACHINE

Finding Common Active Directory Groups

Nothing fancy here. For a given set of usernames, we want to see which groups they all have in common.

Say you’ve got a list of 20 users and you need to find the common thread. Maybe you’re troubleshooting access, reviewing delegated permissions, or trying to understand why a particular right keeps appearing. The task is simple in theory: check every user’s group memberships and return only the groups that appear for every single one of them.

There are plenty of ways to approach this. The logic I landed on was straightforward: if we dump every user’s group names into one list, then any group that’s truly common between all users must appear exactly the same number of times as there are users being compared.

That thinking turns into something like this:

# Define array of usernames
$users = @("294808","296165","298287","296058","276710","25824","273156","277568","294933");

# Define list to hold all group names found
$groups = @();

# Loop through each username
foreach ($user in $users) {

	# Get the user's group memberships
	$usergroups = get-adprincipalgroupmembership $user

	# Append the list of group names to the master group list
	$groups = $groups + $usergroups.name;

}

# Group and count occurrences of each group name, keeping only those whose count matches the number of users
$groups | group-object | where {$_.count -eq $users.count} | sort name | select name

If your source list of users needs to come from Active Directory instead of a static array, the approach stays the same. You just swap out the username definition for a get-aduser query. This might come from asking something like “What groups do all of my admin accounts have in common?”.

The script then looks like this (assuming your admin account names all match ‘*admin*’):

# Get list of users from AD
$users = get-aduser -filter {samaccountname -like "*admin*"};

# Define list to hold all group names found
$groups = @();

# Loop through each username
foreach ($user in $users) {

	# Get the user's group memberships
	$usergroups = get-adprincipalgroupmembership $user.samaccountname

	# Append the list of group names to the master group list
	$groups = $groups + $usergroups.name;

}

# Group and count occurrences of each group name, keeping only those whose count matches the number of users
$groups | group-object | where {$_.count -eq $users.count} | sort name | select name
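The same idea as the two listings above, written as a set intersection instead of a tally, as an added example that is not the original post's code. It assumes the ActiveDirectory module and a reachable domain; the function name, the -Recursive switch and the sample usernames are my own. Keying on DistinguishedName rather than Name, deduplicating the input, and reporting accounts that fail to resolve avoid the cases where the count-based version silently returns nothing or the wrong groups; the -Recursive switch also covers nested membership, which Get-ADPrincipalGroupMembership alone does not.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory module (RSAT) and a domain connection.
Import-Module ActiveDirectory

function Get-CommonGroupMembership {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [switch] $Recursive   # also include nested (indirect) memberships
    )

    # Deduplicate first: a repeated name would inflate the count-based approach and hide real matches
    $names  = $SamAccountName | Sort-Object -Unique
    $common = $null
    $failed = @()

    foreach ($name in $names) {
        try {
            if ($Recursive) {
                # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the DC.
                # Note: this walks the member attribute, so the primary group (e.g. Domain Users) is not included,
                # and a DN containing ( ) * or \ would need LDAP filter escaping.
                $dn     = (Get-ADUser -Identity $name -ErrorAction Stop).DistinguishedName
                $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
            } else {
                # Direct memberships only (plus the primary group), same data the post's one-liner uses
                $groups = Get-ADPrincipalGroupMembership -Identity $name -ErrorAction Stop
            }
        } catch {
            # A bad username must not silently change the denominator; record it and keep going
            $failed += $name
            continue
        }
        # Key on DistinguishedName, which is unique, rather than on Name, which need not be
        $set = @($groups | ForEach-Object { $_.DistinguishedName })
        if ($null -eq $common) { $common = $set }
        else { $common = @($common | Where-Object { $set -contains $_ }) }
        if ($common.Count -eq 0) { break }   # nothing left in common, no point resolving the rest
    }

    if ($failed.Count -gt 0) {
        Write-Warning ("Skipped {0} account(s) that could not be resolved: {1}" -f $failed.Count, ($failed -join ', '))
    }
    $common | Sort-Object
}

# Sample usernames (constructed, same shape as the post's list)
Get-CommonGroupMembership -SamAccountName @("294808","296165","298287")
Get-CommonGroupMembership -SamAccountName @("294808","296165","298287") -Recursive
```

Compare the two calls: a group that appears only with -Recursive is one the users share through nesting, which is often the "why does this right keep appearing" answer the post is after.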
