Did you ever want to compare the properties of AD users? Provided you have installed the RSAT tools, you can read individual AD users with Get-ADUser, but comparing their properties isn’t easy.
The function below makes it easier: it splits the AD user properties into individual objects that can be compared using Compare-Object:
```powershell
#requires -Version 3.0 -Modules ActiveDirectory

function Compare-User
{
    param
    (
        [Parameter(Mandatory)][String]
        $User1,

        [Parameter(Mandatory)][String]
        $User2,

        # optional list of attribute names to keep in the result
        [String[]]
        $Filter = $null
    )

    # turn each property of a user into its own Name/Value object
    function ConvertTo-Object
    {
        process
        {
            $user = $_
            $user.PropertyNames | ForEach-Object {
                [PSCustomObject]@{
                    Name     = $_
                    Value    = $user.$_
                    Identity = $user.SamAccountName
                }
            }
        }
    }

    $l1 = Get-ADUser -Identity $User1 -Properties * | ConvertTo-Object
    $l2 = Get-ADUser -Identity $User2 -Properties * | ConvertTo-Object

    # keep only properties that differ; $null goes on the left so the
    # test stays a plain null check when $Filter is an array
    Compare-Object -ReferenceObject $l1 -DifferenceObject $l2 -Property Name, Value |
        Sort-Object -Property Name |
        Where-Object { $null -eq $Filter -or $_.Name -in $Filter }
}
```
Here is what the output might look like:
```
PS C:\> Compare-User -User1 student1 -User2 administrator

Name                               Value
----                               -----
accountExpires                     0
accountExpires                     9223372036854775807
badPasswordTime                    131977150131836679
badPasswordTime                    131986685447368488
CanonicalName                      CCIE.LAN/Users/Administrator
CanonicalName                      CCIE.LAN/Users/student1
CN                                 Administrator
CN                                 student1
Created                            08.03.2019 10:31:50
Created                            02.04.2019 09:13:17
createTimeStamp                    08.03.2019 10:31:50
createTimeStamp                    02.04.2019 09:13:17
Description                        Built-in account for administering the computer/domain
Description
DistinguishedName                  CN=student1,CN=Users,DC=CCIE,DC=LAN
DistinguishedName                  CN=Administrator,CN=Users,DC=CCIE,DC=LAN
dSCorePropagationData              ...2019 10:47:56, 08.03.2019 10:32:47, 01.01.1601 19:12:16}
dSCorePropagationData              {02.04.2019 09:15:28, 01.01.1601 01:00:00}
isCriticalSystemObject             True
LastBadPasswordAttempt             22.03.2019 08:56:53
LastBadPasswordAttempt             02.04.2019 10:49:04
lastLogon                          131986622819726136
lastLogon                          131986685566131171
LastLogonDate                      02.04.2019 10:34:39
LastLogonDate                      02.04.2019 09:04:41
lastLogonTimestamp                 131986622819726136
lastLogonTimestamp                 131986676794218709
logonCount                         177
logonCount                         4
logonHours                         {255, 255, 255, 255...}
MemberOf                           ...CIE,DC=LAN, CN=Schema Admins,CN=Users,DC=CCIE,DC=LAN...}
MemberOf                           ...C=CCIE,DC=LAN, CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN}
Modified                           03.04.2019 11:26:30
Modified                           02.04.2019 09:04:41
modifyTimeStamp                    03.04.2019 11:26:30
modifyTimeStamp                    02.04.2019 09:04:41
msDS-User-Account-Control-Computed 8388608
msDS-User-Account-Control-Computed 0
Name                               Administrator
Name                               student1
ObjectGUID                         6f5d7164-33cf-440a-af8c-3e973a1f381a
ObjectGUID                         ffe12d2d-cfdd-41f6-8268-41c493786f90
objectSid                          S-1-5-21-2389183542-1750168592-3050041687-500
objectSid                          S-1-5-21-2389183542-1750168592-3050041687-1128
PasswordExpired                    True
PasswordExpired                    False
PasswordLastSet
PasswordLastSet                    08.03.2019 09:41:25
pwdLastSet                         0
pwdLastSet                         131965080857557947
SamAccountName                     student1
SamAccountName                     Administrator
SID                                S-1-5-21-2389183542-1750168592-3050041687-1128
SID                                S-1-5-21-2389183542-1750168592-3050041687-500
uSNChanged                         25764
uSNChanged                         24620
uSNCreated                         24653
uSNCreated                         8196
whenChanged                        02.04.2019 09:04:41
whenChanged                        03.04.2019 11:26:30
whenCreated                        08.03.2019 10:31:50
whenCreated                        02.04.2019 09:13:17
```
You can limit the output to only the attributes you are after, too:
```
PS C:\> Compare-User -User1 student1 -User2 administrator -Filter memberof, lastlogontime, logonCount, Name

Name       Value
----       -----
logonCount 177
logonCount 4
MemberOf   ...ise Admins,CN=Users,DC=CCIE,DC=LAN, CN=Schema Admins,CN=Users,DC=CCIE,DC=LAN...}
MemberOf   ...LAN, CN=Test1,CN=Users,DC=CCIE,DC=LAN, CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN}
Name       Administrator
Name       student1
```
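Multi-valued attributes such as MemberOf appear in the output as one truncated value per user, so you cannot see which groups actually differ. The following is an added example, not part of the original tip: it emits one row per element and labels each difference with the account that holds it. The function name Compare-UserMultiValue, its parameters, and the sample objects are constructed for illustration.

```powershell
#requires -Version 3.0
# Added example (not from the original tip): element-wise comparison of
# multi-valued attributes. All names below are illustrative assumptions.
function Compare-UserMultiValue
{
    param
    (
        [Parameter(Mandatory)] $User1,      # user object, e.g. from Get-ADUser
        [Parameter(Mandatory)] $User2,
        [String[]] $Property = 'MemberOf'   # attributes to expand
    )

    # emit one Name/Value row per element of each requested attribute
    function Expand-Value($User, [String[]] $Names)
    {
        foreach ($name in $Names)
        {
            # foreach skips $null, so an unset attribute yields no rows
            foreach ($item in $User.$name)
            {
                [PSCustomObject]@{ Name = $name; Value = [String]$item }
            }
        }
    }

    # @() keeps the arguments bindable even when a user has no values
    $rows1 = @(Expand-Value $User1 $Property)
    $rows2 = @(Expand-Value $User2 $Property)

    Compare-Object -ReferenceObject $rows1 -DifferenceObject $rows2 -Property Name, Value |
        ForEach-Object {
            # translate the side indicator into the account holding the value
            $owner = if ($_.SideIndicator -eq '<=') { $User1 } else { $User2 }
            [PSCustomObject]@{ Name = $_.Name; Value = $_.Value; OnlyOn = $owner.SamAccountName }
        } |
        Sort-Object -Property Name, Value
}

# Constructed sample objects so the example runs without a domain.
$u1 = [PSCustomObject]@{
    SamAccountName = 'student1'
    MemberOf       = @('CN=Test1,CN=Users,DC=CCIE,DC=LAN', 'CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN')
}
$u2 = [PSCustomObject]@{
    SamAccountName = 'Administrator'
    MemberOf       = @('CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN', 'CN=Schema Admins,CN=Users,DC=CCIE,DC=LAN')
}
Compare-UserMultiValue -User1 $u1 -User2 $u2
```

With real accounts, pass the result of `Get-ADUser -Identity <name> -Properties MemberOf` for each user. MemberOf lists direct memberships only and does not include the primary group, so a full privilege review needs those checked separately.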