Compare AD User

by May 10, 2019

Did you ever want to compare the properties of ADUsers? Provided you have installed the RSAT tools, you can read individual AD users with Get-ADUser, but comparing their properties isn’t easy.

Except when you use below function: it basically splits up AD user properties into individual objects that can be compared using Compare-Object:

#requires -Version 3.0 -Modules ActiveDirectory

function Compare-User
{
    param
    (
        [Parameter(Mandatory)][String]
        $User1,

        [Parameter(Mandatory)][String]
        $User2,
        
        [String[]]
        $Filter =$null
    )


    function ConvertTo-Object
    {
  
        process
        {
            $user = $_
            $user.PropertyNames | ForEach-Object {
                [PSCustomObject]@{
                    Name = $_
                    Value = $user.$_
                    Identity = $user.SamAccountName
                }
            }
        }
    }

    $l1 = Get-ADUser -Identity $User1 -Properties * | ConvertTo-Object
    $l2 = Get-ADUser -Identity $User2 -Properties * | ConvertTo-Object

    Compare-Object -Ref $l1 -Dif $l2 -Property Name, Value | 
        Sort-Object -Property Name |
        Where-Object {
            $Filter -eq $null -or $_.Name -in $Filter
        }
}

Here is what the output might look like:

 

PS C:\> Compare-User -User1 student1 -User2 administrator

Name                                                                                     Value
----                                                                                     -----
accountExpires                                                                               0
accountExpires                                                             9223372036854775807
badPasswordTime                                                             131977150131836679
badPasswordTime                                                             131986685447368488
CanonicalName                                                     CCIE.LAN/Users/Administrator
CanonicalName                                                          CCIE.LAN/Users/student1
CN                                                                               Administrator
CN                                                                                    student1
Created                                                                    08.03.2019 10:31:50
Created                                                                    02.04.2019 09:13:17
createTimeStamp                                                            08.03.2019 10:31:50
createTimeStamp                                                            02.04.2019 09:13:17
Description                             Built-in account for administering the computer/domain
Description                                                                                   
DistinguishedName                                          CN=student1,CN=Users,DC=CCIE,DC=LAN
DistinguishedName                                     CN=Administrator,CN=Users,DC=CCIE,DC=LAN
dSCorePropagationData              ...2019 10:47:56, 08.03.2019 10:32:47, 01.01.1601 19:12:16}
dSCorePropagationData                               {02.04.2019 09:15:28, 01.01.1601 01:00:00}
isCriticalSystemObject                                                                    True
LastBadPasswordAttempt                                                     22.03.2019 08:56:53
LastBadPasswordAttempt                                                     02.04.2019 10:49:04
lastLogon                                                                   131986622819726136
lastLogon                                                                   131986685566131171
LastLogonDate                                                              02.04.2019 10:34:39
LastLogonDate                                                              02.04.2019 09:04:41
lastLogonTimestamp                                                          131986622819726136
lastLogonTimestamp                                                          131986676794218709
logonCount                                                                                 177
logonCount                                                                                   4
logonHours                                                             {255, 255, 255, 255...}
MemberOf                           ...CIE,DC=LAN, CN=Schema Admins,CN=Users,DC=CCIE,DC=LAN...}
MemberOf                           ...C=CCIE,DC=LAN, CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN}
Modified                                                                   03.04.2019 11:26:30
Modified                                                                   02.04.2019 09:04:41
modifyTimeStamp                                                            03.04.2019 11:26:30
modifyTimeStamp                                                            02.04.2019 09:04:41
msDS-User-Account-Control-Computed                                                     8388608
msDS-User-Account-Control-Computed                                                           0
Name                                                                             Administrator
Name                                                                                  student1
ObjectGUID                                                6f5d7164-33cf-440a-af8c-3e973a1f381a
ObjectGUID                                                ffe12d2d-cfdd-41f6-8268-41c493786f90
objectSid                                        S-1-5-21-2389183542-1750168592-3050041687-500
objectSid                                       S-1-5-21-2389183542-1750168592-3050041687-1128
PasswordExpired                                                                           True
PasswordExpired                                                                          False
PasswordLastSet                                                                               
PasswordLastSet                                                            08.03.2019 09:41:25
pwdLastSet                                                                                   0
pwdLastSet                                                                  131965080857557947
SamAccountName                                                                        student1
SamAccountName                                                                   Administrator
SID                                             S-1-5-21-2389183542-1750168592-3050041687-1128
SID                                              S-1-5-21-2389183542-1750168592-3050041687-500
uSNChanged                                                                               25764
uSNChanged                                                                               24620
uSNCreated                                                                               24653
uSNCreated                                                                                8196
whenChanged                                                                02.04.2019 09:04:41
whenChanged                                                                03.04.2019 11:26:30
whenCreated                                                                08.03.2019 10:31:50
whenCreated                                                                02.04.2019 09:13:17
 

You can limit the output to only the attributes you are after, too:

 
PS C:\> Compare-User -User1 student1 -User2 administrator -Filter memberof, lastlogontime, logonCount, Name

Name                                                                                     Value
----                                                                                     -----
logonCount                                                                                 177
logonCount                                                                                   4
MemberOf   ...ise Admins,CN=Users,DC=CCIE,DC=LAN, CN=Schema Admins,CN=Users,DC=CCIE,DC=LAN...}
MemberOf   ...LAN, CN=Test1,CN=Users,DC=CCIE,DC=LAN, CN=Domain Admins,CN=Users,DC=CCIE,DC=LAN}
Name                                                                             Administrator
Name                                                                                  student1
 

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!