AD group comparison - PowerShell

Question

When using the following function (compare 2 user's group membership), I get results that do not make sense.

function Compare-ADUserGroups
{ #requires -pssnapin Quest.ActiveRoles.ADManagement

param (
 [string] $FirstUser = $(Throw "logonname required."),
 [string] $SecondUser = $(Throw "logonname required.")
)

$a = (Get-QADUser $FirstUser).MemberOf 
$b = (Get-QADUser $SecondUser).MemberOf
$c = Compare-Object -referenceObject $a -differenceObject $b 
$c | Sort-Object InputObject

}

When I call this (Compare-ADUserGroups User1 User2), I get a result set similar to the following:

• CN=[All Users],OU=adm,DC=OSUMC,DC=EDU <=
• CN=[All Users],OU=adm,DC=OSUMC,DC=EDU =>
• CN=Extended Users,OU=MSG,DC=OSUMC,DC=EDU <=
• CN=Extended Users,OU=MSG,DC=OSUMC,DC=EDU =>
• CN=LCS2005,OU=Distribution Lists,DC=OSUMC,DC=EDU <=
• CN=LCS2005,OU=Distribution Lists,DC=OSUMC,DC=EDU =>

I would expect these to not show given that they are equal and I am not using the -IncludeEqual parameter. Any ideas on why these are showing up?

Answer 1

There's something in them which is throwing off the comparison. You'll see something similar if you run...

get-process | export-clixml c\procs.xml Diff (get-process) (import-clixml c:\procs.xml)

Because SOME properties of those objects - things like VM and PM, for example, change in the brief interval between the two Get-Process runs. So it's possible that you're running into something similar, where some properties between the two objects are differing. By default, Compare-Object looks at every property.

An alternative is to use the -property param of Compare-Object to just compare specific properties, rather than comparing the entire object. Compare-Object can definitely be a bit tricky in this regard, because of the way it works with object properties rather than simply working with text.