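<#
####################################################################
Compare-UserGroups.ps1

Syntax:  Compare-UserGroups.ps1 -srcDomain <domain> -destDomain <domain>
                                -srcsAMAccountName <name> -destsAMAccountName <name>
Example: Compare-UserGroups.ps1 -srcDomain domain1.local -destDomain woodgrovebank.com
                                -srcsAMAccountName carlh -destsAMAccountName carlh

Purpose: Compares the DIRECT group membership (the memberOf attribute) of two
         user accounts. Be aware that it compares the Netbios names
         (sAMAccountName) of the groups, so it is only useful either within a
         domain\forest or after a migration of a user account between domains
         where the group names have not been changed as a consequence of the
         migration.
         NOTE: memberOf does not list the account's primary group
         (primaryGroupID, normally "Domain Users") and does not expand nested
         membership; neither is part of this comparison.

Params:  As shown in the syntax above or by typing the script name at the
         command prompt.
Req:     Windows 2003 SP2 or above, PowerShell V2.
         Run "set-executionpolicy remotesigned" in PowerShell.
         http://blogs.technet.com/b/carlh
Author:  Carl Harrison
This script is provided "AS IS" with no warranties, confers no rights and is
not supported by the authors or authors employer. Use of this script sample is
subject to the terms specified at http://www.microsoft.com/info/copyright.mspx.

Version: 1.0 - First cut
         1.1 - Escape user input before placing it in the LDAP filter, fail with
               a clear message when an account is not found, escape '/' in DNs
               before ADSI binding, dispose directory objects when done.
####################################################################
#>
Param (
    [Parameter()][string]$srcDomain = '',
    [Parameter()][String]$destDomain = '',
    [Parameter()][String]$srcsAMAccountName = '',
    [Parameter()][String]$destsAMAccountName = ''
)

# Prints the usage text and terminates the script.
Function Compare-GroupsHelp () {
    $helptext = @"
NAME: Compare-UserGroups.ps1

Compares the DIRECT Group Membership of 2 user accounts

Be aware that it compares the Netbios names (sAMAccountName) of the groups and is only useful either within a domain\forest or after a migration of a user account between domains where the group names have not been changed as a consequence of the migration.

PARAMETERS:
-srcDomain            Source Domain (Required)
-destDomain           Destination Domain (Required)
-srcsAMAccountName    Netbios name of the user account in the source domain (Required)
-destsAMAccountName   Netbios name of the user account in the destination domain (Required)

SYNTAX:
Compare-UserGroups.ps1 -srcDomain domain1.local -destDomain woodgrovebank.com -srcsAMAccountName carlh -destsAMAccountName carlh2

This compares the group memberships that carlh from domain1.local has in domain1.local with the group memberships that carlh from woodgrovebank.com has in woodgrovebank.com
"@
    $helptext
    exit
}

# Escapes a string for use as an assertion value inside an LDAP search filter
# (RFC 4515). The account name comes straight from the command line; without
# escaping, a value such as '*' or 'a)(objectClass=*' changes the meaning of the
# filter, so FindOne() would return an arbitrary account and the comparison
# would silently be run against the wrong user.
Function ConvertTo-LdapFilterValue ($Value) {
    # Backslash must be handled first so the escapes added below are not re-escaped.
    return [string]$Value `
        -replace '\\', '\5c' `
        -replace '\*', '\2a' `
        -replace '\(', '\28' `
        -replace '\)', '\29' `
        -replace "`0", '\00'
}

# Looks up a user by sAMAccountName in the given domain and returns its
# DirectoryEntry, or $null when no matching user object exists.
# Binds with the credentials of the calling user.
Function Get-LDAPUser ($UserName, $SourceDomain) {
    $domainRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://$SourceDomain")
    $searcher   = New-Object DirectoryServices.DirectorySearcher($domainRoot)
    try {
        $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $UserName)))"
        $result = $searcher.FindOne()
        if ($result -eq $null) {
            return $null
        }
        return $result.GetDirectoryEntry()
    }
    finally {
        # Assigning "" to the variable (as earlier versions did) does not release
        # the underlying COM objects; Dispose() does.
        $searcher.Dispose()
        $domainRoot.Dispose()
    }
}

# Resolves a group's distinguished name to its sAMAccountName via ADSI.
Function Get-GroupSamAccountName ($GroupDN) {
    # '/' is the ADsPath separator, so a DN containing one (e.g. an OU named
    # "Sales/Marketing") must be escaped or the LDAP:// bind fails.
    $group = [ADSI]("LDAP://" + ([string]$GroupDN -replace '/', '\/'))
    try {
        return $group.sAMAccountName.Value
    }
    finally {
        $group.Dispose()
    }
}

if (!$srcDomain)          { "Source Domain Required"; Compare-GroupsHelp }
if (!$destDomain)         { "Destination Domain Required"; Compare-GroupsHelp }
if (!$srcsAMAccountName)  { "Netbios Name or Source Account Required"; Compare-GroupsHelp }
if (!$destsAMAccountName) { "Netbios Name or Destination Account Required"; Compare-GroupsHelp }

# Fixed names in the current directory; an existing file of the same name is
# overwritten on every run.
$srcUserGroupsFile  = '.\srcUserGroupsFile.txt'
$destUserGroupsFile = '.\destUserGroupsFile.txt'

Write-Host
$srcUser = Get-LDAPUser $srcsAMAccountName $srcDomain
if ($srcUser -eq $null) {
    Write-Error "User '$srcsAMAccountName' was not found in domain '$srcDomain'."
    exit 1
}
# @() guards against memberOf being a single value (no .Count) or empty.
$srcGroupsDN = @($srcUser.memberOf | ForEach-Object { $_.ToString() })
Write-Host $srcUser.displayName "is a member of" $srcGroupsDN.Count " groups in domain $srcDomain. The groups are:"
$srcGroupsDN | Format-Table
Write-Host

$destUser = Get-LDAPUser $destsAMAccountName $destDomain
if ($destUser -eq $null) {
    $srcUser.Dispose()
    Write-Error "User '$destsAMAccountName' was not found in domain '$destDomain'."
    exit 1
}
$destGroupsDN = @($destUser.memberOf | ForEach-Object { $_.ToString() })
Write-Host $destUser.displayName "is a member of" $destGroupsDN.Count " groups in domain $destDomain. The groups are:"
$destGroupsDN | Format-Table
Write-Host

# Translate each group DN to its sAMAccountName; that is what gets compared.
$srcUserGroups  = @($srcGroupsDN  | ForEach-Object { "$(Get-GroupSamAccountName $_)" })
$destUserGroups = @($destGroupsDN | ForEach-Object { "$(Get-GroupSamAccountName $_)" })

$srcGroupsDN  | Out-File $srcUserGroupsFile
$destGroupsDN | Out-File $destUserGroupsFile

# Default Compare-Object output lists only the groups that differ:
# "<=" present only for the source user, "=>" present only for the destination user.
Compare-Object $srcUserGroups $destUserGroups -SyncWindow 100

$destUser.Dispose()
$srcUser.Dispose()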