Powershell - Monitor Active Directory Groups membership change
UPDATE: The most recent update is available on GitHub. See also those related blog posts:
A couple of weeks back, my boss asked me to set up a quick monitoring tool to check for membership changes made to Active Directory groups. In my case, I'm talking about "Domain Admins" and "Enterprise Admins".
Unfortunately, we currently don't have a tool in place to do this.
So why not take advantage of PowerShell? :-)
Required
- A script to monitor a list of groups
- A scheduled task to run every minute (if you set the scheduled task on a Windows Server 2008 R2 or a Windows 7, you might want to take a look at my previous post: Run this task every minute !!!)
Description
This script first checks the members of each group and exports the result to a CSV file (if the file does not exist yet). If the file already exists, its content is compared with the result of $Members. If they differ, an email is sent to $EmailTo with the members who have been added or removed.
Script http://gallery.technet.microsoft.com/Monitor-Active-Directory-4c4e04c7
```powershell
#requires -version 2.0
# #############################################################################
# NAME: TOOL-Monitor-AD_DomainAdmins_EnterpriseAdmins.ps1
#
# AUTHOR: Francois-Xavier CAT
# DATE: 2012/02/01
# EMAIL: [email protected]
#
# COMMENT: This script is monitoring group(s) in Active Directory and send an email when
# someone is added or removed
#
# REQUIRES:
# -Quest AD Snapin
# -A Scheduled Task
#
# VERSION HISTORY
# 1.0 2012.02.01 Initial Version.
# 1.1 2012.03.13 CHANGE to monitor both Domain Admins and Enterprise Admins
# 1.2 2013.09.23 FIX issue when specifying group with domain 'DOMAIN\Group'
#                CHANGE Script Format (BEGIN, PROCESS, END)
#                ADD Minimal Error handling. (TRY CATCH)
#
# #############################################################################

BEGIN {
    TRY {
        # Monitor the following groups
        $Groups = "Domain Admins", "Enterprise Admins"

        # The report is saved locally, next to the script
        $ScriptPath = (Split-Path ((Get-Variable MyInvocation).Value).MyCommand.Path)
        $DateFormat = Get-Date -Format "yyyyMMdd_HHmmss"

        # Email information
        $Emailfrom = "[email protected]"
        $Emailto = "[email protected]"
        $EmailServer = "emailserver.company.local"

        # Quest Active Directory Snapin
        if (!(Get-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
            Add-PSSnapin Quest.ActiveRoles.ADManagement
        }
    }
    CATCH { Write-Warning "BEGIN BLOCK - Something went wrong" }
}

PROCESS {
    TRY {
        FOREACH ($item in $Groups) {
            # Let's get the Current Membership
            $GroupName = Get-QADGroup $item
            $Members = Get-QADGroupMember $item -Indirect | Select-Object Name, SamAccountName, DN
            $EmailSubject = "PS MONITORING - $GroupName Membership Change"

            # Store the group membership in this file. It is joined to $ScriptPath so the
            # state file lands next to the script rather than in whatever working
            # directory the scheduled task happens to use.
            $StateFile = Join-Path -Path $ScriptPath -ChildPath "$($GroupName.domain.name)_$($GroupName.name)-membership.csv"

            # If the file doesn't exist, create one
            If (!(Test-Path $StateFile)) {
                $Members | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
            }

            # Now get current membership and start comparing it to the last lot we recorded
            # catching changes to membership (additions / removals)
            $Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name, SamAccountName, DN |
                Select-Object Name, SamAccountName, DN, @{n='State'; e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

            # If we have some changes, mail them to $Emailto
            If ($Changes) {
                $body = $($Changes | Format-List | Out-String)
                $smtp = New-Object Net.Mail.SmtpClient($EmailServer)
                $smtp.Send($Emailfrom, $Emailto, $EmailSubject, $body)
            }

            # Save current state to the csv
            $Members | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
        }
    }
    CATCH { Write-Warning "PROCESS BLOCK - Something went wrong" }
} #PROCESS

END { "Script Completed" }
#end region script
```
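As an added example (not part of the original post or the script above), here is the membership comparison isolated from Active Directory so the Added/Removed mapping can be checked against constructed data before the scheduled task goes live. The function name Get-MembershipChange and the sample accounts are hypothetical; it also covers the case where the group has been emptied, which the script's Compare-Object call does not.

```powershell
function Get-MembershipChange {
    param(
        [object[]]$Current,   # live membership, as produced by Get-QADGroupMember | Select-Object
        [object[]]$Previous   # last saved state, as produced by Import-Csv on the state file
    )
    # Drop $null entries so an empty group or an empty state file become empty arrays
    $Current  = @($Current  | Where-Object { $_ -ne $null })
    $Previous = @($Previous | Where-Object { $_ -ne $null })

    # Windows PowerShell's Compare-Object rejects an empty ReferenceObject or
    # DifferenceObject, so with the script's TRY/CATCH the case a defender cares
    # about most (every member removed) would only produce a warning, not an email.
    # Handle the empty cases explicitly before comparing.
    if ($Current.Count -eq 0 -and $Previous.Count -eq 0) { return }
    elseif ($Current.Count -eq 0) {
        $Previous | Select-Object Name, SamAccountName, DN, @{n='State'; e={ 'Removed' }}
    }
    elseif ($Previous.Count -eq 0) {
        $Current | Select-Object Name, SamAccountName, DN, @{n='State'; e={ 'Added' }}
    }
    else {
        # Same comparison as the script: "=>" means the entry exists only in the saved
        # state (so it was removed); "<=" means it exists only in the live membership.
        Compare-Object -ReferenceObject $Current -DifferenceObject $Previous -Property Name, SamAccountName, DN |
            Select-Object Name, SamAccountName, DN, @{n='State'; e={ if ($_.SideIndicator -eq '=>') { 'Removed' } else { 'Added' } }}
    }
}

# Constructed sample data (not real accounts): the last saved state and today's live membership,
# where badmin has left the group and enew has joined since the last run.
$previous = @(
    (New-Object PSObject -Property @{ Name = 'Alice Admin'; SamAccountName = 'aadmin'; DN = 'CN=Alice Admin,OU=Admins,DC=company,DC=local' }),
    (New-Object PSObject -Property @{ Name = 'Bob Admin';   SamAccountName = 'badmin'; DN = 'CN=Bob Admin,OU=Admins,DC=company,DC=local' })
)
$current = @(
    $previous[0],
    (New-Object PSObject -Property @{ Name = 'Eve Newcomer'; SamAccountName = 'enew'; DN = 'CN=Eve Newcomer,OU=Users,DC=company,DC=local' })
)

# Normal run: one member removed, one added
Get-MembershipChange -Current $current -Previous $previous | Format-Table -AutoSize
# Group emptied out: every saved member is reported as removed instead of triggering the CATCH
Get-MembershipChange -Current @() -Previous $previous | Format-Table -AutoSize
```

The function returns the same objects the script mails out, so its output can be piped through Format-List | Out-String to preview the alert body.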