Getting notified of Active Directory Group Membership…

by Andy Grogan on March 4, 2012 · 0 comments

in Monitoring, Powershell, Windows 2008, Windows 2008 R2

Ok, whilst this is not an Exchange focussed post, I am hoping that it will help some folks out there. I have over the years been in charge of some quite large Active Directory environments, which naturally have a number of Administrators – some of whom are based in many locations and sometimes in different physical groups within a given company.

Now, in such scenarios you tend to end up with people who are responsible for the administration having different levels of discipline in controlling access to sensitive, key groups within the directory, or who make changes in a disjointed fashion without communicating the changes. I think that most of us have encountered that person who will add a user into the “Domain Admins” or “Enterprise Admins” group to solve an immediate permissions issue (and of course by doing so committing a cardinal sin of any form of AD management) – and then forget to remove them.

In some organisations (especially large ones with lots of admins) this is usually only picked up on when there is an audit (this has happened to me on a number of occasions) and, as “sod’s law” dictates, you will be left looking kind of silly in front of the auditor that you just told that you run a ship tighter than Goldmember’s tiger!

Now, unless you have some form of dedicated group monitoring product – which is keeping track of who has been placed within your critical security groups – effective governance can be a little difficult (mainly down to the fact that as administrators you probably have 101 other things to be worried about). So, I have written a very simple script in Powershell that will scan the group membership of any number of groups that you stipulate and send an e-mail to you which tells you who the current members of each group are.

You can schedule this script to run periodically (or depending on your organisational inspection policy) and review the results for irregularities.

This script is designed to be executed against Domain Controllers which are running Active Directory Management Gateway Service – therefore your environment will require at least one domain controller that conforms to the following:

It is recommended that you execute this script on a DC which has the Management Gateway service installed. If you only have a single domain controller with this service, you will need to ensure that the $ADWSDC value at the top of the script is populated with the name of that DC. Personally, I would recommend that all of your Domain Controllers have this service installed.

You should also populate the $SMTPServer value with an SMTP server which you can relay the notification messages through, and set the $MessageFrom and $MessageTo values (the sender and recipient, respectively, of the report).

If you would like to add additional groups which are to be inspected by the script, have a look at the $strCriticalGroups constant – you can add additional groups by typing in their names (separating them with a comma) and saving the script.

The Script

You can view the script below and copy and paste it into a new PS1 script file on your domain controller. If you would like to schedule the script via the Task Scheduler, there are some instructions here which explain how you can run Powershell scripts from the command line or via batch files, which can then be used with the Task Scheduler to run at periodic intervals.

# Active Directory Group Notification Reporting Script
# Author: Andy Grogan
# www.telnetport25.com
# Credits: sendMail function based upon code from the
# Windows PowerShell Team:
# http://blogs.msdn.com/b/powershell/archive/2009/10/30/sending-automated-emails-with-send-mailmessage-convertto-html-and-the-powershellpack-s-taskscheduler-module.aspx

# Settings: the DC running the Active Directory Management Gateway Service,
# the SMTP relay, and the sender/recipient of the report
$ADWSDC = "prod-dc-01"
$SMTPServer = "172.31.253.140"
$MessageFrom = "infoSec@prepad.local"
$MessageTo = "administrator@prepad.local"

Import-Module ActiveDirectory
# Groups to inspect: add further group names to this list, separated by commas
[Array]$strCriticalGroups = "Enterprise Admins","Domain Admins","Exchange Servers"

function sendMail($strBody){
    # Make Send-MailMessage failures terminating so they reach the catch block
    $ErrorActionPreference = "Stop"
    try {
        $messageParameters = @{
            Subject = "Domain Group Notification Report Update"
            Body = $strBody
            From = $MessageFrom
            To = $MessageTo
            SmtpServer = $SMTPServer
        }
        Send-MailMessage @messageParameters -BodyAsHtml
    } catch {
        # Log the error record if the message cannot be sent
        $_ | Out-File x:\grpMonSMTPerr.txt -Append -Width 1000
    }
}

# Build the HTML report body: one heading per group followed by its members
$messBody = "<p>Please find enclosed your Group Monitoring Report: </p>"

foreach($grp in $strCriticalGroups){
    # Direct members only; a nested group is listed by its name, not expanded
    $GroupMembers = Get-ADGroupMember $grp -Server $ADWSDC
    $messBody += "<h1>" + $grp + "</h1>" + "<br>"
    foreach($member in $GroupMembers){
        $messBody += $member.Name + "<br>"
    }
}
sendMail $messBody

The following is some sample output from the script:

[Screenshot: adGroupsMonExample – sample report e-mail]
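The script above mails the full membership every run and leaves it to the reader to spot what changed. As an added example (not part of Andy Grogan's script), the following variant keeps a baseline from the previous run, expands nested groups with -Recursive, and only mails when a member has been added or removed. It assumes the ActiveDirectory module, the $ADWSDC value and group list from the post, and that the post's sendMail function is defined in the same file; $BaselinePath is a placeholder.

```powershell
# Added example: report only changes to the critical groups since the last run.
# Assumes the post's $ADWSDC, group list and sendMail function; $BaselinePath is a placeholder.
Import-Module ActiveDirectory
$ADWSDC       = "prod-dc-01"
$BaselinePath = "C:\GroupMon\baseline.json"
[Array]$strCriticalGroups = "Enterprise Admins","Domain Admins","Exchange Servers"

# Snapshot every group recursively, keyed by SID so a renamed account cannot mask a change
function Get-CriticalGroupSnapshot {
    $snapshot = @{}
    foreach ($grp in $strCriticalGroups) {
        $snapshot[$grp] = @(Get-ADGroupMember -Identity $grp -Server $ADWSDC -Recursive |
            ForEach-Object { [pscustomobject]@{ SID = $_.SID.Value; Name = $_.Name } })
    }
    return $snapshot
}

# Diff two snapshots; returns one record per member added to or removed from a group
function Compare-GroupSnapshot($baseline, $current) {
    $changes = @()
    foreach ($grp in $current.Keys) {
        $before = @($baseline[$grp]); $after = @($current[$grp])
        $beforeSids = @($before | ForEach-Object { $_.SID })
        $afterSids  = @($after  | ForEach-Object { $_.SID })
        foreach ($m in $after  | Where-Object { $beforeSids -notcontains $_.SID }) {
            $changes += [pscustomobject]@{ Group = $grp; Change = "ADDED";   Member = $m }
        }
        foreach ($m in $before | Where-Object { $afterSids  -notcontains $_.SID }) {
            $changes += [pscustomobject]@{ Group = $grp; Change = "REMOVED"; Member = $m }
        }
    }
    return $changes
}

$current = Get-CriticalGroupSnapshot
if (Test-Path $BaselinePath) {
    # ConvertFrom-Json returns a PSCustomObject; rebuild the hashtable keyed by group name
    $baseline = @{}
    foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = @($p.Value)
    }
    $changes = @(Compare-GroupSnapshot $baseline $current)
    if ($changes.Count -gt 0) {
        $body = "<p>Critical group membership changed since the last run:</p>" + (($changes |
            ForEach-Object { "<p><b>$($_.Change)</b> $($_.Group): $($_.Member.Name) ($($_.Member.SID))</p>" }) -join "")
        sendMail $body
    }
}
ConvertTo-Json -InputObject $current -Depth 3 | Set-Content $BaselinePath   # baseline for next run
```

The first run only writes the baseline; every scheduled run after that mails a change list, so a quick "add to Domain Admins and forget" shows up at the next interval rather than at the next audit.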
