Monitor AD Group

Monitoring an Active Directory group for membership changes: the script compares the group's current members against an approved list saved in a CSV file and e-mails the differences.

# Load the Quest ActiveRoles snapin if it is not already present
IF (Get-PSSnapin | where {$_.name -eq "quest.activeroles.admanagement"})
    {write-host "Quest Active Roles snapin already loaded"}
Else
    {add-PSSnapin quest.activeroles.admanagement}

#Need to run the line below to update the approved list of members
#Get-QADGroupMember "domain admins" | select samaccountname | sort samaccountname | Export-Csv C:\temp\GRP_DA_Expected_Members.csv -NoTypeInformation

$GroupName  = "Domain Admins"
$smtpServer = "mail.blah.com"
$To   = "Kevin <kevin@blah.com>", "Joe <joe@blah.com>"
$From = "Kevin <kevin@blah.com>"

# Approved membership (one CSV line per account, header included)
$FileExpectedAdmins   = "C:\temp\GRP_DA_Expected_Members.csv"
$ExpectedDomainAdmins = get-content $FileExpectedAdmins
# Current membership, rendered as CSV lines so it compares line-for-line with the file
$currentDomainAdmins  = Get-QADGroupMember $GroupName | select samaccountname | sort samaccountname | ConvertTo-Csv -NoTypeInformation

$grp = Get-QADGroup $GroupName

$CompareMembers = Compare-Object $ExpectedDomainAdmins $currentDomainAdmins

#List Added Members (present in AD, absent from the approved file)
$Added = $CompareMembers | where {$_.SideIndicator -eq "=>"}
#List Removed Members (present in the approved file, absent from AD)
$Removed = $CompareMembers | where {$_.SideIndicator -eq "<="}

# $null goes on the left so the test is not turned into an array filter when $Added holds several objects
If (($null -eq $Added) -and ($null -eq $Removed))
    {Write-Host "No Changes have been found"}
Else {
    $message = "The " + $GroupName + " group was last modified: " + $grp.whenChanged + "`r`n`r`n"
    $message = $message + "The following members have been Added: `r`n"
    $message = $message + $(($Added | foreach {$_.inputobject}) -join "`r`n") + "`r`n`r`n"
    $message = $message + "The following members have been removed: `r`n"
    $message = $message + $(($Removed | foreach {$_.inputobject}) -join "`r`n") + "`r`n`r`n"
    $message = $message + "This script is running on " + $env:COMPUTERNAME
    #Send Email
    #PowerShell V2 has a new cmdlet Send-MailMessage
    Send-MailMessage -From $From -To $To -SmtpServer $smtpServer `
        -Subject "$GroupName Group has been changed" -Body $message -Attachments $FileExpectedAdmins
}
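The same baseline-versus-current check, written as an added example (not the script above) against the Microsoft ActiveDirectory module instead of the Quest snapin. The comparison step is kept in a separate function so it can be exercised on constructed member lists with no domain present; the group name, mail addresses, the event source name and the -Recursive handling of nested groups are assumptions for this example, and the baseline path is the one used on the page.

```powershell
# Added example, not the page's own script: baseline diff of a privileged group
# using the RSAT ActiveDirectory module (assumed installed).
Import-Module ActiveDirectory

# Pure comparison step: takes two lists of sAMAccountNames and reports what was
# added to / removed from the directory relative to the approved baseline.
function Compare-GroupBaseline {
    param(
        [string[]]$Expected,   # baseline: accounts approved to be members
        [string[]]$Current     # what the directory reports right now
    )
    # Case-insensitive, order-independent; either side may be empty.
    $exp = @($Expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $cur = @($Current  | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $diff = Compare-Object -ReferenceObject $exp -DifferenceObject $cur
    New-Object PSObject -Property @{
        Added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
        Removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
        Changed = [bool]$diff
    }
}

# Offline check with constructed lists (no domain needed):
$demo = Compare-GroupBaseline -Expected 'alice','bob','svc_backup' -Current 'alice','svc_backup','mallory'
$demo | Format-List Added, Removed, Changed

# --- Live use (requires domain access) ---
$GroupName    = 'Domain Admins'                          # assumption
$BaselineFile = 'C:\temp\GRP_DA_Expected_Members.csv'   # path from the page

# -Recursive expands nested groups: an account placed in a group that is itself
# a member of Domain Admins has the same rights as a direct member, so a
# membership monitor that ignores nesting misses exactly the quiet additions.
$current = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

if (-not (Test-Path $BaselineFile)) {
    # First run: record the approved membership so later runs have a baseline.
    $current | ForEach-Object { New-Object PSObject -Property @{ SamAccountName = $_ } } |
        Export-Csv $BaselineFile -NoTypeInformation
    return
}
$expected = Import-Csv $BaselineFile | Select-Object -ExpandProperty SamAccountName
$result   = Compare-GroupBaseline -Expected $expected -Current $current

if ($result.Changed) {
    $body = @(
        "Group '$GroupName' membership differs from the approved baseline.",
        "Added:   " + ($result.Added   -join ', '),
        "Removed: " + ($result.Removed -join ', '),
        "Checked on $env:COMPUTERNAME at $(Get-Date -Format s)"
    ) -join "`r`n"
    # Also record the finding in the local event log so a SIEM/forwarder picks it
    # up even when mail delivery fails. Source name 'GroupMonitor' is an assumption;
    # Write-EventLog needs the source registered once with New-EventLog.
    if (-not [System.Diagnostics.EventLog]::SourceExists('GroupMonitor')) {
        New-EventLog -LogName Application -Source 'GroupMonitor'
    }
    Write-EventLog -LogName Application -Source 'GroupMonitor' -EntryType Warning -EventId 4001 -Message $body
    Send-MailMessage -From 'monitor@blah.com' -To 'kevin@blah.com' -SmtpServer 'mail.blah.com' `
        -Subject "$GroupName membership changed" -Body $body
}
```

On the constructed lists the function reports mallory as added and bob as removed. Comparing sAMAccountNames rather than raw CSV lines means a re-ordered or re-exported baseline does not raise a false alarm, and the event-log entry gives you a second, locally retained record of each change.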

ToDo

Get a list of Domain Admins

Use "lastlogontimestamp" instead of lastlogon because it is replicated to other DCs (lastlogon is kept per DC and never replicated).

http://ondotnet.com/pub/a/dotnet/excerpt/ADcookbook_chap1/index.html?page=2

Get-QADGroupMember "domain admins" | select samaccountname, name, description, lastlogontimestamp | sort samaccountname
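An added example (not from the page) that carries the ToDo through with the Microsoft ActiveDirectory module and handles the two things that make lastLogonTimestamp awkward: the attribute is stored as a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) rather than a date, and a value of 0 or an absent value means the account has never logged on. The group name, the 90-day staleness threshold and the sample values are assumptions or constructed data.

```powershell
# Added example, not the page's own code. Lists Domain Admins with a readable
# last-logon time and flags accounts that look dormant.
Import-Module ActiveDirectory

# lastLogonTimestamp -> DateTime (UTC). Returns $null for "never logged on".
function ConvertFrom-LastLogonTimestamp {
    param($FileTime)   # Int64 FILETIME as returned by AD, or $null
    if ($null -eq $FileTime -or [Int64]$FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([Int64]$FileTime)
}

# Classifies an account by age of its last logon. Threshold is an assumption.
function Get-StaleFlag {
    param(
        $LastLogonUtc,                 # DateTime or $null
        [int]$StaleDays = 90,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    if ($null -eq $LastLogonUtc) { return 'never' }
    if (($Now - $LastLogonUtc).TotalDays -gt $StaleDays) { return 'stale' }
    'active'
}

# Offline check with constructed FILETIME values (no domain needed):
$sample = @{
    'alice'     = [DateTime]::UtcNow.AddDays(-3).ToFileTimeUtc()    # recent logon
    'old_admin' = [DateTime]::UtcNow.AddDays(-200).ToFileTimeUtc()  # dormant
    'svc_never' = 0                                                 # never logged on
}
$sample.GetEnumerator() | ForEach-Object {
    $last = ConvertFrom-LastLogonTimestamp $_.Value
    '{0,-10} {1,-25} {2}' -f $_.Key, $last, (Get-StaleFlag $last)
}

# --- Live use (requires domain access) ---
# Caveat: lastLogonTimestamp is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days, minus a random offset), so it is
# accurate to roughly two weeks. Good enough to find dormant admin accounts;
# not a substitute for logon events when you need to know who logged on today.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties description, lastLogonTimestamp |
    ForEach-Object {
        $last = ConvertFrom-LastLogonTimestamp $_.lastLogonTimestamp
        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            Description    = $_.Description
            LastLogonUtc   = $last
            Status         = Get-StaleFlag $last
        }
    } | Sort-Object SamAccountName

$members | Format-Table SamAccountName, Name, LastLogonUtc, Status -AutoSize
```

Get-ADUser also exposes a LastLogonDate property that is this same conversion done for you, but doing it explicitly makes the never-logged-on case visible instead of leaving it as a blank column. Accounts flagged 'stale' or 'never' in a privileged group are the ones to review first against the approved baseline.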