
Monitor AD Group

Monitoring an Active Directory group for membership changes by comparing the current members against an approved baseline list and emailing the differences.

IF (Get-PSSnapin | where {$_.name -eq "quest.activeroles.admanagement"}) {write-host "Quest Active Roles snapin already loaded"} Else {add-PSSnapin quest.activeroles.admanagement}

#Need to run the line below to update the approved list of members
#Get-QADGroupMember "domain admins" | select samaccountname | sort samaccountname | Export-Csv C:\temp\GRP_DA_Expected_Members.csv -NoTypeInformation

$GroupName = "Domain Admins"
$smtpServer = "mail.blah.com"
$To = "Kevin <kevin@blah.com>", "Joe <joe@blah.com>"
$From = "Kevin <kevin@blah.com>"
$FileExpectedAdmins = "C:\temp\GRP_DA_Expected_Members.csv"

#Baseline (approved) members, read as CSV lines
$ExpectedDomainAdmins = get-content $FileExpectedAdmins
#Current members, converted to the same CSV line format so the two lists compare as strings
$currentDomainAdmins = Get-QADGroupMember $GroupName | select samaccountname | sort samaccountname | ConvertTo-Csv -NoTypeInformation
$grp = Get-QADGroup $GroupName

$CompareMembers = Compare-Object $ExpectedDomainAdmins $currentDomainAdmins
#List Added Members
$Added = $CompareMembers | where {$_.SideIndicator -eq "=>"}
#List Removed Members
$Removed = $CompareMembers | where {$_.SideIndicator -eq "<="}

If ($Added -eq $null -and $Removed -eq $null) {
    Write-Host "No Changes have been found"
} Else {
    $message = "The " + $GroupName + " group was last modified: " + $grp.whenChanged + "`r`n`r`n"
    $message = $message + "The following members have been Added: `r`n"
    $message = $message + $(foreach ($member in $Added) {$($member.inputobject)}) + "`r`n`r`n"
    $message = $message + "The following members have been removed: `r`n"
    $message = $message + $(foreach ($member in $removed) {$member.inputobject}) + "`r`n`r`n"
    $message = $message + "This script is running on " + $env:COMPUTERNAME

    #Send Email
    #PowerShell V2 has a new cmdlet Send-MailMessage
    Send-MailMessage -From $From -To $To -SmtpServer $smtpServer `
        -Subject "$GroupName Group has been changed" -Body $message -Attachments $FileExpectedAdmins
}


  1. Add emailing
  2. Attach expect members list to email
  3. Add Last modified time to the email
  4. Add If logic to only send the email if the group has changed
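The same baseline comparison as an added example (not the page's own script), using the Microsoft ActiveDirectory module instead of the Quest snapin. It goes a little beyond the script above by resolving nested groups with -Recursive and by writing the result to the Application event log so a SIEM can alert on it; the group name, baseline path, event source and event IDs are assumptions.

```powershell
# Added example, not the original script. Assumes the ActiveDirectory module is
# installed, the baseline file holds one sAMAccountName per line, and the event
# source below has been registered once from an elevated shell.
Import-Module ActiveDirectory

$GroupName    = 'Domain Admins'
$BaselineFile = 'C:\temp\GRP_DA_Expected_Members.txt'   # assumed path
$EventSource  = 'ADGroupMonitor'                         # assumed event source name

function Get-GroupMemberNames {
    param([string]$Group)
    # -Recursive expands nested groups, so a user added through a nested group is still seen
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

function Compare-GroupBaseline {
    param([string[]]$Expected, [string[]]$Current)
    # With no -Property, Compare-Object compares the strings themselves
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $Current
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# Register the event source once (needs elevation); skipped if it already exists
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$expected = @(Get-Content $BaselineFile | Where-Object { $_.Trim() })
$current  = @(Get-GroupMemberNames -Group $GroupName)
$result   = Compare-GroupBaseline -Expected $expected -Current $current

if ($result.Added.Count -eq 0 -and $result.Removed.Count -eq 0) {
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Information `
        -Message "$GroupName membership matches the baseline ($($current.Count) members)."
} else {
    # A Warning event with a fixed ID is easy to pick up in a SIEM or forwarded-event collector
    $body = "Group: $GroupName`r`nAdded: $($result.Added -join ', ')`r`nRemoved: $($result.Removed -join ', ')"
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType Warning -Message $body
}
```

When a change is approved, refresh the baseline deliberately (for example `Get-GroupMemberNames -Group $GroupName | Set-Content $BaselineFile`) rather than letting the script overwrite it, so an unexpected addition is never silently accepted.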

Get a list of Domain Admins

Use "lastlogontimestamp" instead of lastlogon because it is replicated to other DCs


Get-QADGroupMember "domain admins" | select samaccountname, name, description, lastlogontimestamp | sort samaccountname