Do you have several domain admins? Do too many people have their hands in the cookie jar? Do you have a need to monitor one or more AD groups? If you answered yes to any of the above questions, then this script is for you.
When I started at my current company a little over a year ago, I found that there were over 50 domain admins! Not all of these were actual users, a lot were service accounts – but still that was a lot for a medium sized, centrally located company.
Before I could get started on trimming that list down, I had to make sure more people weren’t getting added from time to time as I tried to clean it up. Additionally, once I had the privileged groups how I wanted them – I wanted to make sure they stayed that way. I didn’t want people playing shadow IT and adding unauthorized users to highly privileged groups.
Instead of creating my own script I found this awesome script that was already created and I highly recommend it!
A few notes:
DO NOT modify the script at all! When you call it (via command line or task scheduler), you pass all of the variables/parameters to the script.
Example of how to call script in Task Scheduler:
.\TOOL-MONITOR-AD_Group.ps1 -verbose -Group \”Domain Admins\”,\”Administrators\”,\”Enterprise Admins\”,\”Schema Admins\” -Emailfrom \”AD-Group-Monitor@yourdomain.com\” -EmailTo \”email@example.com\” -EmailServer \”emailserver.yourdomain.com\”
I have it set up to run once a day – you can change this to suite your needs.
The change log is included in the email by default and is very helpful! it does not include WHO added or removed a user, that can be tricky to track down. It will however, give you a sense of security knowing that you will be notified each time a highly privileged group is modified.
Here are the groups I am monitoring (for reference):
- Domain Admins
- Enterprise Admins
- Schema Admins
- <server admins>
- <linux admins>
- Exchange Domain Servers
- Mail Admins
- Exchange Administrators
- Organization Management
- <SQL admins>