AD PowerShell – Monitor [privileged] groups

Do you have several domain admins? Do too many people have their hands in the cookie jar? Do you have a need to monitor one or more AD groups? If you answered yes to any of the above questions, then this script is for you.

Our scenario:

When I started at my current company a little over a year ago, I found that there were over 50 domain admins! Not all of these were actual users, a lot were service accounts – but still, that was a lot for a medium-sized, centrally located company.

Before I could get started on trimming that list down, I had to make sure more people weren’t getting added from time to time as I tried to clean it up. Additionally, once I had the privileged groups how I wanted them – I wanted to make sure they stayed that way. I didn’t want people playing shadow IT and adding unauthorized users to highly privileged groups.

Instead of creating my own script, I found this awesome script that was already written, and I highly recommend it!

You can find the script here on TechNet and instructions on how to use it here on the author's own blog.


A few notes:

DO NOT modify the script at all! When you call it (via command line or task scheduler), you pass all of the variables/parameters to the script.

Example of how to call script in Task Scheduler:

.\TOOL-MONITOR-AD_Group.ps1 -Verbose -Group "Domain Admins","Administrators","Enterprise Admins","Schema Admins" -Emailfrom "AD-Group-Monitor@yourdomain.com" -EmailTo "yourgroup@yourdomain.com" -EmailServer "emailserver.yourdomain.com"

I have it set up to run once a day – you can change this to suit your needs.
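The following is an added example (not part of the original post, and not code from the TechNet script it recommends) showing how to register that daily Task Scheduler job from PowerShell instead of clicking through the GUI. It assumes the script is saved unmodified at C:\Scripts\TOOL-MONITOR-AD_Group.ps1, that a group Managed Service Account (placeholder YOURDOMAIN\svc-adgroupmon$) exists that can read the groups and relay through the mail server, and it reuses the post's placeholder mail addresses and server name.

```powershell
# Added example, not part of the original post or of the TechNet script it recommends:
# register a Task Scheduler job that runs TOOL-MONITOR-AD_Group.ps1 once a day with the
# same parameters as the command line in the post.
# Assumptions (placeholders, adjust for your environment):
#   - the script is saved unmodified at C:\Scripts\TOOL-MONITOR-AD_Group.ps1
#   - the task runs as a group Managed Service Account (YOURDOMAIN\svc-adgroupmon$) that
#     can read the groups and relay through the mail server; a gMSA needs no stored password
#   - the mail addresses and server are the same placeholders the post uses

$ScriptPath = 'C:\Scripts\TOOL-MONITOR-AD_Group.ps1'
$Groups     = "'Domain Admins','Administrators','Enterprise Admins','Schema Admins'"

# -Command (rather than -File) so that the comma-separated group list is parsed as a
# PowerShell array and reaches the script's -Group parameter as several values.
$Command = "& '$ScriptPath' -Verbose -Group $Groups " +
           "-Emailfrom 'AD-Group-Monitor@yourdomain.com' " +
           "-EmailTo 'yourgroup@yourdomain.com' " +
           "-EmailServer 'emailserver.yourdomain.com'"

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command `"$Command`"" `
            -WorkingDirectory 'C:\Scripts'

# Once a day; change -Daily/-At to suit your own schedule.
$Trigger = New-ScheduledTaskTrigger -Daily -At 6am

# LogonType Password with a gMSA lets the task run whether or not anyone is logged on,
# with network credentials, and without a password stored in the task definition.
$Principal = New-ScheduledTaskPrincipal -UserId 'YOURDOMAIN\svc-adgroupmon$' `
               -LogonType Password -RunLevel Limited

$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
              -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
              -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'Monitor Privileged AD Groups' `
    -Description 'Daily membership report and change log for privileged AD groups' `
    -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings
```

Running the task as a gMSA rather than a human admin account keeps a highly privileged password out of the task store, and running it with the lowest rights that can still read the groups and send mail keeps the monitor itself from becoming one more member of the cookie jar.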

The change log is included in the email by default and is very helpful! It does not include WHO added or removed a user; that can be tricky to track down. It will, however, give you a sense of security knowing that you will be notified each time a highly privileged group is modified.
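When the daily email shows a change, the "who" lives in the Security log of whichever domain controller processed the change. The following is an added example (not part of the original post or the TechNet script) that queries every DC for the last 24 hours of group-membership change events and reports the account that made each change. It assumes the "Audit Security Group Management" audit subcategory is enabled on the DCs, that the ActiveDirectory module is available, and that you have rights to read the DCs' Security logs; the group list is the same one the post monitors.

```powershell
# Added example, not part of the original post or of the TechNet script it recommends:
# find WHO added or removed members of the watched groups by reading the Security log
# on every domain controller (a change is logged on the DC that processed it).
# Assumptions: "Audit Security Group Management" is enabled on the DCs, the
# ActiveDirectory module is installed, and the caller can read the DCs' Security logs.
# Event IDs: 4728/4732/4756 = member added to a global/local/universal security group,
#            4729/4733/4757 = member removed from one.

Import-Module ActiveDirectory

$WatchedGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins')
$AddedIds      = 4728, 4732, 4756
$RemovedIds    = 4729, 4733, 4757
$Since         = (Get-Date).AddHours(-24)

$Results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = $AddedIds + $RemovedIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # a DC with no matching events is not an error

    foreach ($e in $events) {
        # Read the named fields from the event XML instead of parsing the message text,
        # which is localized and changes wording between Windows versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        # TargetUserName is the group that was changed; skip groups we do not watch
        if ($WatchedGroups -notcontains $data.TargetUserName) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            Action    = if ($e.Id -in $AddedIds) { 'Added' } else { 'Removed' }
            Group     = $data.TargetUserName
            Member    = $data.MemberName      # distinguishedName of the account changed
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        }
    }
}

$Results | Sort-Object Time | Format-Table -AutoSize
```

Pair this with the daily email: the script tells you that a group changed, and this lookup tells you which account changed it, so an unauthorized addition can be traced back to a person (or a compromised credential) instead of just being reverted.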

Here are the groups I am monitoring (for reference):

  • Domain Admins
  • Administrators
  • Enterprise Admins
  • Schema Admins
  • <server admins>
  • <linux admins>
  • Exchange Domain Servers
  • Mail Admins
  • Exchange Administrators
  • Organization Management
  • <SQL admins>

akers8806
