AD Group Auditing with Powershell

Here’s another handy Powershell script I’ve created. It borrows components from another (credited at the bottom of the post) and expands on the repadmin functionality in the Active Directory Powershell module. The main aim of this is to keep track of members being added to or removed from Active Directory groups. There is functionality to do this within AD but if, like myself, you have no control over AD administration this may help you out.

I wanted to keep track of specific groups used for reporting & SharePoint site access that may also require database access. Being notified of additions to these groups by other teams/managers would allow me to identify & fill in missing database perms before they become a problem. I’ll append a few example SQL queries as I go, to show how I’m using it.

Here’s a quick flow of what I’m doing here:

[Flow diagram: adauditcp]

This can be run regularly on any schedule just through Task Scheduler. It will always pick up the exact date/time that a user was removed from or added to a group, so how often you schedule it to run depends on how quickly you want to be notified of a change.

AD Tombstone Lifetime

This script is particularly helpful if you want to regularly report on changes to AD group members outside of AD administration. There is an attribute in AD called the Tombstone Lifetime that will shear off metadata for groups after a certain time has elapsed. By default this is anywhere between 60 – 180 days. More info can be found here: AD DS: Tombstone Lifetime.

Now, if/when this “TSL” date is reached for a member in a group, the script below will overwrite their record in the table, marking the GroupState as LEGACY (more on this in the reference below) but showing no LastModified date. So if you want to retain these dates and you are unable or reluctant to increase the TSL in AD, I’d recommend regular outputs or backups of this output table.

The Script

I have commented the script as much as I can but if you have any questions or suggestions, drop me a comment below.

The Output

From this table you can see the member’s details. The 4 columns I’ve not obscured show the current state of that member within that group. The columns are summarised below.

[Output table screenshot: adauditout]

GroupState

  • The options being PRESENT, ABSENT & LEGACY (More on this in the reference link below).

LastModified

  • This is the date of the last change for that member (in that group). As you can see we are either NOT enforcing a TSL date or it has been extended well beyond the default (6+ years).

AuditDate

  • This is the date I append in the script to keep track of when the record was last updated in this output table. In its present state, this will only update on a record when it has changed state. This logic can be changed by simply removing the following from the WHERE clause on line 199.

ModifiedCount

  • This is the number of times the user has been added to/removed from the group, i.e. a count of 4 would mean they have been Added > Removed > Added > Removed & the status should show as ABSENT.

Example Queries

  • Members Added to groups in the past week

Similarly, you could look at recently removed users by changing the GroupState in the WHERE clause to ‘ABSENT’.

  • Last Audit Date with changes
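To make the output-table logic and the two queries above concrete, here is an added example that is not the original post’s script. It assumes the replication metadata has already been parsed into (group, member, state, last-modified, version) rows (the sample rows are constructed), uses an in-memory SQLite table in place of the post’s SQL Server output table, and the column names GroupName and Member are assumptions, since those columns are obscured in the screenshot. It also goes one step beyond the post: when a row comes back LEGACY with no LastModified after the TSL has elapsed, the merge keeps the date already on file rather than blanking it, which is an alternative to the backup approach the post recommends.

```python
"""Audit table for AD group membership changes built from parsed
replication metadata. Added example, not the post's own script."""
import sqlite3
from datetime import datetime, timedelta

# Fixed "run time" so the example is deterministic.
NOW = datetime(2015, 3, 6, 8, 0, 0)

# Constructed sample rows standing in for what the script extracts from the
# metadata: (GroupName, Member, GroupState, LastModified, Version).
FIRST_RUN = [
    ("SQL_Report_Readers", "alice", "PRESENT", "2015-03-02 09:15:00", 1),
    ("SQL_Report_Readers", "bob",   "ABSENT",  "2015-03-04 17:40:00", 4),
    ("SQL_Report_Readers", "carol", "ABSENT",  "2014-01-10 08:30:00", 2),
    ("SP_Finance_Site",    "alice", "PRESENT", "2015-03-05 11:05:00", 3),
]
# A day later: bob has been re-added (version 5), carol's ABSENT link has
# aged past the tombstone lifetime and now reads LEGACY with no date.
SECOND_RUN = [
    ("SQL_Report_Readers", "alice", "PRESENT", "2015-03-02 09:15:00", 1),
    ("SQL_Report_Readers", "bob",   "PRESENT", "2015-03-06 12:00:00", 5),
    ("SQL_Report_Readers", "carol", "LEGACY",  None,                  2),
    ("SP_Finance_Site",    "alice", "PRESENT", "2015-03-05 11:05:00", 3),
]


def create_table(conn):
    conn.execute("""
        CREATE TABLE IF NOT EXISTS GroupAudit (
            GroupName     TEXT NOT NULL,
            Member        TEXT NOT NULL,
            GroupState    TEXT NOT NULL,
            LastModified  TEXT,
            AuditDate     TEXT NOT NULL,
            ModifiedCount INTEGER NOT NULL,
            PRIMARY KEY (GroupName, Member)
        )""")


def merge_metadata(conn, rows, run_time):
    """Upsert each row. AuditDate only moves when GroupState changes (the post's
    WHERE-clause rule). A LEGACY row with no LastModified keeps the date already
    on file (added TSL safeguard). Returns the number of records touched."""
    changed = 0
    stamp = run_time.isoformat(" ")
    for group, member, state, last_mod, version in rows:
        existing = conn.execute(
            "SELECT GroupState, LastModified FROM GroupAudit "
            "WHERE GroupName=? AND Member=?", (group, member)).fetchone()
        if existing is None:
            conn.execute("INSERT INTO GroupAudit VALUES (?,?,?,?,?,?)",
                         (group, member, state, last_mod, stamp, version))
            changed += 1
            continue
        old_state, old_last_mod = existing
        if old_state == state:
            continue  # no state change: leave AuditDate untouched
        kept_last_mod = last_mod if last_mod is not None else old_last_mod
        conn.execute(
            "UPDATE GroupAudit SET GroupState=?, LastModified=?, AuditDate=?, "
            "ModifiedCount=? WHERE GroupName=? AND Member=?",
            (state, kept_last_mod, stamp, version, group, member))
        changed += 1
    conn.commit()
    return changed


def members_changed_since(conn, state, since):
    """'Members added in the past week' query; pass 'ABSENT' for removals."""
    return conn.execute(
        "SELECT GroupName, Member FROM GroupAudit "
        "WHERE GroupState=? AND LastModified >= ? ORDER BY GroupName, Member",
        (state, since.isoformat(" "))).fetchall()


def last_audit_with_changes(conn):
    """'Last audit date with changes': most recent AuditDate in the table."""
    return conn.execute("SELECT MAX(AuditDate) FROM GroupAudit").fetchone()[0]


def run_example():
    conn = sqlite3.connect(":memory:")
    create_table(conn)
    first = merge_metadata(conn, FIRST_RUN, NOW)
    second = merge_metadata(conn, SECOND_RUN, NOW + timedelta(days=1))
    week_ago = NOW - timedelta(days=7)
    carol = conn.execute("SELECT GroupState, LastModified, AuditDate FROM GroupAudit "
                         "WHERE Member='carol'").fetchone()
    alice_audit = conn.execute("SELECT AuditDate FROM GroupAudit WHERE Member='alice' "
                               "AND GroupName='SQL_Report_Readers'").fetchone()[0]
    return {
        "first_run_changes": first,
        "second_run_changes": second,
        "added_last_week": members_changed_since(conn, "PRESENT", week_ago),
        "removed_last_week": members_changed_since(conn, "ABSENT", week_ago),
        "carol": carol,
        "alice_audit_date": alice_audit,
        "last_audit": last_audit_with_changes(conn),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Running it shows alice’s AuditDate staying at the first run because her state never changed, bob appearing in the "added in the past week" result after his re-add, and carol’s 2014 LastModified surviving the LEGACY overwrite.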

More to follow…

References

To pull the metadata for the AD groups I used the script at the following site. It was then changed & edited to include more information on the members. There’s a great explanation of the script & the metadata over there too.

To check & build the regular expressions used to pull parts of the metadata out I used regex101. It was really handy for this as I’m not too familiar with regex.
