Monitoring Active Directory Group Membership Changes


For security reasons, users in an Active Directory (AD) network are placed in groups and are granted or denied privileges according to the groups they belong to, so that no user has unnecessary access to sensitive organizational information. But users' roles change over time, so their group memberships must also be monitored and adjusted accordingly. PowerShell makes this task easy: with it, administrators can collect events from the Windows Security log on the domain controllers and track changes to an AD user account's group membership. The script can also be scheduled to run periodically with Windows Task Scheduler. Here is the script that lets you monitor the AD groups and report whoever changed the membership settings; hook its output up to an email step if you want to be notified:
 
  # Get domain controllers list
  $DCs = Get-ADDomainController -Filter *

  # Define timeframe for report (default is 1 day)
  $startDate = (Get-Date).AddDays(-1)

  # Store group membership change events from the Security event log of every DC in one array.
  # Each DC logs only the changes it processed itself, so the results must be accumulated,
  # not overwritten on every loop iteration.
  $events = @()
  foreach ($DC in $DCs) {
      $events += Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate |
          Where-Object { $_.EventID -eq 4728 -or $_.EventID -eq 4729 }
  }

  # Loop through each stored event; print all changes to security global group members with when, who, what details.
  # ReplacementStrings for 4728/4729: [0] member DN, [2] group name, [6] account that made the change.
  foreach ($e in $events) {
      # Member added to group (4728)
      if ($e.EventID -eq 4728) {
          Write-Host "Group: "$e.ReplacementStrings[2] "`tAction: Member added `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount added: "$e.ReplacementStrings[0]
      }
      # Member removed from group (4729)
      if ($e.EventID -eq 4729) {
          Write-Host "Group: "$e.ReplacementStrings[2] "`tAction: Member removed `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount removed: "$e.ReplacementStrings[0]
      }
  }
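The same 4728/4729 collection written with Get-WinEvent and a filter hashtable, as an added example that is not part of the original article: the filter is applied on the DC so only the matching events cross the wire, event fields are read by name from the event XML instead of by ReplacementStrings index, and a mail is sent only when at least one change was found. It assumes the ActiveDirectory module is installed, the running account can read the Security log on each DC, and the SMTP server and addresses are placeholders you replace.

```powershell
# Added example, not the article's own script. Placeholders: smtp.example.com and the addresses.
Import-Module ActiveDirectory

$startDate = (Get-Date).AddDays(-1)
$dcs       = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Pull one named field out of the event's EventData by its XML Name attribute.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Only 4728 (member added) and 4729 (member removed) since $startDate; filtered on the DC side.
$filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = $startDate }

$changes = foreach ($dc in $dcs) {
    # Get-WinEvent raises an error when nothing matches, so a DC with no changes is simply skipped.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [xml]$x = $e.ToXml()
        $action = if ($e.Id -eq 4728) { 'Member added' } else { 'Member removed' }
        [pscustomobject]@{
            When   = $e.TimeCreated
            DC     = $dc
            Action = $action
            Group  = Get-EventField $x 'TargetUserName'
            Member = Get-EventField $x 'MemberName'      # distinguished name of the account
            Who    = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
        }
    }
}

# Print the report on the console and mail it only if something actually changed.
$report = $changes | Sort-Object When | Format-Table -AutoSize | Out-String
Write-Host $report

if ($changes) {
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'ad-monitor@example.com' `
        -To 'secops@example.com' -Subject "AD group membership changes since $startDate" -Body $report
}
```

Changes to domain local and universal groups are logged under different event IDs (not covered by this article), so extend the Id list if those groups matter to you.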
