Monitoring Active Directory Group Membership Changes
For security reasons, users in an Active Directory (AD) network are placed in groups, and they are granted or denied privileges according to the groups they belong to. This is done so that users do not have unnecessary access to sensitive organizational information. However, the roles of users in an organization keep changing, so it is also important to monitor their group memberships and adjust them accordingly. PowerShell can make this task easy: with it, administrators can collect events from the Windows Security log on each domain controller to track changes to an AD user account's group membership. The script can also be run periodically using Windows Task Scheduler. Here is the script that lets you monitor the AD groups and send an email if someone changes the membership settings:
```powershell
# Get domain controllers list
$DCs = Get-ADDomainController -Filter *
# Define timeframe for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# Store group membership change events from the Security log of every DC in one array.
# Assigning $events inside the loop would keep only the last DC's events, so the loop
# output is collected as a whole instead. (Get-EventLog exists in Windows PowerShell 5.1;
# on PowerShell 7 use Get-WinEvent.)
$events = foreach ($DC in $DCs) {
    Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate |
        Where-Object { $_.EventID -eq 4728 -or $_.EventID -eq 4729 }
}
# Loop through each stored event; print all changes to security global group members with when, who, what details.
# ReplacementStrings for 4728/4729: [0] member account, [2] group name, [6] account that made the change.
foreach ($e in $events) {
    # Member Added to Group
    if ($e.EventID -eq 4728) {
        Write-Host "Group: $($e.ReplacementStrings[2])`tAction: Member added`tWhen: $($e.TimeGenerated)`tWho: $($e.ReplacementStrings[6])`tAccount added: $($e.ReplacementStrings[0])"
    }
    # Member Removed from Group
    if ($e.EventID -eq 4729) {
        Write-Host "Group: $($e.ReplacementStrings[2])`tAction: Member removed`tWhen: $($e.TimeGenerated)`tWho: $($e.ReplacementStrings[6])`tAccount removed: $($e.ReplacementStrings[0])"
    }
}
```
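Event IDs 4728 and 4729 only cover security-enabled global groups. As an added example, not part of the article's script, the same collection extended to domain local groups (4732/4733) and universal groups (4756/4757), using Get-WinEvent with a filter hashtable so each domain controller filters its own log, and delivering the report by email as described above. The SMTP relay and addresses are placeholders, and the ActiveDirectory module plus rights to read each DC's Security log remotely are assumed.

```powershell
# Added example (not the article's script): collect membership changes for global,
# domain local and universal security groups from every DC and mail the report.
# Assumes the ActiveDirectory module, remote read access to each DC's Security log,
# and placeholder SMTP settings that must be replaced.
Import-Module ActiveDirectory

$startDate = (Get-Date).AddDays(-1)

# Event ID -> description, one add/remove pair per security group scope.
$eventMap = @{
    4728 = 'Member added to global group'
    4729 = 'Member removed from global group'
    4732 = 'Member added to domain local group'
    4733 = 'Member removed from domain local group'
    4756 = 'Member added to universal group'
    4757 = 'Member removed from universal group'
}

# A filter hashtable lets the DC filter server-side instead of streaming the whole log.
$filter = @{ LogName = 'Security'; Id = [int[]]$eventMap.Keys; StartTime = $startDate }

$changes = foreach ($dc in Get-ADDomainController -Filter *) {
    # SilentlyContinue: Get-WinEvent reports an error when no events match, which is normal here.
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties follow the same order as ReplacementStrings in the article's script:
            # [0] member name, [1] member SID, [2] group name, [6] account that made the change.
            # For some scopes the member name is logged as "-" and only the SID is present.
            $member = $_.Properties[0].Value
            if ($member -eq '-') { $member = $_.Properties[1].Value }
            [PSCustomObject]@{
                When   = $_.TimeCreated
                DC     = $dc.HostName
                Group  = $_.Properties[2].Value
                Action = $eventMap[[int]$_.Id]
                Who    = $_.Properties[6].Value
                Member = $member
            }
        }
}

if ($changes) {
    $body = $changes | Sort-Object When | Format-Table -AutoSize | Out-String -Width 200
    # Placeholder relay and addresses; replace with your own.
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'ad-monitor@example.com' `
        -To 'secops@example.com' -Subject "AD group membership changes since $startDate" `
        -Body $body
}
```

Scheduling this with Task Scheduler once a day matches the one-day window set by $startDate; shorten both if faster alerting on privileged group changes is needed.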