The following case is certainly not an everyday occurrence: the aim was to monitor an Active Directory group for a fixed set of members. Only very specific user accounts should be present in this group, and any additional or unexpected members should be reported.
I quickly wrote a small PowerShell script in which the users who are supposed to be in the Active Directory group are listed. Deviations from the configured list are reported by e-mail. If anyone can use something similar, here is my approach:
```powershell
$ADGroup        = "MyADGroup"
$AllowedMembers = @(
    'User1'
    'User2'
    'User3'
)
$SmtpServer = "smtp.frankysweb.local"
$From       = "GroupWarning@frankysweb.de"
$To         = "frank@frankysweb.de"
$Subject    = "Warning"

#import AD-Module
Import-Module ActiveDirectory

#fetch Groupmember from AD (recursive, so members of nested groups are included)
$ADGroupMembers = Get-ADGroup $ADGroup | Get-ADGroupMember -Recursive | Select-Object SamAccountName, Name

#compare groupmembers with allowedmembers
$Difference = Compare-Object -ReferenceObject $ADGroupMembers.SamAccountName -DifferenceObject $AllowedMembers

if ($Difference) {
    #User allowed, but not member of the group
    $NotGroupMember = ($Difference | Where-Object { $_.SideIndicator -eq "=>" }).InputObject

    #User is member of the group, but not allowed
    $NotAllowedMember = ($Difference | Where-Object { $_.SideIndicator -eq "<=" }).InputObject

    #Build mail (plain text, so the line breaks are kept as written)
    $Mail = @"
User is not allowed to be member of the group $ADGroup : $NotAllowedMember
User is allowed to be member of the group $ADGroup, but isn't member: $NotGroupMember
"@

    #Send mail
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Body $Mail -Subject $Subject
}
```
The script was then simply run every hour as a scheduled task. Perhaps someone can do something with it and use or modify it for themselves. Of course, this is no substitute for proper auditing; it is simply a short e-mail whenever the members of a group no longer match the configured list. The mail will look something like this:
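As an added example (not the original post's script), the comparison below is separated from the AD query and the mail so it can be run offline against constructed data. It compares SamAccountNames case-insensitively, as AD does, and does not fail when the group turns out to be empty (Compare-Object rejects a null reference list, which is exactly what an emptied group yields). The function name Compare-GroupMembership and the sample members are assumptions made for this example.

```powershell
# Added example, not from the original post. Pure comparison logic, no AD or SMTP calls.
function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $AllowedMembers,
        [AllowEmptyCollection()] [string[]] $ActualMembers = @()   # empty group is a valid input
    )
    # SamAccountNames are case-insensitive in AD, so compare them that way.
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $allowed = [System.Collections.Generic.HashSet[string]]::new([string[]]$AllowedMembers, $cmp)
    $actual  = [System.Collections.Generic.HashSet[string]]::new([string[]]$ActualMembers,  $cmp)

    [pscustomobject]@{
        Group          = $GroupName
        NotAllowed     = @($actual  | Where-Object { -not $allowed.Contains($_) })  # present, not on the list
        MissingAllowed = @($allowed | Where-Object { -not $actual.Contains($_) })   # on the list, absent
        CheckedAt      = (Get-Date).ToUniversalTime()
    }
}

# Constructed sample input (hypothetical accounts). In production this comes from
# Get-ADGroup $GroupName | Get-ADGroupMember -Recursive | Select-Object -ExpandProperty SamAccountName
$sampleMembers = 'user1', 'USER2', 'svc-backup'   # 'USER2' differs only in case; 'svc-backup' is unexpected

$result = Compare-GroupMembership -GroupName 'MyADGroup' `
                                  -AllowedMembers 'User1', 'User2', 'User3' `
                                  -ActualMembers  $sampleMembers

# Alert only on drift. An empty group reports every allowed member as missing instead of crashing.
if ($result.NotAllowed -or $result.MissingAllowed) {
    $body = @"
Group: $($result.Group)
Checked (UTC): $($result.CheckedAt)
Unexpected members: $($result.NotAllowed -join ', ')
Missing allowed members: $($result.MissingAllowed -join ', ')
"@
    # Send-MailMessage (or Write-EventLog, so the SIEM picks it up) would take $body here.
    Write-Output $body
}
```

Writing the same $body to the event log in addition to mailing it gives the change a timestamped record that survives even if the mail is missed.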