The following case is certainly not an everyday occurrence: the aim was to monitor an Active Directory group for certain members. Only very specific user accounts should be present in this group, and any additional or removed members should be reported.
I quickly created a small PowerShell script in which the users who should be in the Active Directory group are specified. Deviations from the configured list are reported by e-mail. If anyone can use something similar, here is my approach:
$ADGroup = "MyADGroup"
$AllowedMembers = @(
    'User1'
    'User2'
    'User3'
)
$SmtpServer = "smtp.frankysweb.local"
$From = "GroupWarning@frankysweb.de"
$To = "frank@frankysweb.de"
$Subject = "Warning"

#import AD modules
Import-Module ActiveDirectory

#fetch group members from AD (-Recursive also resolves members of nested groups)
$ADGroupMembers = Get-ADGroup $ADGroup | Get-ADGroupMember -Recursive | Select-Object SamAccountName,name

#compare group members with allowed members
#@(...) keeps an empty group from passing $null to Compare-Object, which would fail
$Difference = Compare-Object -ReferenceObject @($ADGroupMembers | Select-Object -ExpandProperty SamAccountName) -DifferenceObject $AllowedMembers

if ($Difference) {
    #"=>": user is on the allowed list, but not a member of the group
    $NotGroupMember = ($Difference | Where-Object {$_.SideIndicator -eq "=>"}).InputObject
    #"<=": user is a member of the group, but not on the allowed list
    $NotAllowedMember = ($Difference | Where-Object {$_.SideIndicator -eq "<="}).InputObject

    #build mail (<br> is needed because the body is sent as HTML, where plain line breaks are ignored)
    $Mail = "
    User is not allowed to be member of the group $ADGroup : $NotAllowedMember<br>
    User is allowed to be member of the group $ADGroup, but isn't member: $NotGroupMember
    "

    #send mail
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Body $Mail -BodyAsHtml -Subject $Subject
}
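As an added example (not the script from the post), here is the same check wrapped in a function that returns a structured result instead of only a mail body, tolerates an empty group, and writes each finding to the Application event log so a SIEM or log collector can alert on it alongside the e-mail. The group name, allowed list, event source name and event ID are placeholders.

```powershell
# Added example, not the original script. Requires the ActiveDirectory module and,
# on the first run, local admin rights to register the event source.
Import-Module ActiveDirectory

function Test-ADGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $AllowedMembers
    )
    # -Recursive resolves nested groups; @() keeps an empty group from becoming $null,
    # which would make Compare-Object fail
    $current = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty SamAccountName)

    # Compare-Object is case-insensitive by default, matching sAMAccountName semantics
    $diff = Compare-Object -ReferenceObject $current -DifferenceObject $AllowedMembers

    [pscustomobject]@{
        Group      = $GroupName
        Members    = $current
        # '<=' : in the group but not on the allowed list (the case worth alerting on)
        Unexpected = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
        # '=>' : on the allowed list but not (or no longer) in the group
        Missing    = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
    }
}

function Write-ADGroupFinding {
    param([Parameter(Mandatory)] $Result,
          [string] $Source = 'ADGroupWatch')   # placeholder event source name
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    $type = if ($Result.Unexpected) { 'Warning' } else { 'Information' }
    $msg  = "Group '{0}': unexpected members [{1}]; allowed but missing [{2}]; current members [{3}]" -f `
            $Result.Group, ($Result.Unexpected -join ', '), ($Result.Missing -join ', '), ($Result.Members -join ', ')
    # Event ID 4001 is an arbitrary placeholder; use whatever your SIEM rules key on
    Write-EventLog -LogName Application -Source $Source -EntryType $type -EventId 4001 -Message $msg
}

# Usage with the placeholder values from the post
$result = Test-ADGroupMembers -GroupName 'MyADGroup' -AllowedMembers @('User1', 'User2', 'User3')
if ($result.Unexpected -or $result.Missing) {
    Write-ADGroupFinding -Result $result
}
```

Logging the full current member list in the event gives the SIEM something to diff against over time, which a one-line mail alone does not.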
The script was then simply started every hour as a scheduled task. Perhaps someone can do something with it and use or modify it for themselves. Of course, this is no substitute for proper auditing; it is simply a short e-mail whenever the members of a group no longer match the list. The mail will look something like this:
Thanks for the script. That's exactly what I was looking for. Here's one small improvement:
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Body $Mail -BodyAsHtml -Subject $Subject -Encoding ([System.Text.Encoding]::UTF8)
Then the umlauts work too.
Thanks, really useful.
I don't want to know how many companies keep external service providers permanently in the Domain Admins group even though it isn't necessary at all (at least not permanently).
Best regards
P
Hi Frank,
I just tried it and it reports something wrong to me by e-mail.
Example: in "AllowedMembers" I entered "UserX", who is currently also the only member of the group "Group123".
Now I add "UserY" to the group as well and run the script.
I get an e-mail with the following content:
„User is not allowed to be member of the group Group123 : UserY User is allowed to be member of the group Group123, but isn’t member: „