
Monday, July 14, 2014

Report on Group Membership for Sensitive Groups

Here's another script I have that runs weekly and gives me a run-down of the accounts that are members of sensitive groups in Active Directory. I used Quest's ActiveRoles PowerShell snap-in for this. Quest is now owned by Dell, and you can find the plugin here.

I recommend that you run this to identify accounts that may have more access than you'd prefer. If you just add someone to a group temporarily, this can help save you from forgetting that they're a member (long term).

This covers #20 in my list of scheduled reports, which I highly suggest that you check out.

#-------------------BEGIN SCRIPT---------------------------

#Add the snapin
add-pssnapin Quest.ActiveRoles.ADManagement

#Specify a temp file, and remove any stale copy left over from a previous run
#(Add-Content appends, so old output would otherwise be mailed along with the new)
$TempFile = "c:\temp\GroupAudit.txt"
if (Test-Path $TempFile) { Remove-Item $TempFile }

#Here we list the groups that we'd like to display members for
$Groups = `
"DOMAIN\Administrators",
"DOMAIN\DnsAdmins",
"DOMAIN\Domain Admins",
"DOMAIN\Enterprise Admins",
"DOMAIN\Exchange Admins",
"DOMAIN\Schema Admins"

#For each group, add a header, then output the members of the group. Pipe everything to the temp file
Foreach ($Group in $Groups){
$Header = "`r`nThe current members of the $group group are:"
$Header | Add-Content $TempFile
get-qadgroup $Group | get-qadgroupmember | add-content $TempFile
} #End Foreach

#Get the content of the temp file to form the body of the email
$body = (get-content $TempFile | out-string)

#Specify Email variables
$From = "helpdesk@DOMAIN.org"
$Subject = "PS Report - Sensitive AD Group Memberships"
$To = "me@DOMAIN.org"
$SMTPServer = "smtpserver.DOMAIN.org"

#Send the email
Send-MailMessage -To $To -Subject $Subject -Body $body -From $From -SmtpServer $SMTPServer

#Delete the temp file
Remove-Item $TempFile

#-------------------END SCRIPT---------------------------
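As an added example (not the post's script), here is the same weekly report written against Microsoft's ActiveDirectory RSAT module instead of the Quest snap-in. It expands nested groups with -Recursive and keeps a CSV snapshot of the previous run, so the e-mail leads with who was added or removed since last week, which catches exactly the "temporary" membership that gets forgotten. The snapshot path, group names and mail addresses are assumptions; adjust them for your domain.

```powershell
# Added example, not the post's script: uses Microsoft's ActiveDirectory module,
# expands nested groups, and diffs against the previous run's snapshot so the
# mail leads with additions/removals. Paths, groups and addresses are assumed.
Import-Module ActiveDirectory

$SnapshotFile = 'C:\temp\GroupAudit\last.csv'      # assumed location
$Groups = 'Administrators', 'DnsAdmins', 'Domain Admins',
          'Enterprise Admins', 'Exchange Admins', 'Schema Admins'

function Get-SensitiveMembership {
    param([string[]]$GroupNames)
    foreach ($g in $GroupNames) {
        # -Recursive expands nested groups, so a user placed in a group that is
        # itself a member of Domain Admins still appears in the report.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
    }
}

function Get-MembershipChanges {
    param($Current, $Previous)
    # Keys are "Group|Member"; '=>' = present now but not before (added), '<=' = removed.
    $cur  = @($Current  | ForEach-Object { "$($_.Group)|$($_.Member)" })
    $prev = @($Previous | ForEach-Object { "$($_.Group)|$($_.Member)" })
    Compare-Object -ReferenceObject $prev -DifferenceObject $cur | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($_.InputObject)"
    }
}

$current  = @(Get-SensitiveMembership -GroupNames $Groups)
$previous = @()
if (Test-Path $SnapshotFile) { $previous = @(Import-Csv $SnapshotFile) }

$changes = @(Get-MembershipChanges -Current $current -Previous $previous)
if ($changes.Count -eq 0) { $changes = @('No membership changes since last run.') }

$body  = "Changes since last run:`r`n" + ($changes -join "`r`n")
$body += "`r`n`r`nFull membership:`r`n"
$body += ($current | ForEach-Object { "$($_.Group): $($_.Member)" }) -join "`r`n"

# Save this run as the baseline for next week's comparison, then send the report.
New-Item -ItemType Directory -Path (Split-Path $SnapshotFile) -Force | Out-Null
$current | Export-Csv -Path $SnapshotFile -NoTypeInformation
Send-MailMessage -From 'helpdesk@DOMAIN.org' -To 'me@DOMAIN.org' `
    -SmtpServer 'smtpserver.DOMAIN.org' `
    -Subject 'PS Report - Sensitive AD Group Changes' -Body $body
```

On the first run there is no snapshot, so every current member shows as ADDED; from the second run on, the change list is the part worth reading each week.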
