Update The most recent update is available on Github

I found some time to update the script Monitor Active Directory Membership changes. This is now the version 1.6.

As a reminder, this script allows you to monitor Active Directory groups membership changes. It will send you a report via email only when a change occur. I explained in details in my last post how the script work.

See also my previous blogposts:

1.6 Changes

Support for Organization Unit path(s) SearchRoot parameter You can know specify a Distinguished Name (DN) or a Canonical Name where all the groups you want to monitor are located. SearchScope parameter Base : Limits the search to the base (SearchRoot) object.The result contains a maximum of one object. OneLevel : Searches the immediate child objects of the base (SearchRoot) object, excluding the base object. Subtree : Searches the whole sub-tree, including the base (SearchRoot) object and all its child objects. GroupScope parameter Specify the group scope of groups you want to find. Acceptable values are : Global Universal DomainLocal GroupType parameter Specify the group type of groups you want to find. Acceptable values are: Security Distribution

Support for File(s) Input Specify the File where the Group are listed. DN, SID, GUID, or Domain\Name of the group are accepted

Update of the ParameterSetNames Group Organization Unit List

Change History files changes In the previous version, a file was generate for each change of each group, I decided to use only one file per group for the change history. The script will just append the new information to it. Membership and Changes History files changes ADD Properties DisplayName and the DateTime

Reporting changes ADD Additional information on the Group ADD Title include the DOMAIN\GroupName [MailAddress] type which is available in PowerShell v3.0 has been removed on the parameter $Emailto and $EmailFrom to allow support on PowerShell 2.0. This is actually replaced by aRegular Expression validation

… and some more minors other changes…

Note: Unfortunately, if you were already using the script, this update won’t work with the old ChangeHistory.csv files (So you will need to archives the old ones in another directory). I added some properties and decided to keep only one file per group to track the change history, these changes are not compatible with the old files (previous to version 1.6)

Requirements

PowerShell v3.0

PowerShell Snapin from Quest : ActiveRoles Management Shell for Active Directory

A Scheduled Task to run every X minutes

Permission to Read Group(s) Membership in AD

Permission to write CSV files locally

EmailTo and EmailFrom must have an Email Format (Regex validation). [email protected] won’t work

Report Example

Here is a quick example of report generated by the script.

Changes:

Email Subject contains the DOMAIN\GROUPNAME

Add some Information about the group

Columns in Membership Change and Change History now matche

New Columns DisplayName and DateTime

Using the script

In the following example I’m playing with two test groups: FXGROUP01 and FXGROUP02

For my test, I placed the script in the directory C:\LazyWinAdmin\Tool-Monitor-AD_Groups

Running the script the first time

You will notice that the script is creating folders and files. At this point you won’t get any email report.

VERBOSE: Creating the Output Folder : C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\Output VERBOSE: Creating the ChangeHistory Folder : C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\ChangeHistory VERBOSE: GROUP: FXGroup01 VERBOSE: FXGroup01 - The following file did not exist: FX_FXGROUP01-membership.csv VERBOSE: FXGroup01 - Exporting the current membership information into the file: FX_FXGROUP01-membership.csv VERBOSE: FXGroup01 - Comparing Current and Before VERBOSE: FXGroup01 - Compare Block Done ! VERBOSE: FXGroup01 - No Change VERBOSE: GROUP: FXGroup02 VERBOSE: FXGroup02 - The following file did not exist: FX_FXGROUP02-membership.csv VERBOSE: FXGroup02 - Exporting the current membership information into the file: FX_FXGROUP02-membership.csv VERBOSE: FXGroup02 - Comparing Current and Before VERBOSE: FXGroup02 - Compare Block Done ! VERBOSE: FXGroup02 - No Change VERBOSE: Script Completed

Two directories and two files are created:

2 FilesFor each of the groupwe just queried FXGROUP01 and FXGROUP02 . Since these groups are currently empty, the script will add the value “No User or Group” in both files.

and . Since these groups are currently empty, the script will add the value “No User or Group” in both files. *OUTPUT Directory *Each time the script run, It query the group membership in the Active Directory and save the current membership in the files (It won’t touch the file if it’s the same membership at each check).

CHANGEHISTORY Directory contains the list of changes observed by the script. One file per Group per domain, if multiple changes occur, the script will append the change in the same file. Output Directorycontains the 2 files for each monitored groups

Each file contains the current membership of each groups. Since these are empty the script just create the following file with two properties* SamAccountName* and Name with the value “No User or Group”

The ChangeHistory Directory is empty at this point since no change was observed by the script.

Running the script a second time (without change on the groups)

If I re-run the script we will get the following output. The script does not see any change in the membership by comparing the content of the file FX_FXGROUP01-membership.csv and the current membership in Active Directory for this group.

Running the script after a change

Ok now let’s make one change and add one account in FXGROUP01 and run the script again.

VERBOSE: GROUP: FXGroup01 VERBOSE: FXGroup01 - The following file Exists: FX_FXGROUP01-membership.csv VERBOSE: FXGroup01 - Comparing Current and Before VERBOSE: FXGroup01 - Compare Block Done ! VERBOSE: FXGroup01 - Some changes found DateTime : 20131118-08:51:10 State : Removed DisplayName : SamAccountName : No User or Group DN : DateTime : 20131118-08:51:10 State : Added DisplayName : SamAccountName : fxtest DN : CN=fxtest,CN=Users,DC=FX,DC=LAB VERBOSE: FXGroup01 - Get the change history for this group VERBOSE: FXGroup01 - Change history files: 0 VERBOSE: FXGroup01 - Save changes to a ChangesHistory file VERBOSE: FXGroup01 - Preparing the notification email... VERBOSE: FXGroup01 - Email Sent. VERBOSE: FXGroup01 - Exporting the current membership to FX_FXGROUP01-membership.csv VERBOSE: GROUP: FXGroup02 VERBOSE: FXGroup02 - The following file Exists: FX_FXGROUP02-membership.csv VERBOSE: FXGroup02 - Comparing Current and Before VERBOSE: FXGroup02 - Compare Block Done ! VERBOSE: FXGroup02 - No Change VERBOSE: Script Completed

As you can see One account was added “fxtest” and the default “No User or Group” was removed by the script

Let’s make another change to this group, add another user.

VERBOSE: GROUP: FXGroup01 VERBOSE: FXGroup01 - The following file Exists: FX_FXGROUP01-membership.csv VERBOSE: FXGroup01 - Comparing Current and Before VERBOSE: FXGroup01 - Compare Block Done ! VERBOSE: FXGroup01 - Some changes found DateTime : 20131118-09:02:49 State : Added DisplayName : SamAccountName : AnneD DN : CN=AnneD,CN=Users,DC=FX,DC=LAB VERBOSE: FXGroup01 - Get the change history for this group VERBOSE: FXGroup01 - Change history files: 1 VERBOSE: FXGroup01 - Change history files - Loading C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\ChangeHistory\FX_FXGROUP01-ChangeHistory.csv VERBOSE: FXGroup01 - Change history process completed VERBOSE: FXGroup01 - Save changes to a ChangesHistory file VERBOSE: FXGroup01 - Preparing the notification email... VERBOSE: FXGroup01 - Email Sent. VERBOSE: FXGroup01 - Exporting the current membership to FX_FXGROUP01-membership.csv VERBOSE: GROUP: FXGroup02 VERBOSE: FXGroup02 - The following file Exists: FX_FXGROUP02-membership.csv VERBOSE: FXGroup02 - Comparing Current and Before VERBOSE: FXGroup02 - Compare Block Done ! VERBOSE: FXGroup02 - No Change VERBOSE: Script Completed

Here is the report generated

Notice this time, the report contains a section called “Change History” so you’ll be able to know which previous changes were made.

Using the SearchRoot parameter (Organization Unit path)

VERBOSE: OU: FX.LAB/TEST/Groups VERBOSE: GROUP: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - The following file Exists: FX_FXGROUP01-membership.csv VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - Comparing Current and Before VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - Compare Block Done ! VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - No Change VERBOSE: GROUP: CN=FXGROUP02,OU=Groups,OU=TEST,DC=FX,DC=LAB VERBOSE: CN=FXGROUP02,OU=Groups,OU=TEST,DC=FX,DC=LAB - The following file Exists: FX_FXGROUP02-membership.csv VERBOSE: CN=FXGROUP02,OU=Groups,OU=TEST,DC=FX,DC=LAB - Comparing Current and Before VERBOSE: CN=FXGROUP02,OU=Groups,OU=TEST,DC=FX,DC=LAB - Compare Block Done ! VERBOSE: CN=FXGROUP02,OU=Groups,OU=TEST,DC=FX,DC=LAB - No Change VERBOSE: Script Completed

Using the File parameter

VERBOSE: Loading File: .\groupslist.txt VERBOSE: GROUP: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - The following file Exists: FX_FXGROUP01-membership.csv VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - Comparing Current and Before VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - Compare Block Done ! VERBOSE: CN=FXGROUP01,OU=Groups,OU=TEST,DC=FX,DC=LAB - No Change VERBOSE: GROUP: FXGROUP02 VERBOSE: FXGROUP02 - The following file Exists: FX_FXGROUP02-membership.csv VERBOSE: FXGROUP02 - Comparing Current and Before VERBOSE: FXGROUP02 - Compare Block Done ! VERBOSE: FXGROUP02 - No Change VERBOSE: Script Completed

Syntax

There are three different ParameterSetNames, so you will see three different SYNTAX.

Group

SearchRoot (Organization Unit path)

File

SYNTAX C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\TOOL-MONITOR-AD_Group.ps1 -Group <String[]> -Emailfrom <String> -Emailto <String[]> -EmailServer <String> [<CommonParameters>] C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\TOOL-MONITOR-AD_Group.ps1 -SearchRoot <String[]> [-SearchScope <String>] [-GroupScope <String>] [-GroupType <String>] -Emailfrom <String> -Emailto <String[]> -EmailServer <String> [<CommonParameters>] C:\LazyWinAdmin\TOOL-MONITOR-AD_Group\TOOL-MONITOR-AD_Group.ps1 -File <String[]> -Emailfrom <String> -Emailto <String[]> -EmailServer <String> [<CommonParameters>]

Help

Download