Monitoring Domain Group Membership Changes

I encountered a scenario at work where I had to monitor any changes performed on an account’s active directory membership groups on a daily/weekly basis. I believe there may be some out-of-box-experience solutions for this; however, I was recently moved into a new environment and I felt the quickest way to achieve this was through Powershell.

The script’s logic works around two text files, the first text file has a dump of all the group memberships at a certain time period, let’s say at the beginning of the month. The second file is a dump of all group memberships at the time of the script’s execution – the script works by comparing the newly created dump file of group memberships with the older dump file and displaying the differences if any. Since the second file is generated each time the script is executed, the script will also delete it upon exit, allowing for a clean slate for the next execution of the script. Lastly, the script will also email the results to you via SMTP protocol for a close to real-time notification.

I then set this script to run within a Windows Scheduled Task on a daily basis so that each day I would receive an email of any changes to the domain account.

Also, please keep in mind that in order to use the Get-ADUser cmdlet, you need to do Import-Module ActiveDirectory. If you try to Import-Module ActiveDirectory and it fails then you may need to enable theĀ “Active Directory Module for Windows PowerShell” under Remote Server Administration Tools in Add/Remove Windows Features within your Control Panel. There are a handful of internet blogs that explain this step.

Here are some snippets of the script’s execution:

The script found no differences between the two files.

The script found differences in the two files, note that if there are differences, they are only shown in the email sent.

Here the first file was not found and the script prompted the user to create it. After it was created, the script went on to check the differences if any.


Leave a Reply

Be the First to Comment!

Notify of