Active Directory group membership audit

Georgi Geshev 1 Reputation point


We have different user types: i.e. agent, team lead, QA, trainer etc.
Each of those is supposed to have certain AD group membership as a baseline:
Agent - group: A, B, C, D, E
Team Lead: F, G, H, X, Y, Z

The issue is that some agents are being transferred from one project to a different one and no group memberships are removed; they're just added.

The question is if there is a way (i.e. by PowerShell) or a tool to audit these (not one by one) - check current group membership against a baseline?

Thanks in advance!


1 answer

  1. Limitless Technology 39,461 Reputation points


    I would suggest you have a look at the PowerShell script below, which will list the users who are members of those groups.

    After that, you can do some Excel filtering to audit the group memberships as per the baseline.

    Import-Module ActiveDirectory
    # Groups to report on
    $groups = "MYGroup1", "MYGroup2", "MYGroup3", "MYGroup4"
    $results = foreach ($group in $groups) {
        # One row per member, tagged with the group's name and description
        Get-ADGroupMember $group | Select-Object samaccountname, name, @{n='GroupName';e={$group}}, @{n='Description';e={(Get-ADGroup $group -Properties description).description}}
    }
    $results | Export-Csv C:\Temp\MYGroupMemberShip.txt -NoTypeInformation

    If the reply was helpful, please don’t forget to upvote or accept as answer.

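An added example, not part of either post above: one way to do the baseline comparison in PowerShell instead of Excel, taking rows shaped like the answer's CSV export and reporting, per account, the groups held beyond the role's baseline and the baseline groups that are missing. The role baselines are the ones listed in the question; the `$roleOf` mapping, the account names and the sample rows are constructed, and `Compare-GroupBaseline` is a hypothetical helper name.

```powershell
# Baselines from the question: role -> groups that role is supposed to have.
$baseline = @{
    'Agent'     = 'A', 'B', 'C', 'D', 'E'
    'Team Lead' = 'F', 'G', 'H', 'X', 'Y', 'Z'
}

# ASSUMPTION: each account's role is known from HR data or an AD attribute.
$roleOf = @{ 'jdoe' = 'Agent'; 'asmith' = 'Team Lead' }   # constructed accounts

# Constructed rows in the shape of the answer's export. With real data use
#   $rows = Import-Csv C:\Temp\MYGroupMemberShip.txt
# and make sure the export's $groups list holds every group of every role.
$rows = @'
samaccountname,GroupName
jdoe,A
jdoe,B
jdoe,C
jdoe,D
jdoe,E
jdoe,F
asmith,A
asmith,F
asmith,G
asmith,H
asmith,X
asmith,Y
'@ | ConvertFrom-Csv

function Compare-GroupBaseline {
    param($Rows, [hashtable]$RoleOf, [hashtable]$Baseline)
    foreach ($sam in ($RoleOf.Keys | Sort-Object)) {
        $role = $RoleOf[$sam]
        if (-not $Baseline.ContainsKey($role)) {
            Write-Warning "No baseline defined for role '$role' ($sam)"
            continue
        }
        $expected = @($Baseline[$role])
        $current  = @($Rows | Where-Object samaccountname -eq $sam | ForEach-Object GroupName | Sort-Object -Unique)
        [pscustomobject]@{
            SamAccountName = $sam
            Role           = $role
            Extra          = @($current  | Where-Object { $_ -notin $expected }) -join ', '
            Missing        = @($expected | Where-Object { $_ -notin $current })  -join ', '
        }
    }
}

# Show only the accounts that drift from their role's baseline.
Compare-GroupBaseline -Rows $rows -RoleOf $roleOf -Baseline $baseline | Where-Object { $_.Extra -or $_.Missing }
```

`Get-ADGroupMember` returns direct members only unless `-Recursive` is given, so membership inherited through nested groups does not show up in the export or in this comparison.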