Get the output of a command into a string

David Marques 41 Reputation points
2021-09-23T10:40:33.013+00:00

Hi,

I'm new to PowerShell and trying to automate some simple tasks.
So basically I need to create a script to check for newly added users in my AD for the last x days (this is already done), and then check each of those new users to see if they have been added to privileged groups, like Domain Admins, Enterprise Admins or Schema Admins, and raise a warning if any of those new users are in those groups.

I have the first part, which checks for newly added users, created and outputting to the terminal, but now I need to put those SamAccountNames into a variable so that I can use that variable to check each user's groups. How can I do that?

Or is there any other easier approach?

Thanks


Accepted answer
  1. Rich Matheisen 47,901 Reputation points
    2021-09-24T15:08:50.437+00:00

    "Console output" is pointless in a scheduled task.

    $privilegedgroupnames = 'Domain Admins', 'Schema Admins', 'Administrators', 'Group Policy Creator Owners'
    Write-Host "Users created on the last 30 days!"
    $When = (Get-Date).Date.AddDays(-30)
    $Alerts = Get-ADUser -Filter { whenCreated -ge $When } -Properties whenCreated |
                  ForEach-Object {
                      $user = $_    # keep the whole user object so SamAccountName is still available inside the inner loop
                      Get-ADPrincipalGroupMembership $user.distinguishedName |
                          ForEach-Object {
                              if ($privilegedgroupnames -contains $_.name) {
                                  [PSCustomObject]@{
                                      UserName        = $user.SamAccountName
                                      PrivilegedGroup = $_.name
                                  }
                              }
                          }
                  }
    if ($Alerts) {
    $body = @"
    These users have been found in privileged groups:
    $($Alerts | Out-String)
    "@
        # the closing "@ of the here-string must be at the start of its line
        Send-MailMessage -To '******@yourdomain.tld' -From '******@yourdomain.tld' -SmtpServer your.email.server.yourdomain.tld -Subject 'New users in privileged groups' -Body $body
    }
    

6 additional answers

  1. Limitless Technology 39,916 Reputation points
    2021-09-23T13:24:28.53+00:00

    Hello,

    I believe creating an AD user is not a daily task.
    You can use the simple PowerShell below to get users created in AD in the last 30 days and redirect its output to CSV,
    then you can schedule it to run from Task Scheduler at a specified time.

    $When = ((Get-Date).AddDays(-30)).Date
    Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated | FT Name, whenCreated -Autosize


    --If the reply is helpful, please Upvote and Accept as answer--


  2. David Marques 41 Reputation points
    2021-09-23T13:31:49.033+00:00

    Hi,

    Thanks for your reply.
    Well, in a big structure, creating AD users happens more or less daily :)

    Anyway, the script for checking the AD users created in the last x days is already done. Now what I need is the next step, which is to check, for each new user, whether they are part of privileged groups, like Domain Admins.

    For example, let's imagine that in the last 7 days the following users were created:

    Name     WhenCreated
    ----     -----------
    User 01  17/09/2021 16:36:59
    User 01  20/09/2021 10:02:27
    User 03  20/09/2021 14:53:57
    User 04  20/09/2021 15:46:31

    What I need next is to be able to use the command "Get-ADPrincipalGroupMembership" for each user and check whether the results show they are part of "Domain Admins", for example.

    Thanks


  3. Rich Matheisen 47,901 Reputation points
    2021-09-23T14:57:07.467+00:00

    Something like this might be a starting point:

    $privilegedgroupnames = 'Domain Admins', 'Schema Admins', 'Administrators', 'Group Policy Creator Owners'
    
    $When = (Get-Date).Date.AddDays(-30)
    Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated | 
        ForEach-Object{
            Get-ADPrincipalGroupMembership $_.distinguishedName |
                ForEach-Object {
                    if ($privilegedgroupnames -contains $_.name){
                        # do something here
                    }
                }
        }
    

  4. David Marques 41 Reputation points
    2021-09-23T16:00:12.473+00:00

    @Rich Matheisen

    Thanks, that was what I was looking for.
    Just a minor issue here. For example, if I replace the # do something here area with:
    Write-Output $_.name
    I get 2 results, which I know are from 1 user. But if I also write the command Write-Output $_.UserPrincipalName in the same area, it doesn't write the UPN to the console, so I can't know which user is a Domain Admin, for example.

    What I'm looking for is to get something like:
    User 1 - Domain Admin
    User 1 - Administrators
    User 2 - Domain Admin
    ......

    So then I can ship this information by email to myself and to another user.

    Thanks
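An added example, not code from anyone in this thread, that produces the "User 1 - Domain Admin" list asked for above and captures it in a variable as the accepted answer does. It goes one step further than the thread: it expands each privileged group recursively, so a new user dropped into a group that is itself nested inside Domain Admins is still flagged, which Get-ADPrincipalGroupMembership (direct membership only) would miss. The group names, mail addresses and SMTP server are placeholders; the ActiveDirectory module and read access to group membership are assumed.

```powershell
# Added example, not from the thread. Flags users created in the last $Days days
# that belong, directly or via nested groups, to any of the privileged groups.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Group Policy Creator Owners'   # placeholders; adjust per domain
$Days = 7

function Get-PrivilegedMembershipAlerts {
    param([string[]]$GroupNames, [int]$DaysBack)

    # Expand each privileged group once, recursively. Get-ADPrincipalGroupMembership
    # only reports direct membership, so nested placement would slip past it.
    $privilegedMembers = @{}   # key: user DN, value: list of privileged groups it resolves into
    foreach ($groupName in $GroupNames) {
        # -Identity accepts the group's SamAccountName; names absent from this domain are skipped
        Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $privilegedMembers.ContainsKey($_.distinguishedName)) {
                    $privilegedMembers[$_.distinguishedName] = [System.Collections.Generic.List[string]]::new()
                }
                $privilegedMembers[$_.distinguishedName].Add($groupName)
            }
    }

    # Capture the cmdlet output in a variable instead of printing it to the console
    $since = (Get-Date).Date.AddDays(-$DaysBack)
    $newUsers = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated

    foreach ($user in $newUsers) {
        if ($privilegedMembers.ContainsKey($user.DistinguishedName)) {
            foreach ($g in $privilegedMembers[$user.DistinguishedName]) {
                [PSCustomObject]@{
                    SamAccountName  = $user.SamAccountName
                    WhenCreated     = $user.whenCreated
                    PrivilegedGroup = $g
                }
            }
        }
    }
}

$Alerts = Get-PrivilegedMembershipAlerts -GroupNames $PrivilegedGroups -DaysBack $Days
if ($Alerts) {
    # One "user - group" line per hit, the format requested in the thread
    $body = $Alerts | ForEach-Object { "$($_.SamAccountName) - $($_.PrivilegedGroup)" } | Out-String
    Send-MailMessage -To 'secops@yourdomain.tld' -From 'adaudit@yourdomain.tld' `
        -SmtpServer 'smtp.yourdomain.tld' -Subject 'New users in privileged groups' -Body $body
}
```

If the script runs from Task Scheduler, also pipe $Alerts to Export-Csv so the hits are kept on disk even when mail delivery fails.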

