Monitoring Groups with PowerShell

A good friend asked me to sketch a quick script to monitor changes in group membership in Active Directory.

It turned out rough, but it works. The logic of the script is simple:

  • On the first run, create a text file per group holding its member names.
  • On the next run, compare the current membership with what is stored in the old file.
  • If there are differences, write them to the report file.
  • Overwrite the old file with the group's current membership.

Note: I will make changes as the script gets "run in".

# Add the snapin for Quest
Add-PSSnapin Quest.ActiveRoles.ADManagement

# set date format
$currentDate = Get-Date -Format M.d.yyyy

# specify the correct path and file
$reportFolder = "D:\Scripts\Powershell\GroupCheck\"
$report = "D:\Scripts\Powershell\$($currentDate)_report.txt"

# collect information about groups
$groups = Get-QADGroup -SizeLimit 0
$PreviousDay = @{}

# compare function: both lists hold NTAccountName strings, so Compare-Object
# matches them by value and InputObject is the account name on either side
function CompareResults ($query, $group) {
        foreach ($result in $query) {
                # the user was added to the group
                if ($result.SideIndicator -eq "=>") {
                        Write-Output "User added – $($result.InputObject)"
                        "Group $($group). add user – $($result.InputObject)" | Out-File -Append $report
                }
                # the user was removed from the group
                if ($result.SideIndicator -eq "<=") {
                        Write-Output "User removed – $($result.InputObject)"
                        "Group $($group). remove user – $($result.InputObject)" | Out-File -Append $report
                }
        }
}

foreach ($group in $groups) {
        # one snapshot file per group, named after the group
        $groupName = $group.Name
        $fileName = $reportFolder + $groupName + ".txt"
        if (!(Test-Path $fileName)) {
                New-Item $fileName -ItemType file -Force | Out-Null
        }
        $PreviousDay[$groupName] = Get-Content $fileName

        # current members as NTAccountName strings, previous members as read from the file
        $MemberList = Get-QADGroupMember $group -SizeLimit 0 | Select-Object -ExpandProperty NTAccountName
        $PreviousList = Get-Content $fileName

        if (($null -ne $MemberList) -and ($null -eq $PreviousList)) {
                # nothing stored yet (first run, or the group was empty last time): every member counts as added
                foreach ($user in $MemberList) {
                        Write-Output "$($groupName): Add user – $user"
                }
        } elseif (($null -eq $MemberList) -and ($null -ne $PreviousList)) {
                # the group is empty now: everyone from the old file counts as removed
                foreach ($user in $PreviousList) {
                        Write-Output "$($groupName): Remove user – $user"
                }
        } elseif (($null -ne $MemberList) -and ($null -ne $PreviousList)) {
                # analysis group
                Write-Output "Check group – $($groupName)"
                $DiffResult = Compare-Object -ReferenceObject $PreviousList -DifferenceObject $MemberList
                CompareResults $DiffResult $groupName
        } else {
                # empty group
                Write-Output "Group $groupName – has no members"
        }
        # overwrite the snapshot with the current membership for the next run
        $MemberList | Out-File $fileName
}
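An added example, not code from the original post: the snapshot comparison pulled out into a function and run against constructed member lists, so the cases the script branches on (first run, emptied group, changed group, empty group) can be checked without an AD connection. The group and account names are made up.

```powershell
# Added example (not part of the original script). Both sides are plain
# NTAccountName strings, so Compare-Object matches them by value; comparing
# strings against member objects would flag every entry as both added and removed.
function Compare-GroupSnapshot {
    param(
        [string]$GroupName,
        [string[]]$Previous = @(),   # names read from the previous run's file
        [string[]]$Current  = @()    # names collected from AD on this run
    )
    # Drop blank entries (Get-Content on an empty file yields nothing).
    $prev = @($Previous | Where-Object { $_ })
    $curr = @($Current  | Where-Object { $_ })
    $out = @()
    # Compare-Object rejects an empty -ReferenceObject or -DifferenceObject,
    # so the one-sided cases are handled explicitly, as the script does.
    if ($prev.Count -eq 0 -and $curr.Count -eq 0) { return $out }   # empty group
    if ($prev.Count -eq 0)     { $added = $curr; $removed = @() }   # first run
    elseif ($curr.Count -eq 0) { $added = @();   $removed = $prev } # emptied group
    else {
        $diff    = Compare-Object -ReferenceObject $prev -DifferenceObject $curr
        $added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | Select-Object -ExpandProperty InputObject)
        $removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object -ExpandProperty InputObject)
    }
    foreach ($m in $added)   { $out += [pscustomobject]@{ Group = $GroupName; Change = 'Added';   Member = $m } }
    foreach ($m in $removed) { $out += [pscustomobject]@{ Group = $GroupName; Change = 'Removed'; Member = $m } }
    return $out
}

# Constructed snapshots standing in for the previous run's file and today's AD query.
$previous = @('CORP\alice', 'CORP\bob', 'CORP\svc-backup')
$current  = @('CORP\alice', 'CORP\svc-backup', 'CORP\mallory')
$changes  = @(Compare-GroupSnapshot -GroupName 'Domain Admins' -Previous $previous -Current $current)
# Two rows: bob Removed, mallory Added
$changes | Format-Table -AutoSize

# First run for a group (no stored file): every current member is reported as added.
Compare-GroupSnapshot -GroupName 'Backup Operators' -Previous @() -Current @('CORP\carol') | Format-Table -AutoSize
```

The returned objects can be piped to Out-File in place of the report strings the script writes, or to Export-Csv if the report is to be consumed by a SIEM.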
