This article walks you through auditing Active Directory group membership changes with PowerShell and Windows auditing.
When auditing group memberships, remember that not every group needs to be in the monitoring scope. Only certain groups, typically the privileged ones, need an alert whenever a person is added to or removed from their membership list.
The cmdlet below lists who belongs to a given group: Get-ADGroupMember -Identity 'Enterprise Admins' | Select-Object DistinguishedName
Active Directory updates are frequent, particularly as an organization becomes larger. Active Directory is a crucial component of every business, and it’s essential to make sure the proper people are in the right groups. Fortunately, you’ve found the ideal spot to track Active Directory group membership changes.
You’ll learn how to detect changes in group membership in Active Directory in this article. You’ll do so by creating an audit policy and searching the Windows event log using PowerShell.
Let’s get this party started!
Prerequisites
This tutorial is a hands-on guide. If you want to follow along, make sure you have the following:
- This article uses Windows Server 2019, but domain controllers (DCs) running Windows Server 2008 R2 or later should work as well. The lesson uses the domain test.local, which has two DCs, DC01 and DC02.
- PowerShell installed on a domain-joined Windows PC. This lesson uses Windows 10 and Windows PowerShell 5.1.
- An Active Directory user account whose group membership you can modify. This tutorial uses the User1 account.
- A domain user account that belongs to the Domain Admins group.
Creating and Implementing an Audit Policy
To audit changes to group membership in Active Directory, you must first make sure those changes are recorded. Many essential events are not written to the event log by default. You must configure an audit policy that tells Windows to record Active Directory group membership changes.
By default, Windows and its services do not write some events to the Windows event log; an audit policy is a set of rules that directs them to. Once the audit policy is created, you assign it to the target computers (the domain controllers, in this case) using Group Policy.
Let’s begin by setting up an audit policy that forces Windows to report key group membership changes in the Windows event log.
You must first build a Group Policy Object (GPO) and then specify the audit policy inside the GPO.
On a domain controller or a domain-joined workstation with the Remote Server Administration Tools (RSAT) installed:
1. In the Group Policy Management Console (GPMC), establish a new GPO and link it to the Domain Controllers’ organizational unit (OU), naming it Audit Group Membership Changes.
2. Open the GPO and expand Computer Configuration —> Windows Settings —> Advanced Audit Policy Configuration —> Audit Policies.
As you can see below, clicking on each category, such as Account Logon, DS Access, and System, brings up more specific categories on the righthand pane.
Navigating to the Audit Policies node
3. In the left window, choose Account Management, and in the right window, select the Audit Security Group Management subcategory.
4. Tick Configure the following audit events and select both the Success and Failure boxes. When this audit policy is applied to a system, every attempt to modify a group is logged, both successful and failed attempts, such as when a user tries to make a change but lacks permission.
Group Membership Auditing
5. Close the GPO by clicking OK in the Audit Security Group Management Properties box. You now have a GPO with an audit policy set up and ready to use!
The GPO is linked to the Domain Controllers OU, so whenever you change the GPO, each DC in that OU picks it up during its normal Group Policy refresh.
Auditing Group Membership Change Events with Windows Event Viewer
Let’s make a modification and test the audit policy now that you’ve developed it and tied it to the Domain Controllers OU.
On a domain controller or a domain-joined workstation with the Remote Server Administration Tools (RSAT) installed:
1. Go to Active Directory Users and Computers (ADUC) and create any test user account. This tutorial will utilize the User1 account.
2. Open the user's properties and select the Member Of tab. Every group the user belongs to is listed here. To add the user to the Enterprise Admins group, click Add, enter Enterprise Admins, and click OK.
User1 has been added to the Enterprise Admins Group.
3. Open Windows Event Viewer, expand Windows Logs, and select the Security event log.
Windows Event Viewer
Windows should have logged an event with the ID of 4756 in the events pane.
Security event log
When an Active Directory group is modified, one of three events is logged in the Security event log depending on the scope of the group: 4728 for a global group, 4732 for a domain-local group, and 4756 for a universal group.
4. Open the event with ID 4756 to view all of the information Windows has about this specific group membership change event.
- Subject: the user who made the change. This shows the account you are logged in with.
- Member: the user affected by the change. Here it is User1.
- Group: the group the member was added to. Here it is Enterprise Admins.
Changes in group membership are tracked by Event ID 4756.
Auditing Group Membership Change Events with PowerShell
Now that your domain controllers are logging group membership change events to the Windows event log, you don't have to rely on Event Viewer alone. You can use PowerShell too!
If you’re still on the DC’s desktop, do the following:
1. Run PowerShell in Windows.
2. Run the Get-WinEvent cmdlet to query the Security event log for all events with ID 4756, as shown below. This command returns all group membership change events for universal groups.
For global groups, change the ID value to 4728; for domain-local groups, change it to 4732.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4756}
FilterHashtable takes a hashtable of key-value pairs as input, such as @{Key1='Value1'; Key2='Value2'}.
3. If you don’t want to observe updates to all Active Directory groups, use the Where-Object cmdlet to restrict the result by searching for the string Enterprise Admins in the Message property, as shown below.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4756} | Where-Object {$_.Message -like '*Enterprise Admins*'} | Format-Table -AutoSize -Wrap
All events when the Enterprise Admins group membership has changed will be returned by PowerShell.
Examining Security Logs for Enterprise Admins
Monitoring Active Directory Administrative Groups
You learnt how to audit group membership changes in Active Directory for a single group in the previous section. Why not monitor all built-in groups in Active Directory now that it went so well?
Identifying Active Directory Default (Administrative) Groups
Active Directory ships with a set of administrative groups. Any user in one of these groups can be granted privileged rights. Let's start by working out how to locate all of these administrative groups.
To locate them, you first need to find what they have in common: a pattern in their security identifier (SID). Every Active Directory object has its own SID, and Windows refers to objects by SID rather than by group name.
The SID of every built-in Active Directory administrative security group ends in a Relative Identifier (RID) below 1000. Knowing this, you can write some PowerShell to locate them.
Assuming that PowerShell is still running on the domain controller:
1. Use the Get-ADGroup command to get just the SID of the group, as shown below.
(Get-ADGroup 'Enterprise Admins').SID
The SID is split into two components in the screenshot below: the domain SID and the RID.
Obtaining the SID of the Group
All objects in the same domain have the same domain SID; only the RID changes.
2. Now, using the same command, search for all groups with a RID below 1000 to get a complete list of Active Directory administrative groups.
## Find the domain SID to use in the filter
$LocalDomain = (Get-ADDomain).DomainSID
## Search for all AD groups, ensuring the objectSid property is returned.
## Then filter the results to SIDs ending in a dash and three digits (RID below 1000)
## that are longer than the domain SID, i.e. domain groups rather than well-known SIDs.
Get-ADGroup -Properties objectSid -Filter * |
    Where-Object { ($_.ObjectSid.Value -match '-\d{3}$') -and ($_.ObjectSid.Value.Length -gt $LocalDomain.Value.Length) } |
    Select-Object Name, ObjectSid, GroupScope
Active Directory security group SIDs
Using PowerShell to Audit All Administrative Group Changes
You now have the PowerShell code to query the event log and the code to discover all administrative groups from the previous section. Let’s put them together to make a useful PowerShell utility.
Copy/paste the following script into your preferred code editor and save it. The code explanations are completely inline.
## Create an array to save all events
$EventsResult = @()
## Find the domain SID to filter administrative groups
$LocalDomain = (Get-ADDomain).DomainSID
## Define the earliest event date to search from
$dateFrom = (Get-Date).AddDays(-1)
## Find all of the AD administrative groups (domain groups whose RID is below 1000)
$ADAdminGroups = (Get-ADGroup -Properties objectSid -Filter * |
    Where-Object { ($_.ObjectSid.Value -match '-\d{3}$') -and ($_.ObjectSid.Value.Length -gt $LocalDomain.Value.Length) }).Name
## Query the Security event log for all events with IDs 4728, 4732 or 4756
## that start from $dateFrom and end right now. Get-WinEvent reports an error
## when nothing matches, so that case is silenced and treated as "no events".
$PossibleEvents = Get-WinEvent -FilterHashtable @{ Id = 4728, 4732, 4756; LogName = 'Security'; StartTime = $dateFrom; EndTime = (Get-Date) } -ErrorAction SilentlyContinue
## Begin processing each Windows event found
foreach ($Evt in $PossibleEvents) {
    ## Check if the event was for a membership change for an administrative group
    ## (group names are escaped so they are matched literally, not as regex)
    if ($ADAdminGroups | Where-Object { $Evt.Message -match [regex]::Escape($_) }) {
        ## If so, add an object with the time of the event and its details to the $EventsResult array
        $EventsResult += [pscustomobject]@{
            Date    = $Evt.TimeCreated
            Message = $Evt.Message
        }
    }
}
## If any events were found, send an email with the events as the body
## (-Subject is mandatory in Windows PowerShell 5.1)
if ($EventsResult) {
    Send-MailMessage -From "[email protected]" -To "[email protected]" -Subject 'AD administrative group membership changes' -Body ($EventsResult | Out-String) -SmtpServer Out.YourSMTPServer.com
}
Replace the value of the SmtpServer parameter with a real SMTP server. If you use Office 365, you may also need to authenticate to the SMTP server.
This script follows a pattern used by many security tools: it reports who changed what.
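As an added example (not from the original article or its script), here is the same detection built on the event's structured fields: it keys the administrative groups by SID, reads the Subject, Member and Group values from each event's XML, and matches on the group's SID instead of searching the Message text. It assumes it runs on a domain controller where the audit policy above is applied; the $Since parameter is an assumption of this example, and SubjectUserName, MemberName, TargetUserName and TargetSid are the standard EventData names for events 4728, 4732 and 4756.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not part of the original article. Same detection as the
  article's script, but matching on the group's SID taken from the event's
  structured EventData rather than regex-searching the free-text Message.
  Assumes it runs on a domain controller where the Audit Security Group
  Management policy is applied and the caller can read the Security log.
#>
param(
    # How far back to look; the article's script uses the last day (assumed parameter)
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# 1. Build a lookup table of administrative groups keyed by SID string.
#    Same rule as the article: domain groups whose RID is below 1000.
$domainSid   = (Get-ADDomain).DomainSID.Value
$adminGroups = @{}
Get-ADGroup -Filter * -Properties objectSid |
    Where-Object {
        $_.ObjectSid.Value -match '-\d{3}$' -and
        $_.ObjectSid.Value.Length -gt $domainSid.Length
    } |
    ForEach-Object { $adminGroups[$_.ObjectSid.Value] = $_.Name }

# 2. Map the event IDs the article uses to the group scope they represent.
$eventScope = @{ 4728 = 'Global'; 4732 = 'Domain-local'; 4756 = 'Universal' }

# 3. Pull candidate events. Get-WinEvent throws when nothing matches, so
#    silence that and treat "no events" as an empty result.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 4. Read the named EventData fields from each event's XML instead of
#    matching the Message, so a group name that happens to appear inside
#    another string (for example in the member's DN) cannot cause a false hit.
$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $groupSid = $data['TargetSid']
    if (-not $groupSid -or -not $adminGroups.ContainsKey($groupSid)) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        GroupScope = $eventScope[$e.Id]
        Group      = $data['TargetUserName']
        GroupSid   = $groupSid
        MemberDN   = $data['MemberName']
        MemberSid  = $data['MemberSid']
        ChangedBy  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        DC         = $e.MachineName
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The $hits objects can be piped to Out-String and used as the -Body of the Send-MailMessage call from the article's script, giving a report with separate Group, Member and ChangedBy columns instead of the raw event message.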
Conclusion
You now know how to use PowerShell to audit group membership changes in Active Directory. What will you do with the script above? How can you improve it to help your organization audit Active Directory group membership changes?