Active Directory group membership modifications report

Based on customer needs I've created a Windows PowerShell script to report Active Directory group membership modifications. The script is uploaded to PoshCode and available from here.

In Windows 2000 Server and Windows Server 2003, the following security event IDs were valid for group membership changes:

Scope       Member added   Member removed
Local       636            637
Global      632            633
Universal   660            661

In Windows Server 2008 and Windows Server 2008 R2 the security event IDs changed:

Scope       Member added   Member removed
Local       4732           4733
Global      4728           4729
Universal   4756           4757

Source for 2000/2003 event IDs.
Source for 2008/2008 R2 event IDs.

Group membership auditing is enabled by default from Windows 2000 Server to Windows Server 2008 R2, so there is no need to change any auditing settings to accomplish this.
I've added event IDs for both 2000/2003 and 2008/2008 R2 to the script to cover all event IDs currently available.
Group membership changes are logged to the Security event log on the domain controller the modification was run against. Because of this the script is set up to get all domain controllers in the current domain and loop through the Security event log on each of them, searching for the relevant event IDs described in the tables above.
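To show the approach end to end, here is an added example (my own code, not the PoshCode script from the post) that reads the Security log once per domain controller, keeps only the event IDs from the two tables above, tags each with its scope and action, and writes an HTML file. It assumes Windows PowerShell 3.0 or later and rights to read the Security log remotely; the one-day window and the output path are my own choices.

```powershell
# Added example, not the script from the post: collect group membership change
# events from every domain controller in the current domain.
param([int]$DaysBack = 1)   # assumed default window; adjust to the task schedule

# Every event ID from the 2000/2003 and 2008/2008 R2 tables, with its meaning.
$GroupEvents = @{
    636  = @{ Scope = 'Local';     Action = 'Member added'   }
    637  = @{ Scope = 'Local';     Action = 'Member removed' }
    632  = @{ Scope = 'Global';    Action = 'Member added'   }
    633  = @{ Scope = 'Global';    Action = 'Member removed' }
    660  = @{ Scope = 'Universal'; Action = 'Member added'   }
    661  = @{ Scope = 'Universal'; Action = 'Member removed' }
    4732 = @{ Scope = 'Local';     Action = 'Member added'   }
    4733 = @{ Scope = 'Local';     Action = 'Member removed' }
    4728 = @{ Scope = 'Global';    Action = 'Member added'   }
    4729 = @{ Scope = 'Global';    Action = 'Member removed' }
    4756 = @{ Scope = 'Universal'; Action = 'Member added'   }
    4757 = @{ Scope = 'Universal'; Action = 'Member removed' }
}

# A change is logged only on the DC that processed it, so every DC must be read.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$after  = (Get-Date).AddDays(-$DaysBack)

$results = foreach ($dc in $domain.DomainControllers) {
    try {
        # One Security log read per DC; the time window limits what comes back,
        # and the event ID filter is applied to that single result set.
        $events = Get-EventLog -LogName Security -ComputerName $dc.Name -After $after -ErrorAction Stop |
                  Where-Object { $GroupEvents.ContainsKey($_.EventID) }
    } catch {
        # An unreachable DC should not abort the whole report; note it and go on.
        Write-Warning "Could not read Security log on $($dc.Name): $_"
        continue
    }
    foreach ($e in $events) {
        [PSCustomObject]@{
            DomainController = $dc.Name
            Time             = $e.TimeGenerated
            EventID          = $e.EventID
            Scope            = $GroupEvents[$e.EventID].Scope
            Action           = $GroupEvents[$e.EventID].Action
            Message          = $e.Message
        }
    }
}

$results | Sort-Object Time | ConvertTo-Html -Title 'AD group membership modifications' |
    Out-File -FilePath "$env:TEMP\ADGroupModifications.html"   # assumed output path
```

Running this from a scheduled task with the output path pointed at a central share gives the daily report the post describes; a DC that could not be read is reported as a warning rather than silently missing from the file.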

The script is based on Alan Renouf's Daily Report script for PowerCLI.

The "isWithin" function is taken from Jeffrey Snover's blog post regarding DateTime Utility Functions.

[Image: preview of the HTML report the script will generate]

A tip would be to run the script as a scheduled task, e.g. once a day, and store the file in a central location.

For those of you interested in Active Directory auditing I would recommend having a look at the AD DS Auditing Step-by-Step Guide on Microsoft TechNet.
Personally I think the new "directory service changes" category is very useful, as it allows us to see both the old and new values on modified Active Directory user objects.

9 thoughts on “Active Directory group membership modifications report”

    • Hi,

      Unfortunately I'm having some problems with the PoshCode.org uploading (http://powershellcommunity.org/tabid/54/afv/topic/aff/9/aft/4304/Default.aspx).

      Until the problem is resolved the script is available from this link:
      http://80.203.207.194/temp/Get-ADGroupModificationsReport.txt

      I've also updated the link in the blog post.

      –Jan Egil–

  1. Pingback: OldCmp Active Directory Reporting Tool

  2. Jan,
    A useful reporting script, just the sort of thing I was looking for and saved me a lot of work re-inventing the wheel! :)

    I was looking at it and it can be made more efficient if you assign the ‘get-eventlog’ to a variable and query that each time rather than using ‘get-eventlog’ three times.

    From line 161 …
    foreach ($domaincontroller in $domaincontrollers){
    $x = Get-EventLog -LogName 'Security' -ComputerName $domaincontroller -After ((Get-Date).AddDays(-1))

    This will find all event logs in the last day using the '-After' option of the Get-EventLog cmdlet.

    You can then use this variable to find the events you are after, not needing the isWithin function as we have the timeframe already defined …

    $MyReport += Get-HTMLTable ($x | Where-Object {$_.EventID -eq "636" -or $_.EventID -eq "4732"} | select TimeGenerated,Message )

    By doing this, we only run 'Get-EventLog' once against each DC instead of 6 times and so the job is much quicker.

    I hope you find this helpful :)

  3. Pingback: OldCmp Active Directory Reporting Tool

  4. I’m not adept at scripting— I use the freeware version of NetWrix active directory change reporter which sends automated reports detailing all modifications made to AD, including changes made to group memberships.