
How to effectively Audit Active Directory groups?

rwskas asked:
We have some 4-5000 groups in our Active Directory environment. We would like to set up a quarterly review process to ensure that the people within these groups still indeed need that access (this is an IT Security-driven project). Any advice on how to tackle this?
1) Our first hurdle is to identify owners for each group.
Any recommendations? Right now our thoughts are to have a standard string that we can search for with a script in the description field, and parse out a username from it.

2) Once we have a standard and automatic process for identifying the owner, how do we go about getting the relevant information (group name and users in the group) to the owners for review? Right now we are thinking a PowerShell script could perform this function: grab the group name and the members, identify the owner, compile a spreadsheet, and then email the spreadsheet to the owner.

Thoughts? Advice?

Chris Dent (PowerShell Developer, Top Expert 2010) commented:

1. The group's ManagedBy field would, to me, seem to be the most appropriate. The field does not grant any special rights over the group unless you explicitly tell it the manager can modify membership.

2. That is entirely possible. Would you do it with or without the Quest AD cmdlets? They would make it easier, but it's entirely possible without them.

The system running the script would need Excel installed, although it may be possible to find a .NET library that can create Excel spreadsheets without Excel (otherwise we have to use the Excel.Application COM object).

As a rough start, we could run:


Get-QADGroup -LdapFilter "(managedBy=*)" | ForEach-Object {

  # Get the members of the group
  $Members = Get-QADGroupMember $_.DN

  # Build the report, or section of a report

  # E-mail here, as a per-group report, or e-mail later with all groups for that manager
  # Using: Send-MailMessage
}


Chris

Author commented:
Perfect, how could I forget about the Managed By field! That is exactly what we need to populate.

The PowerShell we are using is limited to V1, and we will likely stay away from QAD to keep the script as portable as possible.
I do already have a function for emails, so that is a non-issue.

Chris Dent (PowerShell Developer, Top Expert 2010) commented:

Fair enough :)

This version only uses things available to native PowerShell 1 (although syntax will need testing for compatibility with 1).

Property handling is extremely basic at the moment; it only accounts for single-value properties, and only very simple ones there.

Chris
Function Get-DsObject
{
  Param(
    [ADSI]$SearchRoot = [ADSI]"",   # default: root of the current domain
    [String]$LdapFilter = "(objectClass=*)",
    [String[]]$Properties = @("name", "displayName", "distinguishedName")
  )

  $Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $LdapFilter)
  $Searcher.PageSize = 1000   # page the results so a large domain does not hit the server-side size limit

  $Searcher.PropertiesToLoad.AddRange($Properties)

  $Searcher.FindAll() | %{
    $Object = New-Object Object

    # Result property names are lower-case, and a missing attribute yields an empty
    # collection rather than $Null, so test with Contains instead of comparing to $Null
    $PropertyValues = $_.Properties
    $Properties | %{
      If ($PropertyValues.Contains($_.ToLower())) {
        Add-Member NoteProperty $_ -Value $PropertyValues[$_.ToLower()][0] -InputObject $Object
      } Else {
        Add-Member NoteProperty $_ -Value "" -InputObject $Object
      }
    }
    $Object
  }
}

# Restrict to groups (OUs and computers also carry managedBy) and load the owner's DN
Get-DsObject -LdapFilter "(&(objectClass=group)(managedBy=*))" -Properties @("name", "distinguishedName", "managedBy") | ForEach-Object {

  # Escape RFC 4515 filter metacharacters so a DN containing ( ) * or \ cannot alter the filter
  $EscapedDn = $_.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

  # Get the direct members of this group
  $Members = Get-DsObject -LdapFilter "(memberOf=$EscapedDn)" -Properties @("sAMAccountName", "displayName")

  # Build the report, or section of a report; $_.ManagedBy holds the owner's DN

  # E-mail here, as a per-group report, or e-mail later with all groups for that manager
  # Using: Send-MailMessage
}

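As an added example (not code from the thread), this is a PowerShell 1.0-compatible version of the whole pass the question describes: groups that have a ManagedBy owner, their direct members, one CSV per owner, mailed with System.Net.Mail because Send-MailMessage only exists from 2.0. The SMTP host, sender address and report folder are placeholders, and the owner's address is assumed to be the mail attribute of the managedBy object.

```powershell
# Added example: quarterly group-membership review using only DirectorySearcher and System.Net.Mail.
$SmtpHost  = "smtp.example.com"        # placeholder, assumption
$From      = "ad-review@example.com"   # placeholder, assumption
$ReportDir = "C:\GroupReview"          # placeholder, assumption (folder must exist)
$Root      = [ADSI]""                  # root of the current domain

# Escape RFC 4515 filter metacharacters so a DN containing ( ) * or \ cannot alter the filter.
Function Escape-LdapFilterValue([String]$Value) {
  $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

Function Find-DsObjects([String]$Filter, [String[]]$Props) {
  $Searcher = New-Object DirectoryServices.DirectorySearcher($Root, $Filter)
  $Searcher.PageSize = 1000                     # page through large result sets
  $Searcher.PropertiesToLoad.AddRange($Props)
  $Searcher.FindAll()
}

# First value of a result attribute (keys are lower-case), or "" when it is absent.
Function Get-First($Result, [String]$Name) {
  If ($Result.Properties.Contains($Name)) { $Result.Properties[$Name][0] } Else { "" }
}
# One row per (group, direct member), collected per owner DN; nested groups appear as member rows.
$RowsByOwner = @{}
Find-DsObjects "(&(objectClass=group)(managedBy=*))" @("name", "distinguishedname", "managedby") | ForEach-Object {
  $GroupName = Get-First $_ "name"
  $OwnerDn   = Get-First $_ "managedby"
  $MemberFilter = "(memberOf=" + (Escape-LdapFilterValue (Get-First $_ "distinguishedname")) + ")"
  Find-DsObjects $MemberFilter @("samaccountname", "displayname") | ForEach-Object {
    $Row = New-Object Object
    Add-Member NoteProperty Group       -Value $GroupName                      -InputObject $Row
    Add-Member NoteProperty Member      -Value (Get-First $_ "samaccountname") -InputObject $Row
    Add-Member NoteProperty DisplayName -Value (Get-First $_ "displayname")    -InputObject $Row
    Add-Member NoteProperty Decision    -Value "KEEP or REMOVE"                -InputObject $Row
    If (-not $RowsByOwner.ContainsKey($OwnerDn)) { $RowsByOwner[$OwnerDn] = @() }
    $RowsByOwner[$OwnerDn] += $Row
  }
}

# One CSV and one mail per owner; the address is the mail attribute of the managedBy object.
$RowsByOwner.Keys | ForEach-Object {
  $To = [String]([ADSI]("LDAP://" + ($_ -replace '/', '\/'))).mail   # '/' must be escaped in an ADsPath
  If ($To -eq "") { Write-Warning "Owner $_ has no mail attribute; skipping"; Return }
  $File = Join-Path $ReportDir (($_ -replace '[^A-Za-z0-9]', '_') + ".csv")
  $RowsByOwner[$_] | Export-Csv -Path $File -NoTypeInformation
  $Mail = New-Object System.Net.Mail.MailMessage($From, $To, "Quarterly AD group access review",
    "Please review the attached group memberships and mark each row KEEP or REMOVE.")
  $Mail.Attachments.Add((New-Object System.Net.Mail.Attachment($File)))
  (New-Object System.Net.Mail.SmtpClient($SmtpHost)).Send($Mail)
  $Mail.Dispose()
}
```

The memberOf search returns direct members only, so a nested group shows up as a single member row and its own owner reviews its contents separately; keep the generated CSVs, since they are the evidence that the review happened.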