Need a script to find new members added to an AD group

    Question

  • Dear all,

    I need some help. I need to run a script daily to find new members added to an AD group. If possible the result could be sent as an email to a designated email account. If not, exporting the results to a text file is good for me.

    Many, many thanks!

    Tuesday, December 11, 2012 7:48 AM

All replies

  • Here's a quick and dirty one for users created in the last 30 days, sent by email:

    # Requires the Quest ActiveRoles AD cmdlets, which provide Get-QADUser
    Add-PSSnapin Quest.ActiveRoles.ADManagement

    $to = 'x@x.com'
    $from = 'b@B.com'
    $smtp = 'SMTP.xyz.com'
    $subject = 'users last 30 days'
    $u30file = "c:\TEMP\u30.csv"

    # All users whose whenCreated is within the last 30 days (-SizeLimit 0 removes the default 1000-result cap)
    $u30 = Get-QADUser -SizeLimit 0 | ?{$_.whencreated -gt (Get-Date).addDays(-30)}
    $u30 | Export-Csv $u30file -NoTypeInformation -Delimiter ";" -Encoding unicode
    Send-MailMessage -to $to -From $from -Attachments $u30file -SmtpServer $smtp -Subject $subject

    You just need the Quest CMD lets

    Regards
    Dan

    Tuesday, December 11, 2012 8:40 AM
  • Thanks, Daniel, for your quick reply! Unfortunately I need a script to monitor users added or removed daily in a security group. I've found some solutions and I am testing now.

    However, I'd prefer a VB script without the help of Quest CMDlets. Anyone able to help?

    http://www.windowsitpro.com/article/auditing/track-active-directory-changes

    VBS script; however, it's too complicated for me to comprehend, not a scripter by training.

    http://gallery.technet.microsoft.com/scriptcenter/Monitor-Active-Directory-4c4e04c7

    PowerShell script, and I am testing now...

    Tuesday, December 11, 2012 9:05 AM
  • AD has auditing. Look it up in help. You can have the EL notify you when an audit item is triggered. This is the best way to do this.

    ¯\_(ツ)_/¯

    Tuesday, December 11, 2012 12:56 PM
  • There is no way to tell when users are added to a group, unless you maintain a separate list of members and compare periodically to the actual group. Better would be to use AD auditing. See this link:

    http://technet.microsoft.com/en-us/library/cc737542(v=WS.10).aspx


    Richard Mueller - MVP Directory Services

    Tuesday, December 11, 2012 2:22 PM
    Moderator
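    The "maintain a separate list and compare" approach Richard describes, as an added example that is not part of the thread: it snapshots the group's members with plain ADSI (no Quest cmdlets, read access to the group is enough), diffs against the previous run and mails the result. The group DN, file paths and mail settings are placeholders.

```powershell
# Added example (not from the thread): Richard's "keep a member list and compare" approach in plain
# PowerShell with ADSI. No Quest cmdlets, and read access to the group is enough.
# Assumptions: the group DN, file paths and mail settings below are placeholders for your environment.
$GroupDN      = 'CN=Finance-Admins,OU=Groups,DC=example,DC=com'   # placeholder group DN
$SnapshotFile = 'C:\Temp\Finance-Admins.members.txt'               # member list from the previous run
$ReportFile   = 'C:\Temp\Finance-Admins.changes.txt'               # today's report

# Read the member DNs straight from the group object. 'member' is multi-valued; groups with more than
# 1500 members return it in ranges, which this simple read does not handle.
$group   = [ADSI]"LDAP://$GroupDN"
$current = @($group.member | ForEach-Object { [string]$_ } | Sort-Object -Unique)

# First run: no previous list to compare against, so just record the baseline and stop.
if (-not (Test-Path $SnapshotFile)) {
    Set-Content -Path $SnapshotFile -Value $current
    Set-Content -Path $ReportFile -Value "Baseline written for $GroupDN ($($current.Count) members)."
    return
}

$previous = @(Get-Content $SnapshotFile | Where-Object { $_ })

# Set difference in both directions: present now but not before = added, and the reverse = removed.
$added   = @($current  | Where-Object { $previous -notcontains $_ })
$removed = @($previous | Where-Object { $current  -notcontains $_ })

$report  = @("Membership changes for $GroupDN as of $(Get-Date -Format 'yyyy-MM-dd HH:mm')")
$report += @($added   | ForEach-Object { "ADDED:   $_" })
$report += @($removed | ForEach-Object { "REMOVED: $_" })
if ($added.Count -eq 0 -and $removed.Count -eq 0) { $report += 'No changes since the last run.' }
Set-Content -Path $ReportFile -Value $report

# Mail the report only when something changed. Send-MailMessage is built into PowerShell 2.0.
if ($added.Count -gt 0 -or $removed.Count -gt 0) {
    Send-MailMessage -To 'alerts@example.com' -From 'adwatch@example.com' -SmtpServer 'smtp.example.com' `
        -Subject "AD group membership changed: $GroupDN" -Body ($report -join "`r`n")
}

# Update the snapshot last, so a failure above leaves the old list in place for the next run.
Set-Content -Path $SnapshotFile -Value $current
```

    Run it once a day from Task Scheduler; the first run only writes the baseline, every later run reports the delta.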
  • hi Richard,

    I do not have access to the built-in audit feature. Moreover, Windows 2003 AD will still require some form of scripting for email notification.

    I'll leave your post as answered to acknowledge your recommendation. The following PowerShell script works for me:

    http://gallery.technet.microsoft.com/scriptcenter/Monitor-Active-Directory-4c4e04c7

    Wednesday, December 12, 2012 2:00 AM
  • All Admins have access to the audit feature.

    WS2003 has a built-in task for emailing on events. That has been part of Windows since Windows 2000 SP2. WMI eventing is how all third parties have built audit tracking for years.


    ¯\_(ツ)_/¯

    Wednesday, December 12, 2012 3:38 AM
  • hi jrv,

    Thank you for the explanation...I am not the domain admin and have only read access to directory.

    cheers,

    James

    Wednesday, December 12, 2012 6:12 AM
  • hi Jrv,

    Would you be able to share a link or KB on the above suggestion for my reference?

    Wednesday, December 12, 2012 6:14 AM
  • I don't know of a KB. It is in the documentation for Windows AD and in the online WMI documentation.

    If you do not have admin access then you cannot know when these things are completed.

    Start by having your admins set auditing on the group you want to monitor. They will then have to give you access to the EventLog for the DC so you can query it. If you can query the Security log then you can run a script every day that reports on the audit event that is reported on the group.

    Your Domain Admins should know how to set security auditing on an AD object.


    ¯\_(ツ)_/¯

    Wednesday, December 12, 2012 11:21 AM
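    The daily Security-log query jrv describes, as an added example that is not part of the thread: it pulls the "member added/removed" audit events for one group from a DC and writes a text report. It assumes auditing is enabled on the group and that you were granted read access to the DC's Security log; the DC name, group name and output path are placeholders.

```powershell
# Added example (not from the thread): pull the group-membership audit events jrv refers to
# out of a DC's Security log once a day and write a plain-text report.
# Assumptions: auditing is enabled on the group and you can read the DC's Security log;
# DC name, group name and output path below are placeholders.
$DC         = 'DC01'                     # placeholder domain controller name
$GroupName  = 'Finance-Admins'           # placeholder sAMAccountName of the monitored group
$ReportFile = 'C:\Temp\Finance-Admins.audit.txt'
$Since      = (Get-Date).AddDays(-1)     # daily run: look back 24 hours

# Event IDs for "member added" / "member removed" on security-enabled groups.
# Windows 2003 DCs log the 3-digit IDs; Windows 2008 and later log the 4-digit ones.
$MemberAdded   = 632, 636, 660, 4728, 4732, 4756    # global, local, universal
$MemberRemoved = 633, 637, 661, 4729, 4733, 4757

# Get-EventLog uses the classic event log API, so it also works against Windows 2003 DCs.
# Wrapping in @() keeps $events an (possibly empty) array even on PowerShell 2.0.
$events = @(Get-EventLog -LogName Security -ComputerName $DC -After $Since -ErrorAction Stop |
    Where-Object { ($MemberAdded + $MemberRemoved) -contains $_.EventID })

# Keep only events that name the monitored group, then summarise each one.
$lines = foreach ($e in $events) {
    if ($e.Message -notmatch [regex]::Escape($GroupName)) { continue }
    $action = if ($MemberAdded -contains $e.EventID) { 'ADDED' } else { 'REMOVED' }
    # The acting account and the member are in the message, but the field layout differs between
    # 2003 and 2008+, so the full message is kept rather than parsing individual fields.
    "{0:yyyy-MM-dd HH:mm:ss}  {1,-7}  EventID {2}  on {3}`r`n{4}`r`n" -f `
        $e.TimeGenerated, $action, $e.EventID, $e.MachineName, $e.Message.Trim()
}

if (-not $lines) { $lines = "No membership changes recorded for $GroupName since $Since." }
Set-Content -Path $ReportFile -Value $lines
```

    Unlike the snapshot-and-compare approach, this also tells you who made the change and when, which is why the moderators point to auditing first.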