I recommend that you run this to identify accounts that may have more access than you'd prefer. If you just add someone to a group temporarily, this can help save you from forgetting that they're a member (long term).
This covers #20 in my list of scheduled reports, which I highly suggest that you check out...
#-------------------BEGIN SCRIPT---------------------------
#Add the snapin
add-pssnapin Quest.ActiveRoles.ADManagement
#Specify a temp file
$TempFile = "c:\temp\GroupAudit.txt"
#Here we list the groups that we'd like to display members for
$Groups = `
"DOMAIN\Administrators",
"DOMAIN\DnsAdmins",
"DOMAIN\Domain Admins",
"DOMAIN\Enterprise Admins",
"DOMAIN\Exchange Admins",
"DOMAIN\Schema Admins"
#For each group, add a header, then output the members of the group. Pipe everything to the temp file
Foreach ($Group in $Groups){
$Header = "`r`nThe current members of the $group group are:"
$Header | Add-Content $TempFile
get-qadgroup $Group | get-qadgroupmember | add-content $TempFile
} #End Foreach
#Get the content of the temp file to form the body of the email
$body = (get-content $TempFile | out-string)
#Specify Email variables
$From = "helpdesk@DOMAIN.org"
$Subject = "PS Report - Sensitive AD Group Memberships"
$To = "me@DOMAIN.org"
$SMTPServer = "smtpserver.DOMAIN.org"
#Send the email
Send-MailMessage -To $To -Subject $Subject -Body $body -From $From -SmtpServer $SMTPServer
#Delete the temp file
Remove-Item $TempFile
#-------------------END SCRIPT---------------------------
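As an added example (not the author's script above), the same audit can be turned into a change report rather than a full listing: the first run saves the approved membership as a baseline, and later runs only mail the accounts that were added or removed, which is what actually catches the "temporary" add that never got reverted. This version uses Microsoft's ActiveDirectory module (Get-ADGroupMember -Recursive, so nested membership is included) instead of the Quest snap-in; the group names, file path and mail settings are placeholders for your environment.

```powershell
# Added example, not part of the original post: baseline-and-diff audit of
# sensitive AD group membership using the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

# Group names, paths and mail settings are assumptions; adjust to your domain.
$Groups       = "Administrators", "DnsAdmins", "Domain Admins", "Enterprise Admins", "Schema Admins"
$BaselinePath = "C:\temp\GroupAudit-baseline.xml"

# Resolve nested membership (-Recursive) so accounts that reach a sensitive group
# through another group are reported too; key on SamAccountName so a display-name
# change does not look like an add/remove pair.
function Get-SensitiveMembership {
    param([string[]]$GroupNames)
    $result = @{}
    foreach ($g in $GroupNames) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' } |
                   Select-Object -ExpandProperty SamAccountName |
                   Sort-Object -Unique
        $result[$g] = @($members)
    }
    return $result
}

$current = Get-SensitiveMembership -GroupNames $Groups

if (-not (Test-Path $BaselinePath)) {
    # First run: record the membership you have reviewed and approved, then stop.
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath; review it, then re-run to start diffing."
    return
}

$baseline = Import-Clixml -Path $BaselinePath

# Compare each group against the baseline; '=>' means present now but not in the
# baseline (added), '<=' means in the baseline but gone now (removed).
$report = foreach ($g in $Groups) {
    $ref  = @($baseline[$g] | Where-Object { $_ })   # drop $null if group is new to the list
    $diff = Compare-Object -ReferenceObject $ref -DifferenceObject @($current[$g])
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        "{0,-8} {1,-20} {2}" -f $change, $g, $d.InputObject
    }
}

if ($report) {
    $body = "Sensitive group membership changed since baseline:`r`n`r`n" + ($report -join "`r`n")
    Send-MailMessage -To "me@DOMAIN.org" -From "helpdesk@DOMAIN.org" `
        -Subject "PS Report - Sensitive AD Group CHANGES" -Body $body -SmtpServer "smtpserver.DOMAIN.org"
} else {
    Write-Output "No membership changes since baseline."
}
```

When a change in the mail is legitimate, delete the baseline file (or re-run with it removed) so the next run records the new approved state; anything that shows up as ADDED without a matching ticket is the account to look at first.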
 