Powershell Auditing Server ADUC



  • In the ever evolving needs - I need to perform an audit on ADUC - and queue in Powershell which seems to be the tool to do something like this.

    I found this Active Directory Audit Report With Powershell which does a splendid job, but doesn't seem to cover the User OUs.

    The HTML report is nice on this... reads easy, and decently formatted (huh,.. after 152,000+ days, guess THAT password should be reviewed)

    But - I need to show every user, and this just doesn't. I'm sure this could be changed a bit to do so, but am curious if there is something better - and am looking - but wished to share this, and ask if anyone has come across a PS script to list each user, and their security groups, GPO and such...



  • This powershell script should pull in what you need.

    Import-Module ActiveDirectory

    $credentials = Get-Credential

    # Members is not returned by default, so request it explicitly
    # (the original line had a stray trailing "DistinguishedName" argument that fails to parse)
    $groups = Get-ADGroup -Credential $credentials -Filter * -Properties Members

    Foreach ($g in $groups)
    {
        Write-Host $g.Name
        Write-Host "---------"
        Write-Host "         "
        $g.Members
    }
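As an added example (not a script from this thread), here is a group-centric version of the report above that goes one step further: it flattens nested groups with `Get-ADGroupMember -Recursive`, records each member's object class, and still emits a row for empty groups. It assumes the ActiveDirectory module, PowerShell 3 or later and read access to the domain; the output path and the `$OutFile` name are assumptions.

```powershell
# Added example, not a script from this thread: one row per (group, member)
# pair with nested groups flattened. Assumes the ActiveDirectory module,
# PowerShell 3 or later and read access to the domain; the output path is an
# assumption, change it as needed.
Import-Module ActiveDirectory

$OutFile = Join-Path $env:USERPROFILE 'Documents\Group-Members.csv'

$report = foreach ($g in Get-ADGroup -Filter * -Properties GroupCategory, GroupScope, Members) {
    # Get-ADGroupMember -Recursive walks nested groups. It fails on members it
    # cannot resolve (e.g. foreign security principals from a trusted domain),
    # so fall back to the raw member DNs for that group instead of aborting.
    try {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop)
    } catch {
        Write-Warning ("Could not expand '{0}' recursively ({1}); listing direct members by DN" -f $g.Name, $_.Exception.Message)
        $members = @($g.Members | ForEach-Object { Get-ADObject -Identity $_ -Properties SamAccountName })
    }

    if ($members.Count -eq 0) {
        # An empty group is still worth seeing in an audit, so emit a row for it
        [PSCustomObject]@{ Group = $g.Name; Category = $g.GroupCategory; Scope = $g.GroupScope
                           Member = ''; MemberClass = ''; MemberDN = '' }
        continue
    }

    foreach ($m in $members) {
        # Objects from the DN fallback may lack SamAccountName; use Name then
        $memberName = if ($m.SamAccountName) { $m.SamAccountName } else { $m.Name }
        [PSCustomObject]@{
            Group       = $g.Name
            Category    = $g.GroupCategory      # Security or Distribution
            Scope       = $g.GroupScope         # DomainLocal, Global, Universal
            Member      = $memberName
            MemberClass = $m.ObjectClass        # user, group, computer, ...
            MemberDN    = $m.DistinguishedName
        }
    }
}

$report | Sort-Object Group, Member | Export-Csv -Path $OutFile -NoTypeInformation

# Export-Csv writes nothing to the console, so print a summary you can eyeball
'{0} rows for {1} groups written to {2}' -f @($report).Count, @($report | Select-Object -ExpandProperty Group -Unique).Count, $OutFile
$report | Where-Object { $_.Member } | Group-Object MemberClass | Select-Object Name, Count
```

Two caveats when reading the output: `Get-ADGroupMember` is subject to the domain's result-set limits on very large groups, and a `Security` group with `Universal` scope that contains other groups is exactly where nested membership hides, so compare the recursive row count against `$g.Members.Count` for the groups you care about.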


  • Or you can use my more advanced script which pulls in a bit more

    # This script will export all users of the specified domain, and their group memberships to a CSV file. The usefulness of this tool is expressed when
    # setting up new hire employees or reviewing domain membership permissions.
    
    # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so.
    
    # Use of this script implies that you understand what it does, and will do to with regards to your Active Directory installation members and group memberships.
    # As designed there are no changes made to your installation, the script simply generates a report of members, and their group memberships. 
    # Any changes to this script are the responsibility of the person/organization which made said changes. 
    
    # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed.
    #
    # Imports Active Directory information 
    Import-Module ActiveDirectory
    
    # Prompts for user credentials; the default user is blank, enter an administrator account in the form "domain-name\administrator-account"
    $credentials = Get-Credential
    
    Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | % {
      New-Object PSObject -Property @{
        UserName          = $_.DisplayName
        EmailAddress      = $_.EmailAddress
        DistinguishedName = $_.DistinguishedName
        Enabled           = $_.Enabled
        # Delimits the group list with ";" for easy copy and paste. Incredibly useful for Copy & Paste of group memberships to new hire employees.
        Groups            = ($_.memberof | Get-ADGroup -Credential $credentials | Select -ExpandProperty Name) -join ";"
      }
    # The export path is variable; change it to the desired location on a domain controller or end user computer. 
    # (-NTI is the alias for -NoTypeInformation; it must be a plain hyphen, not a dash pasted from a word processor)
    } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object UserName | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NTI
    
    # Commented-out file-dialog helpers from another script; not used by the report above
    #Function Get-SaveFile($initialDirectory)
    #{ 
    #[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") |
    #Out-Null
    #
    #$SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
    #$SaveFileDialog.initialDirectory = $initialDirectory
    #$SaveFileDialog.filter = "All files (*.*)| *.*"
    #$SaveFileDialog.ShowDialog() | Out-Null
    #$SaveFileDialog.filename
    #} 
    #
    #
    # open dialog box to select the .nessus file. 
    #$InputFile = Get-OpenFile
    #$OutputFile = Get-SaveFile
    #
    #
    #$Contents = [io.file]::ReadAllText($inputfile)
    #$Contents = [io.file]::ReadAllText('C:\tools\wd\nessus\data\data.xml')
    #$Global:OutFile = [System.IO.StreamWriter] "c:\tools\wd\nessus\outfile.csv"
    #
    ##$InputFile
    #$OutputFile
    #


  • @dustinb3403 said in Powershell Auditing Server ADUC:

    Or you can use my more advanced script which pulls in a bit more


    Other than the location at the bottom - are there any other changes needed? I have changed the file location to reflect what I needed, and receive no output or errors.



  • @gjacobse

    You should just need to run this bit, nothing should have to be changed. DFL should be at least 2008

    # Imports Active Directory information 
    Import-Module ActiveDirectory
    
    # Prompts for user credentials; the default user is blank, enter an administrator account in the form "domain-name\administrator-account"
    $credentials = Get-Credential
    
    Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | % {
      New-Object PSObject -Property @{
        UserName          = $_.DisplayName
        EmailAddress      = $_.EmailAddress
        DistinguishedName = $_.DistinguishedName
        Enabled           = $_.Enabled
        # Delimits the group list with ";" for easy copy and paste. Incredibly useful for Copy & Paste of group memberships to new hire employees.
        Groups            = ($_.memberof | Get-ADGroup -Credential $credentials | Select -ExpandProperty Name) -join ";"
      }
    # The export path is variable; change it to the desired location on a domain controller or end user computer. 
    # (-NTI is the alias for -NoTypeInformation; it must be a plain hyphen, not a dash pasted from a word processor)
    } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object UserName | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NTI
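As an added example (not the script from this thread), here is a per-user audit that covers what the original question asked for beyond direct groups: the parent container, the effective (nested) group list resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN, and the password and logon ages that make stale accounts stand out. It also prints a summary at the end, because `Export-Csv` produces no console output and a silent run is easy to mistake for a failed one. It assumes the ActiveDirectory module, PowerShell 3 or later and read access to the domain; the output path, the helper function names and the 365-day threshold are assumptions.

```powershell
# Added example, not the thread's script: one row per user with its parent
# container, direct and effective (nested) groups, and password/logon age.
# Assumes the ActiveDirectory module, PowerShell 3 or later and read access
# to the domain; the output path is an assumption, change it as needed.
Import-Module ActiveDirectory

$OutFile = Join-Path $env:USERPROFILE 'Documents\User-Audit.csv'
$Now     = Get-Date

# Escape a DN for use inside an LDAP filter (RFC 4515); backslash goes first
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk
# nested membership itself, so this returns every group the user is
# effectively in, not only the ones on its memberOf attribute
function Get-EffectiveGroupNames([string]$UserDn) {
    $v = ConvertTo-LdapFilterValue $UserDn
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$v)" |
        Select-Object -ExpandProperty Name | Sort-Object
}

# Parent container of a DN. Splitting on every comma (as the thread's script
# does) breaks on names such as "CN=Smith\, John", so split only on commas
# that begin a new OU=/CN=/DC= component
function Get-ParentContainer([string]$Dn) {
    $parts = $Dn -split ',(?=(?:OU|CN|DC)=)'
    if ($parts.Count -lt 2) { return '' }
    $parts[1] -replace '^(OU|CN|DC)='
}

$props = 'DisplayName','EmailAddress','Enabled','PasswordLastSet','PasswordNeverExpires','LastLogonDate','MemberOf'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $u = $_   # keep the user handy; nested pipelines below rebind $_
    $pwdAge = if ($u.PasswordLastSet) { ($Now - $u.PasswordLastSet).Days } else { $null }  # null = never set
    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        DisplayName          = $u.DisplayName
        EmailAddress         = $u.EmailAddress
        OU                   = Get-ParentContainer $u.DistinguishedName
        Enabled              = $u.Enabled
        PasswordAgeDays      = $pwdAge
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        DirectGroups         = @($u.MemberOf | ForEach-Object { ($_ -split ',(?=(?:OU|CN|DC)=)')[0] -replace '^CN=' }) -join ';'
        EffectiveGroups      = @(Get-EffectiveGroupNames $u.DistinguishedName) -join ';'
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation

# Export-Csv is silent, which is why a run can look like it "did nothing";
# print a summary and the rows a reviewer usually wants to see first
'{0} users written to {1}' -f @($report).Count, $OutFile
$report | Where-Object { $_.Enabled -and ($_.PasswordNeverExpires -or $_.PasswordAgeDays -gt 365) } |
    Select-Object SamAccountName, OU, PasswordAgeDays, PasswordNeverExpires |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Comparing the `DirectGroups` and `EffectiveGroups` columns for a user is the quick way to spot privilege inherited through group nesting, which the memberOf-only export above does not show. One LDAP query per user is fine for a few thousand accounts; for much larger domains, expand the groups once (as in the group-centric example earlier in the thread) and join the two CSVs instead.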