Let me start this one off by saying this is not an optimal solution, but in a pinch it gets the job done. Also, I kind of rushed this, so there is a lot of code and it could definitely be shortened up if so desired.
Now that that is out of the way, the following script monitors groups that you wish to monitor on a whitelist basis. This means it requires a lot of upkeep if you are in a rapidly changing environment, but luckily I am not. It is quite simple to add groups should you need to, so that's a plus. In the event of someone being added to one of the groups who isn't on the corresponding whitelist, you will get an email notification. I just deploy the script as a scheduled task that runs every hour. Simple but effective. Two things to keep in mind: the whitelists are plain text files, so lock down their ACLs (anyone who can edit them can silence the alerts), and the script compares on the object's Name and only looks at direct members of each group (Get-ADGroupMember without -Recursive), so a user dropped into a whitelisted nested group will not trip it.
```powershell
################
#SMTP Variables#
################
$strSMTPServer = "SMTPSERVER"
$strSMTPTo = "AnotherITGuy <anotheritguy@domain.com>"
$strSMTPFrom = "ALERT - DOMAIN GROUP MEMBERSHIP <alerts@domain.com>"

############################
#More Variables & Functions#
############################
#Get-ADGroupMember lives in the RSAT ActiveDirectory module
Import-Module ActiveDirectory

#Domain Controller
$strDomainController = "DC01.DOMAIN.COM"

#Monitored Groups (direct members only; nested groups are not expanded)
$arrDomainAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Domain Admins"
$arrEnterpriseAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Enterprise Admins"
$arrSchemaAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Schema Admins"
$arrvCenterAdmins = Get-ADGroupMember -Server $strDomainController -Identity "VCenter Admins"

#Monitored Groups Member Names
$arrDomainAdminsNames = $arrDomainAdmins.Name
$arrEnterpriseAdminsNames = $arrEnterpriseAdmins.Name
$arrSchemaAdminsNames = $arrSchemaAdmins.Name
$arrvCenterAdminsNames = $arrvCenterAdmins.Name

#Monitored Groups White Lists (one Name per line)
$arrWLDomainAdmins = Get-Content E:\WLs\arrDomainAdmins.txt
$arrWLEnterpriseAdmins = Get-Content E:\WLs\arrEnterpriseAdmins.txt
$arrWLSchemaAdmins = Get-Content E:\WLs\arrSchemaAdmins.txt
$arrWLvCenterAdmins = Get-Content E:\WLs\arrVCenterAdmins.txt

#Domain Admins Eval - returns $true if $Username is on the whitelist
function Eval-DomainAdmins($Username)
{
    foreach($tmpUsername in $arrWLDomainAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

#Enterprise Admins Eval
function Eval-EnterpriseAdmins($Username)
{
    foreach($tmpUsername in $arrWLEnterpriseAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

#Schema Admins Eval
function Eval-SchemaAdmins($Username)
{
    foreach($tmpUsername in $arrWLSchemaAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

#vCenter Admins Eval
function Eval-vCenterAdmins($Username)
{
    foreach($tmpUsername in $arrWLvCenterAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

################
#Let's Do Stuff#
################
#Domain Admins
foreach($tmpUsername in $arrDomainAdminsNames)
{
    if((Eval-DomainAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Domain Admins" -Body "$tmpUsername has not been authorized for Domain Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."
    }
}

#Enterprise Admins
foreach($tmpUsername in $arrEnterpriseAdminsNames)
{
    if((Eval-EnterpriseAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Enterprise Admins" -Body "$tmpUsername has not been authorized for Enterprise Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."
    }
}

#Schema Admins
foreach($tmpUsername in $arrSchemaAdminsNames)
{
    if((Eval-SchemaAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Schema Admins" -Body "$tmpUsername has not been authorized for Schema Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."
    }
}

#vCenter Admins
foreach($tmpUsername in $arrvCenterAdminsNames)
{
    if((Eval-vCenterAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in vCenter Admins" -Body "$tmpUsername has not been authorized for VCenter Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."
    }
}
```
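The same whitelist idea, tightened up, as an added example that is not the script from the post: one generic check driven by a table of group to whitelist file, whitelists keyed on objectSid instead of Name (a Name is only unique within an OU, so a same-named object elsewhere in the tree would otherwise pass), nested groups expanded so a user hidden inside a whitelisted nested group is still evaluated, a missing whitelist treated as a failure instead of an empty allow list, and one summary mail per run. The server, SMTP values, directory and group names are assumptions that mirror the post; the file names and the PS 3.0+ `[pscustomobject]` syntax are mine.

```powershell
# Added example, not the original script. Server, SMTP values, paths and group
# names are assumptions that mirror the post. Requires PowerShell 3.0+ and the
# RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$DomainController = "DC01.DOMAIN.COM"
$WhitelistDir     = "E:\WLs"
$SMTPServer       = "SMTPSERVER"
$SMTPTo           = "AnotherITGuy <anotheritguy@domain.com>"
$SMTPFrom         = "ALERT - DOMAIN GROUP MEMBERSHIP <alerts@domain.com>"

# Group -> whitelist file. Each file holds one objectSid per line
# (e.g. S-1-5-21-...-500). A SID cannot be reproduced by creating a
# same-named object in another OU, unlike the Name attribute.
$Monitored = @{
    "Domain Admins"     = "DomainAdmins.sids.txt"
    "Enterprise Admins" = "EnterpriseAdmins.sids.txt"
    "Schema Admins"     = "SchemaAdmins.sids.txt"
    "VCenter Admins"    = "VCenterAdmins.sids.txt"
}

function Get-EffectiveMembers {
    # Direct members (so a newly nested group is seen as an object in its own
    # right) plus recursive expansion (so users inside a whitelisted nested
    # group are still evaluated individually), de-duplicated by SID.
    param([string]$Group)
    $seen      = @{}
    $direct    = Get-ADGroupMember -Server $DomainController -Identity $Group
    $recursive = Get-ADGroupMember -Server $DomainController -Identity $Group -Recursive
    foreach ($m in @($direct) + @($recursive)) {
        if ($m -and -not $seen.ContainsKey($m.SID.Value)) {
            $seen[$m.SID.Value] = $true
            $m
        }
    }
}

function Get-UnauthorizedMembers {
    param([string]$Group, [string]$WhitelistPath)
    if (-not (Test-Path $WhitelistPath)) {
        # A missing whitelist must never degrade into "nobody is authorized"
        # spam or, worse, a silently skipped group.
        throw "Whitelist $WhitelistPath for '$Group' is missing"
    }
    $allowed = @(Get-Content $WhitelistPath |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -match '^S-1-' })
    foreach ($m in Get-EffectiveMembers -Group $Group) {
        if ($allowed -notcontains $m.SID.Value) {
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $m.SamAccountName
                ObjectClass    = $m.objectClass
                SID            = $m.SID.Value
            }
        }
    }
}

$findings = @(foreach ($g in $Monitored.Keys) {
    try {
        Get-UnauthorizedMembers -Group $g -WhitelistPath (Join-Path $WhitelistDir $Monitored[$g])
    } catch {
        # Surface check failures as findings rather than losing the group silently
        [pscustomobject]@{ Group = $g; SamAccountName = "CHECK FAILED"
                           ObjectClass = "error"; SID = $_.Exception.Message }
    }
})

if ($findings.Count -gt 0) {
    $body = $findings | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SMTPServer -To $SMTPTo -From $SMTPFrom -Priority High `
        -Subject "Unauthorized privileged group membership ($($findings.Count) finding(s))" `
        -Body $body
}
```

Populate a whitelist with something like `(Get-ADUser alice).SID.Value` or `(Get-ADGroup "Helpdesk").SID.Value`, one per line. The scheduled-task account only needs to read AD and read the whitelist directory; write access on that directory should be limited to the handful of people who approve privileged membership, since anyone who can edit the files can suppress the alert. The check is a detective control, not a preventive one: a Domain Admin can still disable the task, so treat the mail as a prompt to look at the 4728/4732/4756 group-change events on the DCs, not as the only record.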