Active Directory

Monitoring User, Groups Changes in Active Directory – version 0.8

Little introduction

The Event Monitoring solution written in PowerShell is an event library script (Get-EventsLibrary.ps1) that parses (mostly) Security logs on Domain Controllers. It has several report capabilities, including group membership changes, user changes, user lockouts, user creation and user password changes. While many other scripts provide similar capabilities… the most important thing here is… WHO did the change, and WHEN the change happened!

When set up as a scheduled task it can send daily, weekly, monthly, quarterly (and so on) reports to your email about changes happening in your domain.

For example:
You can easily see a user being added to or removed from the Domain Admins group
You can easily see which HelpDesk agent changed the password for your boss
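Both examples come down to reading the right Security events on the domain controllers and pulling the subject (who) and the timestamp (when) out of them. The snippet below is an added illustration of that idea, written for this article and not taken from Get-EventsLibrary.ps1; the event IDs are the standard Windows ones for account and group changes, the field names come from each event's EventData, and the DC names in the usage line are made up.

```powershell
# Added example, not code from Get-EventsLibrary.ps1: extract "who did what, and when"
# from Security events on domain controllers. Event IDs are the standard Windows ones.
$ChangeEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted by user'
    4724 = 'Password reset by another account (HelpDesk/admin)'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4732 = 'Member added to local security group'
    4733 = 'Member removed from local security group'
    4740 = 'User account locked out'           # subject here is the DC's own machine account
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
}

function Get-ADChangeEvent {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,     # domain controllers to query
        [datetime] $StartTime = (Get-Date).AddHours(-1),
        [datetime] $EndTime = (Get-Date),
        [int[]] $Id = @($ChangeEvents.Keys)
    )
    foreach ($DC in $ComputerName) {
        $Filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime; EndTime = $EndTime }
        # Get-WinEvent throws "No events were found" when nothing matches; treat that as empty
        $Events = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue
        foreach ($Event in $Events) {
            # The named fields live under Event/EventData/Data[@Name]; index them by name
            $Xml = [xml] $Event.ToXml()
            $Data = @{}
            foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

            [PSCustomObject]@{
                When   = $Event.TimeCreated
                DC     = $DC
                Id     = $Event.Id
                Action = $ChangeEvents[$Event.Id]
                Who    = '{0}\{1}' -f $Data['SubjectDomainName'], $Data['SubjectUserName']
                # Group events carry the member in MemberName and the group in TargetUserName;
                # account events carry the affected account in TargetUserName
                Target = if ($Data.ContainsKey('MemberName')) { $Data['MemberName'] } else { $Data['TargetUserName'] }
                Group  = if ($Data.ContainsKey('MemberName')) { $Data['TargetUserName'] } else { $null }
            }
        }
    }
}

# Usage (DC names are constructed for the example): everything from the last day,
# oldest first, so a password reset for the boss shows up with the agent who did it
Get-ADChangeEvent -ComputerName 'DC01', 'DC02' -StartTime (Get-Date).AddDays(-1) |
    Sort-Object When | Format-Table When, DC, Who, Action, Target, Group -AutoSize
```

Querying every DC matters because each one only logs the changes it processed itself; a report built from a single controller misses changes made through the others.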

In this version I've further optimized the code and added some more health checks so that the process is a bit smoother. You can go straight to Get-EventsLibrary.ps1 if you don't fancy reading what has changed… although there were quite a lot of changes, so I would encourage everyone to take a minute to read up.

PSWinReporting Information
Please note that this article contains only part of the information (still useful) and may not reflect all functionalities of this module. For download, source code and so on you should refer to the dedicated PSWinReporting module page. After reading this one… of course! It contains useful information, examples and know-how.
What has changed?
This version (0.8)
Basic
– Rebuilt config file (again, sorry for that)
– Rebuilt Test-Configuration to report what's wrong with configuration (limited capability)
– Changes and fixes for Send-Mail function
– Few other changes
New dates
– ReportPastHour – if it's 23:22 it will report 22:00 till 23:00
– ReportCurrentHour – if it's 23:22 it will report 23:00 till 00:00
– ReportOnDay – weekly report – choose a day to send the report
– ReportCurrentDayMinusDayX – goes back X days and shows just 1 day
– ReportCurrentDayMinuxDaysX – goes back X days and shows all days till today
– ReportCustomDate – custom dates
New reports
– IncludeEventLogSize
– Preparations for IncludeGroupPolicyChanges – doesn't work yet (DO NOT SET TO TRUE)
– Preparations for IncludeClearedLogs – doesn't work yet (DO NOT SET TO TRUE)
– Preparations for IncludeLogonEvents – doesn't work yet (DO NOT SET TO TRUE)
New options
– SendMail – setting deciding if the report should be sent (you may want to just keep the XLSX/CSV files)
– KeepReports – when set, files are kept; if not, files are deleted after sending
– Added AsCSV – although it's easier to work with Excel
– JustTestPrerequisite – checks the config file for errors and terminates

Earlier version
Basic
– Fixed display issues with Write-Color inconsistency
– Small code optimizations
– Added error handling for event listing (would error out on Windows 2003 controllers) – only Windows 2008/R2 and up are supported
– Added Supported column
– Moved Test-Prerequisite from config file to Library

Earlier version
Basic
– Changed configuration settings
– Added option to attach Excel files instead of inline HTML tables
– Added option to send via relay SMTP (just put an empty string in EmailServerLogin – probably port 25, but it depends on the configuration of the server)
– Added verification if modules are available
– Added verification if Get-EventsLibrary.ps1 is available
– Added verification if configuration is consistent (all required options defined) – doesn't check for values – this should prevent possible issues with new versions of Get-EventsLibrary.ps1
– Added report for custom dates
– Added option to choose AsHTML or/and AsExcel – you can have Excel attached along with tables inline in email, or just one of those

First public version
– First public version
What's new in this version - details

There were several features added and changes to the configuration file.

Rebuilt config file (again, sorry for that)
Changes and fixes for Send-Mail function
Few other fixes

Support for new dates
ReportPastHour – if it's 23:22 it will report 22:00 till 23:00
ReportCurrentHour – if it's 23:22 it will report 23:00 till 00:00
ReportOnDay – weekly report – choose a day to send the report – essentially you can pick any day: “Monday”, “Tuesday”, “Wednesday”, “Thursday” and so on. You can actually have it send the report on “Monday” and “Friday” if you wish.
ReportCurrentDayMinusDayX – goes back X days and shows just 1 day
ReportCurrentDayMinuxDaysX – goes back X days and shows all days till today
ReportCustomDate – custom dates, just in case you want to check something quickly
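To make the difference between these windows concrete, here is an added example (my own illustration, not the script's code) that turns each option into a Start/End pair from a reference time. The option names are spelled exactly as in this post; the arithmetic follows the descriptions above, and the choices for ReportOnDay (covering the previous 7 days) and for the end of the “till today” window (end of the current day) are assumptions.

```powershell
# Added example, not code from Get-EventsLibrary.ps1: derive the reporting window
# for each Report* option from a reference time. Option names as used in this post.
function Get-ReportWindow {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ReportPastHour', 'ReportCurrentHour', 'ReportOnDay',
                     'ReportCurrentDayMinusDayX', 'ReportCurrentDayMinuxDaysX')]
        [string] $Report,
        [datetime] $Now = (Get-Date),
        [int] $BackDays = 1,               # the X in ...MinusDayX / ...MinuxDaysX
        [string[]] $OnDay = @('Monday')    # days on which ReportOnDay fires (assumption)
    )
    $HourStart = $Now.Date.AddHours($Now.Hour)   # 23:22 -> 23:00 of the same day
    $DayStart  = $Now.Date                        # today at 00:00

    switch ($Report) {
        'ReportPastHour'    { $Start = $HourStart.AddHours(-1); $End = $HourStart }
        'ReportCurrentHour' { $Start = $HourStart;              $End = $HourStart.AddHours(1) }
        'ReportOnDay' {
            # Weekly report: nothing on other days; on a listed day cover the previous 7 days (assumption)
            if ($OnDay -notcontains $Now.DayOfWeek.ToString()) { return $null }
            $Start = $DayStart.AddDays(-7); $End = $DayStart
        }
        'ReportCurrentDayMinusDayX' {
            # Go back X days and show just that one day
            $Start = $DayStart.AddDays(-$BackDays); $End = $Start.AddDays(1)
        }
        'ReportCurrentDayMinuxDaysX' {
            # Go back X days and show everything from there till the end of today (assumption)
            $Start = $DayStart.AddDays(-$BackDays); $End = $DayStart.AddDays(1)
        }
    }
    [PSCustomObject]@{ Report = $Report; Start = $Start; End = $End }
}

# Walk through the examples from the post with 23:22 as the reference time (constructed)
$Ref = [datetime] '2018-06-10T23:22:00'   # a Sunday
Get-ReportWindow -Report ReportPastHour -Now $Ref                        # 22:00 -> 23:00
Get-ReportWindow -Report ReportCurrentHour -Now $Ref                     # 23:00 -> 00:00 next day
Get-ReportWindow -Report ReportCurrentDayMinusDayX -BackDays 3 -Now $Ref # one day, 3 days ago
Get-ReportWindow -Report ReportCurrentDayMinuxDaysX -BackDays 3 -Now $Ref # 3 days ago till end of today
Get-ReportWindow -Report ReportOnDay -OnDay 'Monday', 'Friday' -Now $Ref # $null: Sunday is not a report day
```

The Start/End pair is what you would hand to Get-WinEvent as StartTime/EndTime; getting the boundaries right is what keeps hourly reports from either overlapping or leaving gaps between runs.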

New reports
IncludeEventLogSize – this one makes sure you're informed on how your logs are growing – it supports adding multiple log names. Below it shows the Security log, but you can put “Security”, “Application” and so on… as long as those exist on the system it will report on them.
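Why this report matters for a Security log is worth spelling out: a DC whose Security log hits its maximum size in circular mode silently overwrites the oldest events, and those are exactly the ones an hourly or daily report has not seen yet. The added example below (my own code, not the IncludeEventLogSize implementation) reports any number of logs and flags the ones close to full; the warning threshold is an assumption.

```powershell
# Added example, not the script's IncludeEventLogSize code: size, limit and fill level of
# any number of logs, with a flag for logs close to overwriting their oldest events.
function Get-EventLogSizeReport {
    param(
        [string[]] $LogName = @('Security', 'Application', 'System'),
        [string]   $ComputerName = $env:COMPUTERNAME,
        [int]      $WarnAtPercent = 80     # threshold is an assumption for this example
    )
    foreach ($Log in $LogName) {
        # -ListLog returns the log's configuration; a non-existent log produces an error, not an object
        $Info = Get-WinEvent -ListLog $Log -ComputerName $ComputerName -ErrorAction SilentlyContinue
        if (-not $Info) {
            Write-Warning "Log '$Log' does not exist on $ComputerName, skipping"
            continue
        }
        $Percent = if ($Info.MaximumSizeInBytes -and $Info.FileSize) {
            [math]::Round(100 * $Info.FileSize / $Info.MaximumSizeInBytes, 1)
        } else { 0 }

        [PSCustomObject]@{
            Computer    = $ComputerName
            LogName     = $Info.LogName
            SizeMB      = [math]::Round($Info.FileSize / 1MB, 1)
            MaxSizeMB   = [math]::Round($Info.MaximumSizeInBytes / 1MB, 1)
            PercentFull = $Percent
            Records     = $Info.RecordCount
            LogMode     = $Info.LogMode          # Circular = oldest events are overwritten when full
            NearLimit   = ($Percent -ge $WarnAtPercent)
        }
    }
}

# Usage: the same list of names the config option takes
Get-EventLogSizeReport -LogName 'Security', 'Application' | Format-Table -AutoSize
```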

While 3 new options showed up… please do not use them, as they are working incorrectly and may send your script into a loop.

Preparations for IncludeGroupPolicyChanges – doesn't work yet (DO NOT SET TO TRUE)
Preparations for IncludeClearedLogs – doesn't work yet (DO NOT SET TO TRUE) – but the goal is to report who cleared the logs and when. It's useful if someone wants to cover their tracks or has a habit of cleaning up logs.
Preparations for IncludeLogonEvents – doesn't work yet (DO NOT SET TO TRUE)
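The goal described for IncludeClearedLogs (who cleared a log, and when) can be checked by hand today. Windows records a cleared Security log as event 1102 in the Security log and a cleared log of any other kind as event 104 in the System log, both from the Microsoft-Windows-Eventlog provider; unlike the account events above, these keep the subject under UserData/LogFileCleared rather than EventData. The following is an added example written for this article, not the script's own IncludeClearedLogs code, and the DC names in the usage line are made up.

```powershell
# Added example, not the script's IncludeClearedLogs code: who cleared which log, and when.
# Security 1102 = "The audit log was cleared"; System 104 = "The <name> log file was cleared".
function Get-ClearedLogEvent {
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,
        [datetime] $StartTime = (Get-Date).AddDays(-7)
    )
    $Filters = @(
        @{ LogName = 'Security'; Id = 1102; ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $StartTime }
        @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $StartTime }
    )
    foreach ($DC in $ComputerName) {
        foreach ($Filter in $Filters) {
            $Events = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue
            foreach ($Event in $Events) {
                # These events put the subject under Event/UserData/LogFileCleared
                $Cleared = ([xml] $Event.ToXml()).Event.UserData.LogFileCleared
                [PSCustomObject]@{
                    When       = $Event.TimeCreated
                    DC         = $DC
                    Id         = $Event.Id
                    Who        = '{0}\{1}' -f $Cleared.SubjectDomainName, $Cleared.SubjectUserName
                    # 104 names the cleared channel; 1102 always refers to the Security log
                    LogCleared = if ($Event.Id -eq 104) { $Cleared.Channel } else { 'Security' }
                    # 104 also records where the log was backed up before clearing, if it was
                    BackupPath = if ($Event.Id -eq 104) { $Cleared.BackupPath } else { $null }
                }
            }
        }
    }
}

# Usage (DC names are constructed): anyone who cleared a log on a DC in the last week
Get-ClearedLogEvent -ComputerName 'DC01', 'DC02' | Sort-Object When | Format-Table -AutoSize
```

Because clearing the log is itself the first event written to the fresh log, 1102 survives the clear; a clear with no backup path on a DC is the case worth a follow-up question.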

New features

SendMail – setting deciding if the report should be sent (you may want to just keep the XLSX/CSV files on the filesystem)
KeepReports – when set, files are kept; if not, files are deleted after sending
AsCSV – although it's easier to work with Excel, in some cases you may want to save reports to CSV.
New feature – JustTestPrerequisite – checks the config file for errors and terminates. Additionally, as part of this feature I've rebuilt the Test-Configuration function to report what's wrong with the configuration. This should give you an idea of what is missing in config files.
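What a prerequisite check of this kind looks like, as an added example rather than the script's Test-Configuration: every required option present and of the right type, the unfinished switches from this post refused when set to true, and unknown keys (usually typos) reported. The flat hashtable layout, the set of required keys and their types are assumptions for the example; only the option names come from this post.

```powershell
# Added example, not the script's Test-Configuration: validate a configuration hashtable
# before the report runs. Layout and required set are assumptions; option names are from the post.
$RequiredOptions = @{
    EmailServer      = [string]
    EmailServerLogin = [string]     # empty string is valid: relay SMTP without authentication
    EmailFrom        = [string]
    EmailTo          = [string]
    SendMail         = [bool]
    KeepReports      = [bool]
    AsHTML           = [bool]
    AsExcel          = [bool]
    AsCSV            = [bool]
}
# Switches this version ships but says must not be enabled yet
$UnfinishedOptions = 'IncludeGroupPolicyChanges', 'IncludeClearedLogs', 'IncludeLogonEvents'
$KnownOptions = @($RequiredOptions.Keys) + $UnfinishedOptions + @(
    'ReportPastHour', 'ReportCurrentHour', 'ReportOnDay', 'ReportCurrentDayMinusDayX',
    'ReportCurrentDayMinuxDaysX', 'ReportCustomDate', 'IncludeEventLogSize',
    'IncludeDomainControllersReboots', 'JustTestPrerequisite'
)

function Test-ReportConfiguration {
    param([Parameter(Mandatory)] [hashtable] $Configuration)
    $Problems = @(
        foreach ($Option in $RequiredOptions.Keys) {
            if (-not $Configuration.ContainsKey($Option)) { "Missing required option: $Option"; continue }
            $Expected = $RequiredOptions[$Option]
            if ($Configuration[$Option] -isnot $Expected) {
                "Option $Option should be a $($Expected.Name), got '$($Configuration[$Option])'"
            }
        }
        foreach ($Option in $UnfinishedOptions) {
            if ($Configuration[$Option] -eq $true) { "Option $Option is not finished yet and must not be set to true" }
        }
        foreach ($Option in $Configuration.Keys) {
            if ($Option -notin $KnownOptions) { "Unknown option: $Option (typo?)" }
        }
    )
    [PSCustomObject]@{ IsValid = ($Problems.Count -eq 0); Problems = $Problems }
}

# Constructed config with three deliberate mistakes: wrong type, unfinished switch on, typo in a key
$Config = @{
    EmailServer = 'smtp.example.com'; EmailServerLogin = ''; EmailFrom = 'reports@example.com'
    EmailTo = 'admins@example.com'; SendMail = 'yes'; KeepReports = $true
    AsHTML = $true; AsExcel = $false; AsCSV = $false
    IncludeClearedLogs = $true; ReportPastHours = $true
}
$Result = Test-ReportConfiguration -Configuration $Config
if (-not $Result.IsValid) { $Result.Problems | ForEach-Object { Write-Warning $_ }; return }
```

Running this first and stopping on any problem is the behaviour JustTestPrerequisite gives you; the point of refusing the unfinished switches up front is that a loop caused by a half-implemented option is much easier to spot in a validation message than in a scheduled task that never finishes.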

Known issues

At this moment there are several unfinished features. The most visible are:

Configuration option – IncludeLogonEvents is not working correctly
Configuration option – IncludeDomainControllersReboots contains more information than needed
Configuration option – IncludeClearedLogs switch is not working
Configuration option – IncludeGroupPolicyChanges switch is not working yet (keeps reports saved by default)

This post was last modified on June 10, 2018 13:23

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
