Track Changes to Active Directory Users Attributes

Hi Readers,

We had a requirement to monitor Active Directory user attributes (Name, DisplayName, Department, Manager, DN, Title, l) for particular users.

After a bit of research on the internet (so that we didn't have to write it from scratch if someone had already done so), we found a script for monitoring group membership but none for AD attributes, so we took the script we found and modified it to monitor the attributes above.

Because the DN is one of the monitored attributes, the script takes SIDs as input: a SID doesn't change if the user ID is renamed.

Extract the zip file from the link below and change the attributes listed below:

http://gallery.technet.microsoft.com/scriptcenter/Track-Changes-to-Active-854e407b

$Emailfrom = "CMDBCHGMonitor@labtest.com"

$Emailto = "AmitKumar@labtest.com"

$Emailbcc = "vikassukhija@labtest.com"

$email1 = "vikassukhija@labtest.com"       (for the error email, if the script resulted in an error)

$EmailServer = "smtpserver"

Define the SIDs that you want to monitor in the Sids.txt file.

Schedule it to run from Task Scheduler. The script extracts the user attributes to a CSV file and compares them with the previously saved attributes CSV; if there is a change, it sends an email alert. On the first run it creates a state CSV so that on the next run it can compare the changed attributes against this file.

The alert below will be received by email:

Download the Quest Management Shell (it's a free shell) –> http://www.quest.com/powershell/activeroles-server.aspx

Note:- The script will not run without the Quest shell.

######################################################################################################## 
#           Reference: http://www.lazywinadmin.com/2013/10/powershell-monitor-and-report-active.html 
#           Modified by: Vikas Sukhija so that it can monitor AD attributes instead of Group membership 
#           Date:- 05/18/2014 
#           Description:- This script will Track changes to users AD attributes 
#                 
#########################################################################################################   

# The report and state files are saved next to the script (absolute path, so it also works from Task Scheduler)
$ScriptPath = (Split-Path ((Get-Variable MyInvocation).Value).MyCommand.Path)
$DateFormat = Get-Date -Format "yyyyMMdd_HHmmss"
$DataStore  = Join-Path $ScriptPath "datastore"

# Monitor the following users (one SID per line)
$users = Get-Content (Join-Path $ScriptPath "Sids.txt")

# State files live in .\datastore; create it on first run
If (!(Test-Path $DataStore)) {
    New-Item -ItemType Directory -Path $DataStore | Out-Null
}

# Email information
$Emailfrom   = "CMDBCHGMonitor@labtest.com"
$Emailto     = "AmitKumar@labtest.com"
$Emailbcc    = "vikassukhija@labtest.com"
$email1      = "vikassukhija@labtest.com"
$EmailServer = "smtpserver"

# Quest Active Directory Snapin
If ((Get-PSSnapin | where {$_.Name -match "Quest.ActiveRoles.ADManagement"}) -eq $null) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

FOREACH ($item in $users) {

    # Let's get the current state
    $ADUser   = Get-QADUser $item
    $UserName = $ADUser | Select-Object Name,DisplayName,Department,Manager,DN,Title,l,sid
    $usrcsv   = $UserName.sid
    $usrname  = $UserName.Name
    # The domain name is read from the full object (as in the referenced script);
    # Select-Object above keeps only the monitored attributes and drops the Domain property
    $DomainName = $ADUser.Domain.Name

    $EmailSubject = "PS MONITORING - $usrname Attributes Change"

    # Store the user attributes in these files (last known state, and the state just read from AD)
    $StateFile = Join-Path $DataStore "$($DomainName)_$($usrcsv)-Attributes.csv"
    $ADCFile   = Join-Path $DataStore "$($DomainName)_$($usrcsv)-ADCAttributes.csv"

    $UserName | Export-Csv $ADCFile -NoTypeInformation -Encoding Unicode

    # If the state file doesn't exist, create one (first run: nothing to compare against yet)
    If (!(Test-Path $StateFile)) {
        $UserName | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
    }

    # Now compare the current attributes to the last state we recorded.
    # Rows only in the state file ("=>") are the previous state, the others the current state.
    $Changes = Compare-Object $(Import-Csv $ADCFile) $(Import-Csv $StateFile) -Property Name,DisplayName,Department,Manager,DN,Title,l |
        Select-Object Name,DisplayName,Department,Manager,DN,Title,l,
            @{n='State';e={If ($_.SideIndicator -eq "=>") {"Previous State"} Else {"Current State"}}}
    $Changes

    # If we have some changes, mail them
    If ($Changes) {
        $body = $($Changes | Format-List | Out-String)
        $msg  = New-Object Net.Mail.MailMessage
        $smtp = New-Object Net.Mail.SmtpClient($EmailServer)
        $msg.From = $Emailfrom
        $msg.To.Add($Emailto)
        $msg.Bcc.Add($Emailbcc)
        $msg.Subject = $EmailSubject
        $msg.Body = $body
        $smtp.Send($msg)
    }
    # Save current state to the csv
    $UserName | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
}

##########################end region script################

if ($error.Count -gt 0) {
    # SMTP Relay address
    $msg  = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($EmailServer)

    # Mail sender
    $msg.From = $Emailfrom
    # Mail recipient (error address)
    $msg.To.Add($email1)
    $msg.Subject = "CMDB attribute script Monitor Error"
    $msg.Body = ($error | Out-String)
    $smtp.Send($msg)
    $error.Clear()
}
else {
    Write-Host "no errors till now"
}
###############################################################
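The script above reports a change as two whole rows (previous and current state), which leaves the reader of the alert to spot which of the seven attributes actually differs. The following is an added example, not part of the original script or the Quest toolkit, that does the same state-file comparison attribute by attribute and returns one record per changed attribute. It uses constructed sample records in place of the Get-QADUser output (the SID and DNs are placeholders), so it runs without a directory connection; the function and parameter names are my own.

```powershell
# Added example (not from the original post): per-attribute change detection
# for an AD user record, using constructed sample data instead of Get-QADUser.

$MonitoredAttributes = 'Name','DisplayName','Department','Manager','DN','Title','l'

function Compare-UserAttributeState {
    param(
        [Parameter(Mandatory)] $Previous,   # record loaded from the state csv
        [Parameter(Mandatory)] $Current,    # record just read from AD
        [string[]] $Attributes = $MonitoredAttributes
    )
    foreach ($attr in $Attributes) {
        $old = [string]$Previous.$attr
        $new = [string]$Current.$attr
        # Ordinal comparison: a change in capitalisation only still counts as a change
        if (-not [string]::Equals($old, $new, [System.StringComparison]::Ordinal)) {
            [pscustomobject]@{
                Sid       = $Current.sid
                Attribute = $attr
                Previous  = $old
                Current   = $new
            }
        }
    }
}

function Update-UserStateFile {
    # Same first-run behaviour as the script: seed the baseline, report nothing
    param([Parameter(Mandatory)] $Current, [Parameter(Mandatory)][string] $StateFile)
    if (-not (Test-Path $StateFile)) {
        $Current | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
        return @()
    }
    $previous = Import-Csv $StateFile
    $changes  = @(Compare-UserAttributeState -Previous $previous -Current $Current)
    # Write the new baseline only after the diff has been taken
    $Current | Export-Csv $StateFile -NoTypeInformation -Encoding Unicode
    return $changes
}

# --- constructed sample data (placeholder SID and DNs, not from a real directory) ---
$previous = [pscustomobject]@{
    Name = 'Amit Kumar'; DisplayName = 'Amit Kumar'; Department = 'Finance'
    Manager = 'CN=Old Manager,OU=Users,DC=labtest,DC=com'
    DN = 'CN=Amit Kumar,OU=Finance,DC=labtest,DC=com'
    Title = 'Analyst'; l = 'Toronto'; sid = 'S-1-5-21-0-0-0-1001'
}
$current = [pscustomobject]@{
    Name = 'Amit Kumar'; DisplayName = 'Amit Kumar'; Department = 'IT'
    Manager = 'CN=New Manager,OU=Users,DC=labtest,DC=com'
    DN = 'CN=Amit Kumar,OU=IT,DC=labtest,DC=com'
    Title = 'Analyst'; l = 'Toronto'; sid = 'S-1-5-21-0-0-0-1001'
}

# Department, Manager and DN are reported; the other four attributes are unchanged
$changes = Compare-UserAttributeState -Previous $previous -Current $current
$changes | Format-Table -AutoSize
```

In the scheduled script, `$current` would be the `Select-Object` output for one SID and `Update-UserStateFile` would be called with that user's state file path; the returned records can be piped through `Format-Table | Out-String` to build the mail body, which then names the attribute, its old value and its new value on one line each.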

Regards

Sukhija Vikas

http://msexchange.me


4 thoughts on "Track Changes to Active Directory Users Attributes"

  1. Thanks for sharing your valuable information.
    Due to the hectic schedule at my workstation, I use Lepide Auditor for Active Directory, i.e., http://www.lepide.com/active-directory-audit/, to audit the changes made in my Active Directory environment. This tool is an appropriate solution that audits all the critical changes at a granular level and provides the report with real-time monitoring. Features like instant alerts make this tool more comprehensive, as it alerts instantly on all changes by sending customized email notifications.

  2. OH MAN!!! I spent a week making a version of basically this, only mine doesn't work nearly as well. Next time, google first, code second.

    Thank you for posting this, lifesaver.
