Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

Monitoring User, Groups Changes in Active Directory – version 0.8

img_5ad658be73778
Little introduction

Event Monitoring solution written in PowerShell is an event library (Get-EventsLibrary.ps1) script that parses Security (mostly) logs on Domain Controllers. It has few reports capabilities including sending group membership changes, user changes, user lockouts, user creation, user password change. While many other scripts provide similar capabilities… It's most important thing is … WHO did the change, WHEN the change happend!

When setup as Task Schedule it can send daily, weekly, monthly, quarterly (and so on) reports to your email about changes happening in your domain.

For example:
You can easily see user being added or removed from Domain Admins group
You can easily change your HelpDesk agent did change of password for your boss 

In this version I've further optimized code and added some more health checks so that the process is a bit smoother. You can go straight to Get-EventsLibrary.ps1 if you don't fancy reading what has changed… although there was quite a lot of changes so I would encourage everyone to take a minute to read up.

PSWinReporting Information
Please notice this article contains parts of information (still useful) and may not reflect all functionalities of this module. For download, source code and so on you should refer to the dedicated PSWinReporting module page. After reading this one… of course! It contains useful informationexamples and know-how.
What has changed?
    [accordionitem] Basic – Rebuilt config file (again, sorry for that) – Rebuilt Test-Configuration to report what's wrong with configuration (limited capability) – Changes and fixes for Send-Mail function – Few other changes New Dates – ReportPastHour – if it's 23:22 it will report 22:00 till 23:00 – ReportCurrentHour – if it's 23:22 it will report 23:00 till 00:00 – ReportOnDay – weekly report – choose a day to send the report – ReportCurrentDayMinusDayX – goes back X days and shows just 1 day – ReportCurrentDayMinuxDaysX – goes back X days and shows all days till today – ReportCustomDate – custom dates New reports: – IncludeEventLogSize – – Preparations for IncludeGroupPolicyChanges – doesn't work yet (DO NOT SET TO TRUE) – Preparations for IncludeClearedLogs – doesn't work yet (DO NOT SET TO TRUE) – Preparations for IncludeLogonEvents – doesn't work yet (DO NOT SET TO TRUE) New options: – SendMail – setting deciding if report should be sent (you may want to just keep the XLSX/CSV files) – KeepReports – when set files are kept, if not files are deleted after sending – Added AsCSV – althought it's easier to work with Excel – JustTestPrerequisite – checks config file for errors and terminates [/accordionitem] [accordionitem] Basic – Fixed display issues with Write-Color inconsistency – Fixed small code optimizations – Added error handling for event listng (would error out on Windows 2003 controllers) – only Windows 2008/R2 and up are supported – Added Supported column – Moved Test-Prerequisite from config file to Library [/accordionitem] [accordionitem] Basic – Changed configuration settings – Added option to attach excel files instead of inline html tables – Added option to send via relay smtp (just put empty string in EmailServerLogin – probably port 25 but depends on configuration of server) – Added verification if modules are available – Added verification if Get-EventsLibrary.ps1 is available – Added verification if configuration is consistent (all required options defined) – doesn't check for values – this should prevent possible issues with new versions of Get-EventsLibrary.ps1 – Added report for custom dates – Added option to choose AsHTML or/and AsExcel – you can have Excel attached along with tables inline in email or just one of those [/accordionitem] [accordionitem] – First public version [/accordionitem]
What's new in this version - details

There were several features added and changes to configuration file.

Rebuilt config file (again, sorry for that)
Changes and fixes for Send-Mail function
Few other fixes

Support for new dates
ReportPastHour – if it's 23:22 it will report 22:00 till 23:00
ReportCurrentHour – if it's 23:22 it will report 23:00 till 00:00
ReportOnDay – weekly report – choose a day to send the report – essentially you can pick any day “Monday“, “Tuesday“, “Wednesday“, “Thursday” and so on. You can actually have it send report on “Monday”, “Friday” if you wish. 
ReportCurrentDayMinusDayX – goes back X days and shows just 1 day
ReportCurrentDayMinuxDaysX – goes back X days and shows all days till today
ReportCustomDate – custom dates, just in case you want to check something quickly 

New reports
IncludeEventLogSize – this one makes sure you're informed on how your logs are growing – it supports adding multiple log names. Below it shows Security log but you can put “Security”, “Application” and so on… as long as those exists on the system it will report for them.  

While 3 new options showed up… please do not use them as those are working incorrectly and may trigger your script into loop.

Preparations for IncludeGroupPolicyChanges – doesn't work yet (DO NOT SET TO TRUE)
Preparations for IncludeClearedLogs – doesn't work yet (DO NOT SET TO TRUE) – but the goal is to report who / when did the reset of logs. It's useful if someone wants to cover his tracks or has a habit of cleaning up logs. 
Preparations for IncludeLogonEvents – doesn't work yet (DO NOT SET TO TRUE)

New features

SendMail – setting deciding if report should be sent (you may want to just keep the XLSX/CSV files on filesystem)
KeepReports – when set files are kept, if not files are deleted after sending
AsCSV – although it's easier to work with Excel in some cases you may want to save reports to CSV.
New feature – JustTestPrerequisite – checks config file for errors and terminates. Additionally as part of this feature I've rebuilt Test-Configuration function to report what's wrong with configuration. This should give you idea what is missing in config files.

Known issues

At this moment there are several not finished features. The most visible are:

Configuration options – IncludeLogonEvents are not working correctly
Configuration options – IncludeDomainControllersReboots contains more information then needed
Configuration options – IncludeClearedLogs switch is not working
Configuration options – IncludeGroupPolicyChanges swich is not working yet (keeps reports saved by default)

Posty powiązane