Automating User Access Reporting with PowerShell

Have you ever needed a list of all of your users and the Security Groups they belong to? Often organizations find themselves with a business need to periodically report the permissions that users have in the environment. This is usually for auditing or information assurance purposes. Whatever your reasons, below this article will cover how to write a PowerShell script that can be used to schedule the generation of a CSV file that contains a list of all users and their group membership. ​

Click below to view the full script on github

User Access Review.ps1

Note: It is likely that the Security and Distribution Groups in Active Directory are not the only place that user permissions are configured. Be sure to take your entire environment into consideration. It is likely this report will not be the only report needed to show user access in your environment.

First things first, we need to import the modules required for this script to run. Here is more on Understanding Windows PowerShell Modules.

Import-Module Activedirectory

Next we should set the variables needed to save the report. We will put the date of report generation in the title of the file to keep the files from running into file name conflicts.

$date = Get-Date -UFormat "%Y-%m-%d"
$ReportPath = "\\FileServer\Reports"
$ReportName = $date

Next it's time to generate a list of users and their groups. We use the pipe to accomplish this, but a foreach statement would also have worked here. We're also sorting the list alphabetically and exporting the list into a .csv file. ​

Get-ADUser -Filter * -Properties DisplayName,memberof | % {
    New-Object PSObject -Property @{
        UserName = $_.DisplayName
        Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ","
        }
     } | Select UserName,Groups | sort UserName | Export-Csv -path "$ReportPath\$ReportName-ADUCPermissions.csv" -NTI

Lastly, we'll want to notify the team responsible for reviewing the permissions now that the report is ready. It would also be possible to automate this review by keeping a master list of users and their groups. Keep in mind that the list would have to be updated after every New Hire and Termination. See my New Hire script  and Termination script if automating either of those processes could benefit your organization.

​     # Set email variables
     $SMTPServer = "9.9.9.9"
     $From = "InfoSec@doman.com"
     $To = "team@domain.com"
     $Subject = "Monthly User Permissions Report"
     $Body = @"
     Team,      
     The Monthly User Permissions Report is ready and available for viewing at: 
     "$ReportPath\$ReportName-ADUCPermissions.csv"      
     The Monthly User Permissions Report shows all domain users and every Security Group and Distrubution     Group that user is a member of.

     Thanks!
     InfoSec Team
     "@

     # Send the email 
     Send-MailMessage -From "$From" -To "$To" -Subject "$Subject" -Body "$Body" -smtpServer $SMTPServer

Now all that's left is to schedule this script to run at the desired frequency. I'd suggest monthly. This can be done with Task Scheduler. For some help on scheduling PowerShell scripts to run, check out Run PowerShell Scripts on a Schedule.