If you read my article on Automating User Access Reporting, you have probably gathered that exporting security group membership from Active Directory is fairly simple. The challenge is that after all of those users' security group membership details have been exported, they have to be reviewed. If you have more than 50 users, that is probably going to take quite a while. Who wants to read through text files for 4 hours trying to figure out whether group membership has changed? Especially if your organization is required to do that every month?

This article demonstrates how to create a two-step process that eliminates 99% of the time spent on reviewing security group membership. When a new user is created using the New User Script (from my article called Onboarding New Users with PowerShell), the script assigns groups to the user and then exports a text file to a file server. The User Access Review script runs monthly, exports security group membership to a new location and compares the new file to the original file. If they match, no review is necessary. If not, an email is sent to the appropriate team notifying them of the change and asking for the user's permissions to be reviewed.

The full .ps1 file is available on GitHub.

Note: It is likely that the Security and Distribution Groups in Active Directory are not the only place where user permissions are configured. Be sure to take your entire environment into consideration; this review will probably not be the only user access review your environment needs.

Import the right modules

First things first, we need to import the modules required for this script to run. More here on Understanding Windows PowerShell Modules.

```powershell
Import-Module ActiveDirectory
```

Define the Variables

Next we will set some variables. You will need to decide where to save these text files. The $DTStamp variable is just a date-time stamp. The $Users variable is a list of all enabled user accounts in Active Directory. The $LogPath is the location where your logs will be saved each time this script runs. The $OriginalPath is the location of the logs generated by the New Hire script when the user is first created.

```powershell
$DTStamp = Get-Date -Format u | foreach {$_ -replace ":", "-"}
```

Next a folder is created with the date-time stamp as its name, so that the folder always has a unique name. Then we test the path to ensure the folder has been created.

```powershell
# Create dated folder for logs
```

Define the Function

This is the best part: where we define a function called Review_Access to do all the work of generating the log files and comparing them. For each enabled user in Active Directory we perform the following steps:

Here is the code for the function:

```powershell
# Define function to check user groups and add changed users to an array
```

Lastly, we define the email variables for notifying the appropriate team and then send the email.

```powershell
# Email variables
```

All that's left is to schedule the PowerShell script to run using the Task Scheduler. That's it! See my New Hire script and Termination script if automating either of those processes could benefit your organization.
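The dated log folder, the Review_Access function and the notification email described above, written out as an added example. This is not the post's own script (the full .ps1 is on the author's GitHub); it assumes the baseline files written at onboarding are named after the user's SamAccountName with one group name per line, and the UNC paths and mail addresses are placeholders.

```powershell
# Added example, not the original script. Assumed: baseline files written at
# onboarding are named "<SamAccountName>.txt" with one group name per line;
# the paths and mail settings below are placeholders.
Import-Module ActiveDirectory

$OriginalPath = '\\fileserver\AccessReview\Original'   # assumed baseline location
$LogRoot      = '\\fileserver\AccessReview\Logs'       # assumed log root
$DTStamp      = (Get-Date -Format u) -replace ':', '-'
$LogPath      = Join-Path -Path $LogRoot -ChildPath $DTStamp

# Create the dated folder for this run and confirm it exists
if (-not (Test-Path -Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory | Out-Null
}
if (-not (Test-Path -Path $LogPath)) { throw "Could not create log folder $LogPath" }

function Review_Access {
    # Export one user's current group membership, compare it with the baseline
    # and return a change record (or nothing when membership is unchanged).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $Current = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                 Select-Object -ExpandProperty Name | Sort-Object)
    $NewFile  = Join-Path -Path $LogPath      -ChildPath "$SamAccountName.txt"
    $OrigFile = Join-Path -Path $OriginalPath -ChildPath "$SamAccountName.txt"
    $Current | Out-File -FilePath $NewFile -Encoding UTF8

    if (-not (Test-Path -Path $OrigFile)) {
        # No baseline from onboarding: flag it so the gap is reviewed rather than ignored
        return [pscustomobject]@{ User = $SamAccountName; Change = 'no baseline file' }
    }

    $Baseline = @(Get-Content -Path $OrigFile | Where-Object { $_ -ne '' })
    $Added    = @($Current  | Where-Object { $Baseline -notcontains $_ })
    $Removed  = @($Baseline | Where-Object { $Current  -notcontains $_ })
    if ($Added.Count -eq 0 -and $Removed.Count -eq 0) { return $null }

    $Detail = @()
    if ($Added.Count)   { $Detail += 'added: '   + ($Added   -join ', ') }
    if ($Removed.Count) { $Detail += 'removed: ' + ($Removed -join ', ') }
    return [pscustomobject]@{ User = $SamAccountName; Change = ($Detail -join '; ') }
}

# Review every enabled user and collect the ones whose membership changed
$ChangedUsers = @()
foreach ($User in (Get-ADUser -Filter 'Enabled -eq $true')) {
    $Result = Review_Access -SamAccountName $User.SamAccountName
    if ($Result) { $ChangedUsers += $Result }
}

# Email variables and notification; only sent when at least one user changed
if ($ChangedUsers.Count -gt 0) {
    $MailParams = @{
        From       = 'accessreview@example.com'     # placeholder
        To         = 'security-team@example.com'    # placeholder
        SmtpServer = 'smtp.example.com'             # placeholder
        Subject    = "User access review $($DTStamp): $($ChangedUsers.Count) user(s) changed"
        Body       = ($ChangedUsers | ForEach-Object { "$($_.User): $($_.Change)" }) -join "`r`n"
    }
    Send-MailMessage @MailParams
}
```

A user with no baseline file is reported as a change rather than skipped: an account that was created outside the onboarding script is exactly the kind of account a monthly access review should surface. The added and removed groups are listed separately in the email so the reviewer can see which direction the change went without opening the two text files.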
Author: Sheridan. Archives: June 2019.