
Technology

Automating User Access Review

5/1/2018

If you read my article on Automating User Access Reporting, you probably understand that exporting security group membership from Active Directory is fairly simple. The challenge is that after all of those users' security group membership details have been exported, they still have to be reviewed. If you have more than 50 users, that's probably going to take quite a while. Who wants to read through text files for 4 hours trying to figure out if group membership has changed? Especially if your organization is required to do that every month?
This article demonstrates how to create a two-step process that eliminates 99% of the time spent on reviewing security group membership. When a new user is created using the New User Script (from my article called Onboarding New Users with PowerShell), the script assigns groups to the user and then exports a text file to a file server. The User Access Review script runs monthly, exports security group membership to a new location and compares the new file to the original file. If they match, no review is necessary. If not, an email is sent to the appropriate team notifying them of the change and asking for the permissions of the user to be reviewed.
Click below to view the full .ps1 file on github
User Access Review.ps1
Note: It is likely that the Security and Distribution Groups in Active Directory are not the only place that user permissions are configured. Be sure to take your entire environment into consideration. It is likely this review will not be the only user access review needed for your environment.

Import the right modules
First things first, we need to import the modules required for this script to run. More here on Understanding Windows PowerShell Modules.
Import-Module ActiveDirectory
Define the Variables
Next we will set some variables. You'll need to decide where to save these text files. The $DTStamp variable is just a date-time stamp. The $Users variable is a list of all enabled user accounts in Active Directory. The $LogPath is the location that your logs will be saved each time this script runs. The $OriginalPath is the location of the logs that are generated by the New Hire script when the user is first created.
$DTStamp = Get-Date -Format u | foreach {$_ -replace ":", "-"}
$Users = (get-aduser -Filter 'enabled -eq $true').samaccountname
$LogPath = "\\FileServer\User Access Review\$DTStamp"
$OriginalPath = "\\FileServer\Original Group Membership"
$ChangedUsers = @()
Next a folder is created with a date-time stamp as the name of the folder, so that the folder always has a unique name. Then we test the path to ensure the folder has been created.
# Create dated folder for logs
New-Item -ItemType directory -Path "$LogPath" | Out-Null
# Stop if the folder was not created (piping Test-Path to Out-Null would silently discard the result)
if (-not (Test-Path $LogPath)) { throw "Log folder $LogPath was not created" }
Define the Function
This is the best part, where we define a function called Review_Access to do all the work of generating the log files and comparing them. For each enabled user in Active Directory we perform the following steps:
  1. Get a list of groups that user is a member of
  2. Export those groups to a log file named after the user
  3. Compare the file hash of the new log file to the hash of the original log file to ensure they are identical.
    1. Note: There must be an original log file to compare the new file to. I accomplished this by running this script once without the $DTStamp variable in the file name and moving those logs to the $OriginalPath directory
  4. Any mismatches are stored in the $ChangedUsers variable and emailed to the address in the $To variable

Here is the code for the function:
# Define function to check user groups and add changed users to an array
Function Review_Access {
    foreach ($User in $Users) {
        # Set variables ($Global: scope so the values are still available outside the function)
        $UserGroups = (Get-ADPrincipalGroupMembership $User).name | Sort-Object
        $Global:ReviewedLog = "$LogPath\$User $DTStamp.txt"

        # Create log file for User Access Review purposes
        Add-Content "$ReviewedLog" @"
User: 
$User

Groups: 
$UserGroups
"@
        # Compare the new log to the one written when the user was onboarded.
        # If no original log exists, Get-FileHash reports an error, the hashes do not match,
        # and the user is flagged for review.
        $OriginalLog = "$OriginalPath\$User.txt"
        $HashMatch = (Get-FileHash "$ReviewedLog" -Algorithm SHA1).hash -eq (Get-FileHash "$OriginalLog" -Algorithm SHA1).hash
        if ($HashMatch -eq $false){
            $Global:ChangedUsers += "$User"
        }
    }
}
# Execute Review_Access function
Review_Access
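A hash mismatch tells the reviewer that something changed but not what, and a new hire with no original log simply shows up as a mismatch error. As an added example (not code from the original post or its GitHub script), the following variant writes the membership log one group per line and uses Compare-Object to report which groups were added or removed, while reporting users without a baseline separately. The function names (Write-MembershipLog, Read-MembershipGroups, Compare-MembershipLog), the temp folder and the sample users and groups are all assumptions constructed for this illustration, so it runs offline without the ActiveDirectory module.

```powershell
# Added example, not part of the original script. Function names and sample data are constructed.

function Write-MembershipLog {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$User,
        [string[]]$Groups
    )
    # Sort and write one group per line so the file is deterministic: neither a
    # later Compare-Object nor a Get-FileHash comparison is affected by group order.
    $lines = @("User: $User", "Groups:") + @($Groups | Sort-Object -Unique)
    Set-Content -Path $Path -Value $lines -Encoding UTF8
}

function Read-MembershipGroups {
    param([Parameter(Mandatory)] [string]$Path)
    # Everything after the "Groups:" header is one group name per line.
    $content = @(Get-Content -Path $Path)
    $index = [array]::IndexOf($content, 'Groups:')
    if ($index -lt 0 -or $index -ge ($content.Count - 1)) { return @() }
    return @($content[($index + 1)..($content.Count - 1)] | Where-Object { $_ -ne '' })
}

function Compare-MembershipLog {
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [string]$BaselinePath,
        [Parameter(Mandatory)] [string[]]$CurrentGroups
    )
    # A user with no baseline is reported explicitly rather than as a hash error;
    # this is the case the original script hits for a user onboarded after the baseline run.
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        return [pscustomobject]@{ User = $User; Status = 'NoBaseline'; Added = @(); Removed = @() }
    }
    $baseline = Read-MembershipGroups -Path $BaselinePath
    $current  = @($CurrentGroups | Sort-Object -Unique)
    $diff = Compare-Object -ReferenceObject @($baseline) -DifferenceObject $current
    $added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    $status  = if ($added.Count -eq 0 -and $removed.Count -eq 0) { 'Unchanged' } else { 'Changed' }
    [pscustomobject]@{ User = $User; Status = $status; Added = $added; Removed = $removed }
}

# Constructed sample data: baselines written at onboarding time for alice and bob,
# the membership "seen" at review time, and carol, who has no baseline at all.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'uar-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Write-MembershipLog -Path (Join-Path $root 'alice.txt') -User 'alice' -Groups 'Domain Users','Finance','VPN Users'
Write-MembershipLog -Path (Join-Path $root 'bob.txt')   -User 'bob'   -Groups 'Domain Users','Helpdesk'

$results = @(
    Compare-MembershipLog -User 'alice' -BaselinePath (Join-Path $root 'alice.txt') -CurrentGroups 'Domain Users','Finance','Domain Admins'
    Compare-MembershipLog -User 'bob'   -BaselinePath (Join-Path $root 'bob.txt')   -CurrentGroups 'Helpdesk','Domain Users'
    Compare-MembershipLog -User 'carol' -BaselinePath (Join-Path $root 'carol.txt') -CurrentGroups 'Domain Users'
)

# Only users that need attention go into the notification body; bob is unchanged and is omitted.
$results | Where-Object Status -ne 'Unchanged' | ForEach-Object {
    "{0}: {1} (added: {2}; removed: {3})" -f $_.User, $_.Status, ($_.Added -join ', '), ($_.Removed -join ', ')
}
```

In the real script, $CurrentGroups would come from (Get-ADPrincipalGroupMembership $User).name and $BaselinePath from "$OriginalPath\$User.txt"; the strings the last pipeline produces can be joined into $Body in place of the bare $ChangedUsers list, so the team receiving the email sees the exact group that was granted or removed rather than only the user name.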
Lastly, we define the email variables for notifying the appropriate team and then send the email.
# Email variables
$ErrorFile = "$LogPath\$DTStamp.txt"
$SMTPServer = "10.1.1.11"
$From = "NetworkNotification@mjfirm.com"
$To = "Helpdesk@mjfirm.com", "NetworkNotification@mjfirm.com"
$Subject = "User Access Review: $DTStamp"
$Body = @"
Team,

The User Access Review has been completed. If any users' security groups have changed they will be listed below.

Please look at the following users' permissions to ensure they are still correct:
__$ChangedUsers __

If no users are listed above, no users have had their security groups change.

IT Department
Notification Automatically Generated by User Access Review.ps1 on Audit.mjfirm.local
"@

# Send email notification that the user access review has been completed
Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $Body
All that's left is to schedule the PowerShell script to run using the Task Scheduler. That's it! See my New Hire script and Termination script if automating either of those processes could benefit your organization.