Auditing: Audit AD Groups

This script will perform AD group member auditing by fetching all AD Groups and their members and then email the owner of that group a list to be checked to ensure they are still correct.

It utalises the Description field for the group name e.g Sales File Share or Sales Distribution Group and the MangedBy property to then fetch the owners name and email address from the Mail field of the user.

For any group that does not have a ManagedBy user a separate email will be sent to an address of your choosing stating that there is no owner and to check the members and find an appropriate owner.

#***Settings***
#Searchbase - the OU that it gets the groups from
$SearchBase = "OU=Groups,DC=roggy,DC=uk"
#SearchScope - OneLevel means it will search only that OU and not any sub OUs
$SearchScope = "OneLevel"
#DefaultEmailAddress - The email address to send the list to when there is no owner
$NoOwnerEmailAddress = "SupportDesk@roggy.uk"
#DefaultName - The default name to be used when there is no owner
$NoOwnerName = "Support Desk"
#Email from address
$MailFrom = "Auditing@roggy.uk"
#SMTP Server Address
$SMTPServer = "SMTP01.roggy.uk"

#Fetching Groups
$Groups = Get-ADGroup -filter * -SearchBase $SearchBase -SearchScope $SearchScope -Properties ManagedBy, Members, Description
ForEach ($Group in $Groups)
{

#Get owner email address and display name
If ($Group.ManagedBy)
{
$OwnerEmail = (Get-ADUser $Group.ManagedBy -Properties Mail).Mail
$OwnerName = (Get-ADUser $Group.ManagedBy -Properties Name).Name
}

Else
{
$OwnerEmail = $Null
$OwnerName = $Null

}
#Get each members DisplayName from their DisinguishedName

$MemberNames = ForEach ($Member In $Group.Members) { (($Member.Split(","))[0]).Replace("CN=", "") }

#Sending Email
If ($OwnerName -eq $Null)
{
Send-MailMessage -From $MailFrom -To $NoOwnerEmailAddress -SmtpServer $SMTPServer -BodyAsHtml -Subject "$($group.Description) Group User Audit" -Body "Hello $NoOwnerName,

There is no owner listed for the $($group.description) group. The following people are members of the $($group.description):

$($MemberNames -join "
")

Please can you log a ticket to confirm that this list is still corrrect and try and find a suitable owner for this group.

Kind Regards

Roggy IT Dept"
}

Else
{
Send-MailMessage -From $MailFrom -To $OwnerEmail -SmtpServer $SMTPServer -BodyAsHtml -Subject "$($group.Description) Group User Audit" -Body "Hello $ownername,

You are listed as the owner of the $($group.description) group. The following people are members of the $($group.description):

$($MemberNames -join "
")

Please can you confirm that this list is still correct and reply to this email with any required changes.

Kind Regards

Roggy IT Dept"
}
}

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: