The script below uses the security event log on defined DCs within your Active Directory to export events related to certain activities. Optionally, the script can also send this to you as an email report – if needed.
As is – the script will specifically look for these events:
- 4724 – a user password was reset by an administrator respective via Active Directory Users and Groups MMC (or similar)
- 4728 – a user was added to a security group
- 4729 – a user was removed from a security group
There are more events – specifically events related to adding/removing users from distribution groups etc. – but for the purpose for which I wrote the script, I did not need them. Still, I thought it was worth publishing this, as others might find it helpful.
To add more events – just adjust line 19 – simply add more “or EventID=1234” clauses – it should be rather easy… in theory you could also expose that as a parameter and inject it into the query from the script.
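<#
.SYNOPSIS
    Exports selected Security-log events from domain controllers and optionally
    mails the result as a report.
.DESCRIPTION
    Queries each DC for event IDs 4724, 4728 and 4729 within the last
    -HoursInThePast hours, writes a per-DC section to the pipeline as one string
    and, with -SendMail, sends that same text via Send-MailMessage.
.PARAMETER DomainControllers
    Comma-separated DC host names. Empty (default): every DC returned by
    Get-ADDomainController -Filter * (requires the ActiveDirectory module).
.PARAMETER FullDetails
    $true: Format-List output per event; $false (default): Format-Table.
.PARAMETER HoursInThePast
    Size of the look-back window in hours (default 24).
.PARAMETER SendMail
    $true: mail the report; requires -SMTPfrom, -SMTPto and -SMTPserver.
.PARAMETER SMTPfrom
    Sender address for the report mail.
.PARAMETER SMTPto
    Recipient address for the report mail.
.PARAMETER SMTPsubject
    Subject line for the report mail.
.PARAMETER SMTPserver
    SMTP relay used by Send-MailMessage.
.OUTPUTS
    System.String - the complete report text.
#>
param(
    [string] $DomainControllers = "",
    [bool] $FullDetails = $false,
    [int] $HoursInThePast = 24,
    [bool] $SendMail = $false,
    [string] $SMTPfrom = "",
    [string] $SMTPto = "",
    [string] $SMTPsubject = "",
    [string] $SMTPserver = ""
)

# Event IDs collected from the Security log:
#   4724 - user password reset by an administrator
#   4728 - member added to a security-enabled global group
#   4729 - member removed from a security-enabled global group
# To extend the report, add "or EventID=NNNN" inside the parentheses of the
# <Select> below. Note that 4728/4729 cover global groups only; local
# (4732/4733) and universal (4756/4757) security-group changes have their own IDs.
#
# The time window is part of the XPath (timediff() works in milliseconds) so the
# DC filters server-side instead of streaming its whole Security log over RPC
# only to have most of it dropped locally.
$WindowMs = [int64]$HoursInThePast * 60 * 60 * 1000
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729) and TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]]]</Select>
  </Query>
</QueryList>
"@

# Resolve the DC list once; both code paths then share a single query loop.
# Entries are trimmed and blanks (stray commas, whitespace-only input) dropped.
if ([string]::IsNullOrWhiteSpace($DomainControllers)) {
    Import-Module ActiveDirectory
    $DCs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)
} else {
    $DCs = @($DomainControllers.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$Lines = New-Object System.Collections.Generic.List[string]
foreach ($DC in $DCs) {
    Write-Host "checking DC: $DC"
    $Lines.Add("Export from DC: $DC")
    $Lines.Add("")

    # SilentlyContinue keeps one unreachable DC from aborting the whole run, but
    # the failure must still be visible in the report: an empty section would
    # otherwise read as "nothing happened on that DC", which is the one thing an
    # audit report must not claim by accident. "No events found" is an expected
    # outcome (NoMatchingEventsFound), not a failure.
    $Events = Get-WinEvent -ComputerName $DC -FilterXml $Query `
        -ErrorAction SilentlyContinue -ErrorVariable QueryErrors
    foreach ($Err in $QueryErrors) {
        if ($Err.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "DC ${DC}: $($Err.Exception.Message)"
            $Lines.Add("WARNING: could not read events from ${DC}: $($Err.Exception.Message)")
        }
    }

    if ($Events) {
        $Formatted = if ($FullDetails) {
            $Events | Format-List | Out-String
        } else {
            $Events | Format-Table | Out-String
        }
        $Lines.Add($Formatted)
    }
}

# One string so the pipeline output and the mail body are the same text.
$OutPut = $Lines -join [Environment]::NewLine
$OutPut

if ($SendMail) {
    # Fail with a readable message instead of a parameter-binding error deep
    # inside Send-MailMessage.
    foreach ($Required in 'SMTPfrom', 'SMTPto', 'SMTPserver') {
        if ([string]::IsNullOrWhiteSpace((Get-Variable -Name $Required -ValueOnly))) {
            throw "-SendMail requires -$Required to be set"
        }
    }
    # Send-MailMessage talks plain SMTP unless -UseSsl is given; the body lists
    # account and group names from the audit log, so add -UseSsl (or a relay that
    # enforces TLS) where the server supports it.
    Send-MailMessage -From $SMTPfrom -To $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver
}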