Thursday, Nov 12, 2009

Documenting Active Directory Group Membership

So we are pursuing a number of compliance designations at the grind and need to demonstrate membership in certain AD groups. We then need to review the groups' membership lists periodically to ensure no unauthorized users have been added.

Naturally we have a number of BUILTIN groups ("Domain Admins," "Enterprise Admins," et cetera) that we keep tabs on, but there are also groups we've created to manage our own specific environment that we need to review.

I wrote a series of scripts that

1. Read a .txt file populated with the groups we identified as sensitive

2. Output the membership lists to Excel in an easily readable format.

First thing is we call GROUPCHECKER.bat. This file finds the current date and time, creates a directory to dump the logs to, and finally calls GROUPCHECKERREPORT.vbs, which formats everything into Excel.

Here's the GROUPCHECKER.bat:

Now for GROUPCHECKERREPORT.vbs, which the prior GROUPCHECKER.bat would call:

Finally, here is the "answer" file. Simply enter the group names that you want to monitor each month, each prefaced by the name of the domain in which the group resides. If you haven't figured it out already, the code samples reflect a domain of ryanboyer.net and a corresponding DFS namespace of \\ryanboyer.net\. Paste this into the GROUPCHECKERANSWER.txt file as-is to monitor most of the sensitive BUILTIN groups contained in a default Active Directory installation.

The one caveat I've found is that Excel has a limit on the number of characters in a worksheet name. So for long, descriptive group names, you'll want to make good use of Left, Right, and Trim in VBScript. Something like this would need to be added to GROUPCHECKERREPORT.vbs starting at about line 33 (I've overlapped the code below as a reference):

The output of this will be a neat little .xls document with a summary page of the total number of members in each group. It will have supplemental worksheets (named for the group or its abbreviation) that list the actual members.

You can then forward it on to your superiors for a quick and easy way to see who's got access to what.
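As an added example (not the original GROUPCHECKER.bat or GROUPCHECKERREPORT.vbs), here is the same monthly review in PowerShell: it reads the DOMAIN\Group lines of the answer file, writes one member list per group plus a summary count, trims names to Excel's worksheet-name limit the way the Left/Trim caveat above describes, and flags members added or removed since the last documented run. It assumes the RSAT ActiveDirectory module is installed and uses paths under C:\GroupChecker, which are assumptions rather than anything from the post.

```powershell
# Added example, not the original GROUPCHECKER scripts. Paths under C:\GroupChecker are assumed.
Import-Module ActiveDirectory
$AnswerFile = 'C:\GroupChecker\GROUPCHECKERANSWER.txt'
$Baseline   = 'C:\GroupChecker\baseline.json'
$OutDir     = Join-Path 'C:\GroupChecker\Logs' (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Excel caps worksheet names at 31 characters and rejects [ ] : * ? / \ ;
# this mirrors the Left/Trim trimming the post applies to long group names.
function Get-SheetName([string]$Name) {
    $clean = ($Name -replace '[\[\]:*?/\\]', '_').Trim()
    if ($clean.Length -gt 31) { $clean.Substring(0, 31) } else { $clean }
}

$current = @{}
foreach ($line in Get-Content $AnswerFile | Where-Object { $_.Trim() }) {
    # Each answer-file line is DOMAIN\GroupName, as in the original post
    $domain, $group = $line.Trim() -split '\\', 2
    $members = @(Get-ADGroupMember -Identity $group -Server $domain -Recursive |
                 Select-Object -ExpandProperty SamAccountName | Sort-Object)
    $current[$group] = $members
    # One "worksheet" per group: a member list file named as the sheet would be
    $members | Set-Content (Join-Path $OutDir ("{0}.txt" -f (Get-SheetName $group)))
}

# Summary page equivalent: group name and member count
$current.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Group = $_.Key; Members = $_.Value.Count }
} | Export-Csv (Join-Path $OutDir 'Summary.csv') -NoTypeInformation

# The periodic review itself: flag anyone added to or removed from a monitored
# group since the last documented run, so unauthorized additions stand out
if (Test-Path $Baseline) {
    $prev = Get-Content $Baseline -Raw | ConvertFrom-Json
    foreach ($g in $current.Keys) {
        $old     = @($prev.$g)
        $added   = @($current[$g] | Where-Object { $_ -notin $old })
        $removed = @($old | Where-Object { $_ -notin $current[$g] })
        if ($added)   { Write-Warning ("{0}: ADDED   {1}" -f $g, ($added -join ', ')) }
        if ($removed) { Write-Warning ("{0}: REMOVED {1}" -f $g, ($removed -join ', ')) }
    }
}
# Record this run as the baseline for next month's comparison
$current | ConvertTo-Json | Set-Content $Baseline
```

Run it from a scheduled task with an account that can read group membership; the warnings are the lines worth reviewing each month, and the dated log folder keeps the evidence the compliance review asks for.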