Use ADSI and PowerShell to Monitor Group Access

Several years ago, I was tasked with putting together a script to output a list of all users and groups on a server. Additionally, management wanted to know the membership of the local groups. If the groups contained other groups, the contents of those groups should be listed as well. Here is a sample of the script output.

Report run time: 11/22/2017 12:14:56

Server [S1]
Local user accounts
 Anon000:Enabled
 Ctx_ConfigMgr:Enabled
 ctx_cpsvcuser:Enabled
 ctx_cpuuser:Enabled
 Ctx_StreamingSvc:Enabled
 Guest:Enabled
 administrator:Enabled

Local:Group:Administrators
 Local:User:Enabled:Administrator
    AD:Group:AnADGroup
   User:Enabled:user1
   User:Enabled:user2
   ...
   ...

Running the Script

  1. Download ListAccess.zip and extract it to a server running PowerShell with the Active Directory module installed.
  2. Create a text file with a list of the server names or IP addresses on which to report, one per line.
    • Name this file servers.txt, or execute the next step to change the file name in the script itself.
  3. Edit the ListAccess.ps1 file and change line 99 so that the file name matches the file name selected in the previous step.
    • Note: if the file containing the list of servers is named servers.txt, this step can be skipped.
  4. Open PowerShell and load the Active Directory module.
    • If you run Active Directory Module for Windows PowerShell, the Active Directory shell will be loaded automatically.
  5. Change to the folder containing the script and the list of servers.
  6. Execute the report by entering .\ListAccess.ps1 and pressing Enter.

Depending on the number of servers being processed, the script can take some time to complete.
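For readers who want to see the mechanics behind a report like this, the following is an added sketch and not the contents of ListAccess.ps1. It reads local accounts and group members through the ADSI WinNT provider and expands domain groups with the Active Directory module. The function name `Get-LocalAccessReport` is hypothetical, and the sketch assumes servers.txt holds server names (not IP addresses) and that nested groups live in the current domain.

```powershell
# Added sketch, not the contents of ListAccess.ps1; Get-LocalAccessReport is a hypothetical name.
Import-Module ActiveDirectory

function Get-LocalAccessReport {
    param([Parameter(Mandatory)][string]$Server)
    $state = { param($disabled) if ($disabled) { 'Disabled' } else { 'Enabled' } }
    $computer = [ADSI]"WinNT://$Server,computer"

    "Server [$Server]", "Local user accounts"
    foreach ($u in @($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
        # ADS_UF_ACCOUNTDISABLE (0x2) in UserFlags marks a disabled local account
        " $($u.Name.Value):$(& $state ($u.UserFlags.Value -band 0x2))"
    }
    foreach ($g in @($computer.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        "", "Local:Group:$($g.Name.Value)"
        foreach ($m in @($g.Invoke('Members'))) {
            # Members are raw COM objects, so read their properties through reflection
            $name, $class, $path = 'Name', 'Class', 'ADsPath' | ForEach-Object {
                $m.GetType().InvokeMember($_, 'GetProperty', $null, $m, $null) }

            if ($path -like "*/$Server/*" -and $class -eq 'User') {
                # ADsPath contains the server name, so this is a local account
                ' Local:User:{0}:{1}' -f (& $state (([ADSI]$path).UserFlags.Value -band 0x2)), $name
            } elseif ($class -eq 'Group') {
                " AD:Group:$name"
                try {
                    # -Recursive flattens nested groups down to their leaf members
                    Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                        Where-Object { $_.objectClass -eq 'user' } |
                        ForEach-Object { Get-ADUser -Identity $_.distinguishedName } |
                        ForEach-Object { '   User:{0}:{1}' -f (& $state (-not $_.Enabled)), $_.SamAccountName }
                } catch { "   (not resolved in the current domain: $path)" }
            } else {
                # Domain user or well-known principal added directly; state is not looked up
                " ${class}:$name"
            }
        }
    }
}

"Report run time: $(Get-Date)"
Get-Content .\servers.txt | Where-Object { $_.Trim() } |
    ForEach-Object { Get-LocalAccessReport -Server $_.Trim() }
```

Saving each run to a file and comparing it with the previous one (for example with `Compare-Object`) turns the report into a simple check for unexpected additions to privileged local groups such as Administrators.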
