I wrote a script, SecuritySnapShot.vbs, that takes a daily snapshot of key administrative groups and reports any changes to the membership of those groups. This script is easy to customize and use.
Customizing the Script
SecuritySnapShot.vbs monitors the groups you specify. Listing 1 shows an excerpt from this script. (You can download the entire script by clicking the Download the Code Here button.) As callout B in Listing 1 shows, the script is currently set up to monitor eight administrative groups, including Enterprise Admins, Schema Admins, and Domain Admins. Because the groups are defined within the code (i.e., hard-coded), it’s easy to add or remove groups as needed. You simply need to change the entries in the condit variable. The script then uses this variable in an Active Directory (AD) query, as callout C shows.
To determine whether there have been any changes to the groups' memberships, SecuritySnapShot.vbs looks back up to 31 days for previous snapshot files. You can increase or decrease this time span by simply changing the value of the x variable, which callout A in Listing 1 shows.
Using the Script
Here's an overview of how SecuritySnapShot.vbs works. When you run this script, it iterates through the collection returned by the AD query and writes each group's members to a text file, which I'll refer to as the snapshot file. The script saves this file to the C:\Temp directory, using a filename that consists of the domain's name and the current date (e.g., MyDomain12-4-2006.txt). If C:\Temp doesn’t exist on the machine, you need to either create that folder or change the script so that it points to another folder. You should also consider pointing the script at a more secure location in any case: the snapshot files list your privileged accounts, and the comparison trusts whatever the previous snapshot file contains, so anyone who can modify files in C:\Temp (a folder that is typically writable by every local user) could edit the old snapshot and hide a membership change from the next report. Save the snapshots to a folder that only administrators can write to.
After creating the snapshot file, the script checks to see whether there’s a previous snapshot file. It searches as far back as 31 days, assuming you didn't change this default value. When the script doesn't find a previous snapshot file (i.e., it’s the first time the script is run or the script hasn't been run in the past 31 days), the script creates a Microsoft Excel spreadsheet. In the spreadsheet, the script adds a worksheet for each specified group and lists the group's members in that worksheet. When the script finds a previous snapshot file, it compares the current snapshot file with the previous snapshot file. The script then creates a spreadsheet that not only documents the current and previous membership information for each group but also summarizes the changes that have occurred.
People say that a picture is worth a thousand words, so let's look at some pictures of sample worksheets so that you know how to interpret the script's results. Let's say that you run SecuritySnapShot.vbs for the first time. Figure 1 and Figure 2 show sample output from this run. Figure 1, which contains the results for the Domain Admins group, shows the output in its simplest form. As column A shows, this group has three members: Administrator, Lanier, and Rene. You might be wondering about the purpose of column B. To answer that question, take a look at Figure 2, which shows the results for the Administrators group. Note that the Administrators group contains other groups. The strings in column B clearly identify nested groups by specifying the parent group followed by the child group, as cell B1 in Figure 2 shows. When the member is an account (e.g., Administrator or a user account) in a nested group, the account's name is listed after the parent.child group information, as cell B2 shows. So, with a single glance at column B, you know whether a group member is an account, a nested group, or an account in a nested group.
The worksheet tabs are color coded according to what a group contains. A blue tab indicates that the group contains nested groups. A gray tab tells you that the group contains only accounts. A red tab denotes either that the group has no members or that a group previously included in the AD query has been removed.
Let's say that after you run SecuritySnapShot.vbs, you add a user named Mike Boone (MikeB) to the Administrators group. When you run the script again, the script adds a worksheet named Differences, as Figure 3 shows. In this worksheet, column A tells you that this account wasn't previously a member. The group name (i.e., Administrators) is repeated in column B because you added the user directly to that group. If the Administrators group were itself a member of another monitored group, such as Enterprise Admins, the entry would instead read Enterprise Admins~Administrators~MikeB, so the full nesting path tells you through which group the new member acquired his rights.
Besides highlighting group-membership changes in the Differences worksheet, the script also provides a now and then comparison in the group worksheets. For example, Figure 4 shows the Administrators worksheet after Mike Boone was added to the Administrators group. As you can see, MikeB appears in the Administrators group on December 9 but not on December 7.
Let's now look at what happens when a member of a group is deleted. Let's say that you not only add Mike Boone to the Administrators group but also remove Lanier Collins from the Domain Admins and Administrators groups because he left the company. Figure 5 shows the Differences worksheet. Figure 6 shows the now and then comparison in the Domain Admins worksheet. Figure 7 shows the same type of comparison in the Administrators worksheet.
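To make the snapshot-and-compare logic described above concrete, here is an added Python model of it. This is not the article's SecuritySnapShot.vbs and does no AD query and writes no Excel workbook: it works on a constructed in-memory directory (the Domain Admins and Administrators groups from the figures, with MikeB added and Lanier removed between December 7 and December 9), represents the snapshot file as a set of text lines, keeps the "domain name plus date" filename convention and the 31-day lookback, and returns the Differences and tab colors as a dictionary. The function and variable names (run_report, take_snapshot, expand_group, SEP, DIR_DEC_7, and so on) and the `~` nesting separator used for every path are assumptions made for this illustration. It also handles one edge case the article does not mention: AD permits circular group nesting, so the recursive expansion stops when it meets a group already on the current path.

```python
"""Model of SecuritySnapShot.vbs's snapshot-and-compare logic.

Added example, not the article's VBScript: it runs on constructed,
in-memory group data instead of an AD query and returns a dict instead
of writing an Excel workbook. All names below are assumptions.
"""
from datetime import date, timedelta

# Nesting separator, as in the Differences worksheet (Enterprise Admins~Administrators~MikeB).
SEP = "~"


def expand_group(directory, group, path=()):
    """List every membership of `group` as a path string.

    `directory` maps group name -> list of direct members; a member whose
    name is also a key is a nested group, anything else is an account.
    A direct account gives "Group~Account", a nested group "Group~Child",
    and an account reached through nesting "Group~Child~Account".
    """
    path = path + (group,)
    entries = []
    for member in directory.get(group, []):
        entries.append(SEP.join(path + (member,)))
        # Recurse into nested groups, but not into one already on the path:
        # AD allows circular nesting, which would otherwise loop forever.
        if member in directory and member not in path:
            entries.extend(expand_group(directory, member, path))
    return entries


def take_snapshot(directory, watched_groups):
    """The snapshot file, modelled as a set of 'group<TAB>path' lines."""
    lines = set()
    for group in watched_groups:
        if group not in directory:
            # A watched group the query no longer returns still gets a line,
            # so its disappearance shows up in the comparison.
            lines.add(f"{group}\t<not found>")
        for entry in expand_group(directory, group):
            lines.add(f"{group}\t{entry}")
    return lines


def tab_color(directory, group):
    """red = no members or group gone, blue = has nested groups, gray = accounts only."""
    members = directory.get(group, [])
    if not members:
        return "red"
    return "blue" if any(m in directory for m in members) else "gray"


def snapshot_filename(domain, day):
    """Domain name plus the date without zero padding, e.g. MyDomain12-4-2006.txt."""
    return f"{domain}{day.month}-{day.day}-{day.year}.txt"


def find_previous_snapshot(existing, domain, today, lookback_days=31):
    """Most recent earlier snapshot within the lookback window (the script's
    x variable), or None if there is none."""
    for back in range(1, lookback_days + 1):
        name = snapshot_filename(domain, today - timedelta(days=back))
        if name in existing:
            return name
    return None


def diff_snapshots(previous, current):
    """The Differences worksheet: memberships that appeared or disappeared."""
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}


def run_report(directory, watched_groups, domain, today, snapshot_dir, lookback_days=31):
    """One run of the script. `snapshot_dir` (filename -> snapshot) stands in
    for the C:\\Temp folder and receives today's snapshot."""
    current = take_snapshot(directory, watched_groups)
    today_name = snapshot_filename(domain, today)
    previous_name = find_previous_snapshot(snapshot_dir, domain, today, lookback_days)
    snapshot_dir[today_name] = current
    report = {
        "snapshot": today_name,
        "compared_to": previous_name,
        "tabs": {g: tab_color(directory, g) for g in watched_groups},
    }
    if previous_name is not None:  # no previous file: membership listing only
        report["differences"] = diff_snapshots(snapshot_dir[previous_name], current)
    return report


# Constructed sample data mirroring the article's scenario (not real AD output).
WATCHED = ["Domain Admins", "Administrators"]
DIR_DEC_7 = {
    "Domain Admins": ["Administrator", "Lanier", "Rene"],
    "Administrators": ["Administrator", "Lanier", "Domain Admins"],
}
DIR_DEC_9 = {  # MikeB added to Administrators; Lanier removed from both groups
    "Domain Admins": ["Administrator", "Rene"],
    "Administrators": ["Administrator", "MikeB", "Domain Admins"],
}

if __name__ == "__main__":
    store = {}
    run_report(DIR_DEC_7, WATCHED, "MyDomain", date(2006, 12, 7), store)
    report = run_report(DIR_DEC_9, WATCHED, "MyDomain", date(2006, 12, 9), store)
    for kind in ("added", "removed"):
        for line in report["differences"][kind]:
            print(kind, line.replace("\t", "  "))
```

Running the block reports MikeB as added under Administrators and Lanier as removed three times: directly from Domain Admins, directly from Administrators, and via the Administrators~Domain Admins nesting, which is exactly why the nested paths in column B are worth keeping in the snapshot. A run on January 8, 2007 against a folder holding only the December 7 file finds no previous snapshot (32 days back, outside the default window) and produces the membership listing without a Differences sheet.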
I wrote SecuritySnapShot.vbs for Windows Server 2003. The machine from which you run the script needs to have Excel 2003 or Excel XP. The script might not work with other versions of Excel because of differences in functionality.
Editor's note: This Reader to Reader item was a winning entry in the Know Your IT Security contest sponsored by Microsoft Learning Paths for Security.