Script to Create a Report of Members of Privileged Groups

by Jeremy Saunders on June 9, 2014

This PowerShell script will create a report of users that are members of the following privileged groups:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Cert Publishers
  • Administrators
  • Account Operators
  • Server Operators
  • Backup Operators
  • Print Operators

This is the default list of privileged groups I’ve set, but you can adjust the privileged groups directly within the getForestPrivGroups function if needed.

The original script was written by Doug Symalla from Microsoft and posted onto the TechNet Script Center: List Membership In Privileged Groups

This was accompanied by two TechNet Blogs:

The script was okay, but needed several updates to be more accurate and bug free. As Doug had not published an update since 26th April 2013, I though that I would. The changes I made are documented in the script.

The following screen shot is the output from a recent Active Directory Health Check I completed:

Privileged Users Console Output

The following screen shot is a snippet of the detailed output that it writes to a CSV file. An explanation of the columns is:

  • SamAccountName = The SamAccountName of the user.
  • DistinguishedName = The DistinguishedName of the user.
  • MemberOf = The DistinguishedName of the privileged group the user is a member of.
  • PasswordAge = The password age.
  • LastLogon = Last Logon Time Stamp. Helps to decide if it’s still in use/current.
  • LastLogonInDays = Current date – Last Logon Time Stamp. Also helps to decide if it’s still in use/current.
  • Disabled = Is the account disabled? Helps to decide if it can be removed from the group.
  • PasswordNeverExpires = Is the password set to never expire?
  • AccountExpires = When does or did the account expire, or is it set to never expire?
  • Description = Not visible in this screen shot. But this column is the description of the account as set in Active Directory. This helps explain its usage, if not obvious.
  • Notes = Not visible in this screen shot. But this column contains any notes made about the account as set in Active Directory. This also helps explain its usage, if not obvious.

Privileged Users CSV Output

IMPORTANT: From the output you’ll notice that there are a lot of user accounts in the Built-In Administrators group. This can be alarming at first pass, but important to understand that by default the Domain Admins group is a member of the Built-In Administrators group. Therefore, users in the Domain Admins group will also appear as a user of the Built-In Administrators group in this report. Likewise, by default the Enterprise Admins group is also a member of the Built-In Administrators group. My advice is to not focus on the Built-In Administrators group first. But rather reduce your Domain Admins and Enterprise Admins, which in turn will clear up the Built-In Administrators group too.

Here is the Get-PrivilegedUsersReport.ps1 script:

<#
  This script will create a report of users that are members of the following
  privileged groups:
  - Enterprise Admins
  - Schema Admins
  - Domain Admins
  - Cert Publishers
  - Administrators
  - Account Operators
  - Server Operators
  - Backup Operators
  - Print Operators

  A summary report is output to the console, whilst a full report is exported
  to a CSV file.

  The original script was written by Doug Symalla from Microsoft:
  - http://blogs.technet.com/b/askpfeplat/archive/2013/04/08/audit-membership-in-privileged-active-directory-groups-a-second-look.aspx
  - http://gallery.technet.microsoft.com/scriptcenter/List-Membership-In-bff89703

  The script was okay, but needed some updates to be more accurate and
  bug free. As Doug had not updated it since 26th April 2013, I though
  that I would. The changes I made are:

  1. Addressed a bug with the member count in the main section.
     Changed...
       $numberofUnique = $uniqueMembers.count
     To...
       $numberofUnique = ($uniqueMembers | measure-object).count
  2. Addressed a bug with the $colOfMembersExpanded variable in the
     getMemberExpanded function
     Added...
       $colOfMembersExpanded=@()
  3. Enhanced the main section
  4. Enhanced the getForestPrivGroups function
  5. Enhanced the getUserAccountAttribs function
  6. Added script variables
  7. Added the accountExpires and info attributes
  8. Enhanced description of object members (AKA csv headers) so that
     it's easier to read.

  Script Name: Get-PrivilegedUsersReport.ps1
  Release 1.2
  Modified by Jeremy@jhouseconsulting.com 13/06/2014

#>
#-------------------------------------------------------------
# Set this to maximum number of unique members threshold
$MaxUniqueMembers = 25

# Set this to maximum password age threshold
$MaxPasswordAge = 365

# Set this to true to privide a detailed output to the console
$DetailedConsoleOutput = $False
#-------------------------------------------------------------

##################   Function to Expand Group Membership ################
function getMemberExpanded
{
        param ($dn)

        $colOfMembersExpanded=@()
        $adobject = [adsi]"LDAP://$dn"
        $colMembers = $adobject.properties.item("member")
        Foreach ($objMember in $colMembers)
        {
                $objMembermod = $objMember.replace("/","\/")
                $objAD = [adsi]"LDAP://$objmembermod"
                $attObjClass = $objAD.properties.item("objectClass")
                if ($attObjClass -eq "group")
                {
			  getmemberexpanded $objMember
                }
                else
                {
			$colOfMembersExpanded += $objMember
		}
        }
$colOfMembersExpanded
}    

########################### Function to Calculate Password Age ##############
Function getUserAccountAttribs
{
                param($objADUser,$parentGroup)
		$objADUser = $objADUser.replace("/","\/")
                $adsientry=new-object directoryservices.directoryentry("LDAP://$objADUser")
                $adsisearcher=new-object directoryservices.directorysearcher($adsientry)
                $adsisearcher.pagesize=1000
                $adsisearcher.searchscope="base"
                $colUsers=$adsisearcher.findall()
                foreach($objuser in $colUsers)
                {
                	$dn = $objuser.properties.item("distinguishedname")
	                $sam = $objuser.properties.item("samaccountname")
        	        $attObjClass = $objuser.properties.item("objectClass")
			If ($attObjClass -eq "user")
			{
				$description = $objuser.properties.item("description")[0]
				$notes = $objuser.properties.item("info")[0]
                		If (($objuser.properties.item("lastlogontimestamp") | Measure-Object).Count -gt 0) {
                		  $lastlogontimestamp = $objuser.properties.item("lastlogontimestamp")[0]
                		  $lastLogon = [System.DateTime]::FromFileTime($lastlogontimestamp)
                		  $lastLogonInDays = ((Get-Date) - $lastLogon).Days
                		  if ($lastLogon -match "1/01/1601") {
                                    $lastLogon = "Never logged on before"
                		    $lastLogonInDays = "N/A"
                                  }
                		} else {
                		  $lastLogon = "Never logged on before"
                		  $lastLogonInDays = "N/A"
                		}
                		$accountexpiration = $objuser.properties.item("accountexpires")[0]
                		If (($accountexpiration -eq 0) -OR ($accountexpiration -gt [DateTime]::MaxValue.Ticks)) {
                		  $accountexpires = "<Never>"
                		} else {
                		  $accountexpires = [datetime]::fromfiletime([int64]::parse($accountexpiration))
                		}

        	        	$pwdLastSet=$objuser.properties.item("pwdLastSet")
                		if ($pwdLastSet -gt 0)
                        	{
                        		$pwdLastSet = [datetime]::fromfiletime([int64]::parse($pwdLastSet))
                                	$PasswordAge = ((get-date) - $pwdLastSet).days
                        	}
                        	Else {$PasswordAge = "<Not Set>"}
                		$uac = $objuser.properties.item("useraccountcontrol")
                        	$uac = $uac.item(0)
                		if (($uac -bor 0x0002) -eq $uac) {$disabled="TRUE"}
                        	else {$disabled = "FALSE"}
                        	if (($uac -bor 0x10000) -eq $uac) {$passwordneverexpires="TRUE"}
                        	else {$passwordNeverExpires = "FALSE"}
                        }
                        $record = "" | select-object SamAccountName,DistinguishedName,MemberOf,PasswordAge,LastLogon,LastLogonInDays,Disabled,PasswordNeverExpires,AccountExpires,Description,Notes
                        $record.SamAccountName = [string]$sam
                        $record.DistinguishedName = [string]$dn
                        $record.MemberOf = [string]$parentGroup
                        $record.PasswordAge = $PasswordAge
                        $record.LastLogon = $lastLogon
                        $record.LastLogonInDays = $lastLogonInDays
                        $record.Disabled = $disabled
                        $record.PasswordNeverExpires = $passwordNeverExpires
                        $record.AccountExpires = $accountexpires
                        $record.Description = $description
                        $record.Notes = $notes

                }
$record
}
####### Function to find all Privileged Groups in the Forest ##########
Function getForestPrivGroups
{
  # Privileged Group Membership for the following groups:
  # - Enterprise Admins - SID: S-1-5-21root domain-519
  # - Schema Admins - SID: S-1-5-21root domain-518
  # - Domain Admins - SID: S-1-5-21domain-512
  # - Cert Publishers - SID: S-1-5-21domain-517
  # - Administrators - SID: S-1-5-32-544
  # - Account Operators - SID: S-1-5-32-548
  # - Server Operators - SID: S-1-5-32-549
  # - Backup Operators - SID: S-1-5-32-551
  # - Print Operators - SID: S-1-5-32-550
  # Reference: http://support.microsoft.com/kb/243330

                $colOfDNs = @()
                $Forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest()
		$RootDomain = [string]($forest.rootdomain.name)
		$forestDomains = $forest.domains
		$colDomainNames = @()
		ForEach ($domain in $forestDomains)
		{
			$domainname = [string]($domain.name)
			$colDomainNames += $domainname
		}

                $ForestRootDN = FQDN2DN $RootDomain
		$colDomainDNs = @()
		ForEach ($domainname in $colDomainNames)
		{
			$domainDN = FQDN2DN $domainname
			$colDomainDNs += $domainDN
		}

		$GC = $forest.FindGlobalCatalog()
                $adobject = [adsi]"GC://$ForestRootDN"
        	$RootDomainSid = New-Object System.Security.Principal.SecurityIdentifier($AdObject.objectSid[0], 0)
		$RootDomainSid = $RootDomainSid.toString()
		$colDASids = @()
		ForEach ($domainDN in $colDomainDNs)
		{
			$adobject = [adsi]"GC://$domainDN"
        		$DomainSid = New-Object System.Security.Principal.SecurityIdentifier($AdObject.objectSid[0], 0)
			$DomainSid = $DomainSid.toString()
			$daSid = "$DomainSID-512"
			$colDASids += $daSid
			$cpSid = "$DomainSID-517"
			$colDASids += $cpSid
		}

		$colPrivGroups = @("S-1-5-32-544";"S-1-5-32-548";"S-1-5-32-549";"S-1-5-32-551";"S-1-5-32-550";"$rootDomainSid-519";"$rootDomainSid-518")
		$colPrivGroups += $colDASids

		$searcher = $gc.GetDirectorySearcher()
		ForEach($privGroup in $colPrivGroups)
                {
                                $searcher.filter = "(objectSID=$privGroup)"
                                $Results = $Searcher.FindAll()
                                ForEach ($result in $Results)
                                {
                                                $dn = $result.properties.distinguishedname
                                                $colOfDNs += $dn
                                }
                }
$colofDNs
}

########################## Function to Generate Domain DN from FQDN ########
Function FQDN2DN
{
	Param ($domainFQDN)
	$colSplit = $domainFQDN.Split(".")
	$FQDNdepth = $colSplit.length
	$DomainDN = ""
	For ($i=0;$i -lt ($FQDNdepth);$i++)
	{
		If ($i -eq ($FQDNdepth - 1)) {$Separator=""}
		else {$Separator=","}
		[string]$DomainDN += "DC=" + $colSplit[$i] + $Separator
	}
	$DomainDN
}

########################## MAIN ###########################
# Get the script path
$ScriptPath = {Split-Path $MyInvocation.ScriptName}
$ReferenceFile = $(&$ScriptPath) + "\PrivilegedUsers.csv"

$forestPrivGroups = GetForestPrivGroups
$colAllPrivUsers = @()

$rootdse=new-object directoryservices.directoryentry("LDAP://rootdse")

Foreach ($privGroup in $forestPrivGroups)
{
                Write-Host ""
		Write-Host "Enumerating $privGroup.." -foregroundColor yellow
                $uniqueMembers = @()
                $colOfMembersExpanded = @()
		$colofUniqueMembers = @()
                $members = getmemberexpanded $privGroup
                If ($members)
                {
                                $uniqueMembers = $members | sort-object -unique
				$numberofUnique = ($uniqueMembers | measure-object).count
				Foreach ($uniqueMember in $uniqueMembers)
				{
					 $objAttribs = getUserAccountAttribs $uniqueMember $privGroup
                                         $colOfuniqueMembers += $objAttribs
				}
                                $colAllPrivUsers += $colOfUniqueMembers
                }
                Else {$numberofUnique = 0}

                If ($numberofUnique -gt $MaxUniqueMembers)
                {
                                Write-host "...$privGroup has $numberofUnique unique members" -foregroundColor Red
                }
		Else { Write-host "...$privGroup has $numberofUnique unique members" -foregroundColor White }

                $pwdneverExpiresCount = 0
                $pwdAgeCount = 0

                ForEach($user in $colOfuniquemembers)
                {
                                $i = 0
                                $userpwdAge = $user.pwdAge
                                $userpwdneverExpires = $user.pWDneverExpires
                                $userSAM = $user.SAM
                                IF ($userpwdneverExpires -eq $True)
                                {
                                  $pwdneverExpiresCount ++
                                  $i ++
                                  If ($DetailedConsoleOutput) {Write-host "......$userSAM has a password age of $userpwdage and the password is set to never expire" -foregroundColor Green}
                                }
                                If ($userpwdAge -gt $MaxPasswordAge)
                                {
                                  $pwdAgeCount ++
                                  If ($i -gt 0)
                                  {
                                    If ($DetailedConsoleOutput) {Write-host "......$userSAM has a password age of $userpwdage days" -foregroundColor Green}
                                  }
                                }
                }

                If ($numberofUnique -gt 0)
                {
                                Write-host "......There are $pwdneverExpiresCount accounts that have the password is set to never expire." -foregroundColor Green
                                Write-host "......There are $pwdAgeCount accounts that have a password age greater than $MaxPasswordAge days." -foregroundColor Green
                }
}

write-host "`nComments:" -foregroundColor Yellow
write-host " - If a privileged group contains more than $MaxUniqueMembers unique members, it's highlighted in red." -foregroundColor Yellow
If ($DetailedConsoleOutput) {
  write-host " - The privileged user is listed if their password is set to never expire." -foregroundColor Yellow
  write-host " - The privileged user is listed if their password age is greater than $MaxPasswordAge days." -foregroundColor Yellow
  write-host " - Service accounts should not be privileged users in the domain." -foregroundColor Yellow
}

$colAllPrivUsers | Export-CSV -notype -path "$ReferenceFile" -Delimiter ';'

# Remove the quotes
(get-content "$ReferenceFile") |% {$_ -replace '"',""} | out-file "$ReferenceFile" -Fo -En ascii

Enjoy!

Jeremy Saunders

Jeremy Saunders

Technical Architect | DevOps Evangelist | Software Developer | Microsoft, NVIDIA, Citrix and Desktop Virtualisation (VDI) Specialist/Expert | Rapper | Improvisor | Comedian | Property Investor | Kayaking enthusiast at J House Consulting
Jeremy Saunders is the Problem Terminator. He is a highly respected IT Professional with over 35 years’ experience in the industry. Using his exceptional design and problem solving skills with precise methodologies applied at both technical and business levels he is always focused on achieving the best business outcomes. He worked as an independent consultant until September 2017, when he took up a full time role at BHP, one of the largest and most innovative global mining companies. With a diverse skill set, high ethical standards, and attention to detail, coupled with a friendly nature and great sense of humour, Jeremy aligns to industry and vendor best practices, which puts him amongst the leaders of his field. He is intensely passionate about solving technology problems for his organisation, their customers and the tech community, to improve the user experience, reliability and operational support. Views and IP shared on this site belong to Jeremy.
Jeremy Saunders
Jeremy Saunders

Previous post:

Next post: