# ********************************************************************************
#
# Script Name: User Access Review.ps1
# Version: 1.0
# Author: Sheridan Wendt
# Date: 5/1/2018
# Applies to: Users
#
# Description: This script works along with the New User script by generating a
# text file that contains a user's group membership. A hash is generated of this
# text file and compared to the original list of group membership that was
# assigned to the user. If the hash does not match, an email is sent.
#
# ********************************************************************************
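#Import Modules
# Stop if the AD module is missing: otherwise Get-ADUser below fails, $Users is empty,
# the review loop runs zero times and a "no changes" email is sent (a false negative).
Import-Module ActiveDirectory -ErrorAction Stop

#Set variables
# Timestamp in the "u" format with ':' replaced so it is usable as a path component
$DTStamp = (Get-Date -Format u) -replace ':', '-'
# Every enabled account is in scope for the review
$Users = (Get-ADUser -Filter 'enabled -eq $true').SamAccountName
if (-not $Users) {
    # Fail closed: an empty user set would otherwise produce a clean-looking report
    throw "Get-ADUser returned no enabled users; aborting the review"
}
$LogPath = "\\FileServer\User Access Review\$DTStamp"
$OriginalPath = "\\FileServer\Original Group Membership"
$ChangedUsers = @()

# Create dated folder for logs. Abort if it cannot be created: every per-user log write
# would fail and, because a missing log hashes as $null, every user would be reported
# as "changed". (The original Test-Path after New-Item discarded its result and did nothing.)
New-Item -ItemType Directory -Path $LogPath -ErrorAction Stop | Out-Null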
# Define function to check user groups and add changed users to an array
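Function Review_Access {
    # Writes one "User / Groups" log per user into $LogPath and adds the user to
    # $Global:ChangedUsers when the log's SHA1 differs from that user's baseline
    # file in $OriginalPath.
    # Reads script-scope $Users, $LogPath, $OriginalPath and $DTStamp.
    #
    # The comparison is byte-for-byte, so the baseline must have been written with the
    # same cmdlet (Add-Content), default encoding, line endings and sorted group order
    # used here; changing any of these requires regenerating the baselines.
    # SHA1 is only a change detector here, not a security boundary: the baseline files
    # are the trust anchor, and anyone who can write to $OriginalPath can silence the
    # review by rewriting a baseline, so restrict write access to that share.
    foreach ($User in $Users) {
        # Sort so the log content is stable regardless of the order AD returns groups
        # (if the lookup fails this is $null, the log has an empty Groups section and
        # the user is reported as changed — confirm that is the desired outcome)
        $UserGroups = (Get-ADPrincipalGroupMembership $User).Name | Sort-Object
        # Kept in the global scope for compatibility with the original script
        $Global:ReviewedLog = "$LogPath\$User $DTStamp.txt"
        #Create log file for User Access Review purposes
        Add-Content "$ReviewedLog" @"
User:
$User
Groups:
$UserGroups
"@
        $OriginalLog = "$OriginalPath\$User.txt"
        if (-not (Test-Path -LiteralPath $OriginalLog)) {
            # No baseline to compare against (never created, or removed): report the
            # user explicitly instead of relying on a Get-FileHash error and a $null hash
            Write-Warning "No baseline file for $User at $OriginalLog; reporting as changed"
            $Global:ChangedUsers += "$User"
            continue
        }
        # -LiteralPath: account names are used verbatim, never as wildcard patterns
        $ReviewedHash = (Get-FileHash -LiteralPath $ReviewedLog -Algorithm SHA1).Hash
        $OriginalHash = (Get-FileHash -LiteralPath $OriginalLog -Algorithm SHA1).Hash
        if ($ReviewedHash -ne $OriginalHash) {
            $Global:ChangedUsers += "$User"
        }
    }
}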
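# Execute Review_Access function
Review_Access

# Email variables
$ErrorFile = "$LogPath\$DTStamp.txt"   # NOTE(review): assigned but not used anywhere in this script
$SMTPServer = "9.9.9.9"
$From = "UserAccessReview@domain.com"
$To = "ServiceDesk@domain.com", "SecurityTeam@domain.com"
$Subject = "User Access Review: $DTStamp"

# One account per line so the reviewer can read the list; state "(none)" explicitly
# rather than leaving an empty gap that could be mistaken for a rendering problem
if ($ChangedUsers.Count -gt 0) {
    $ChangedList = $ChangedUsers -join "`r`n"
} else {
    $ChangedList = "(none)"
}
$Body = @"
Team,
The User Access Review has been completed. If any user's security groups have changed they will be listed below.
Please look at the following user's permissions to ensure they are still correct:
$ChangedList
If no users are listed above, no users have had their security groups change.
IT Department
Notification Automatically Generated by User Access Review.ps1 on server.domain.com
"@

# Send email notification that the user access review has been completed.
# -ErrorAction Stop: a review whose notification fails silently is a gap in the control,
# so surface the failure to the scheduler instead of exiting 0. The message is sent to
# $SMTPServer without authentication or TLS; add -UseSsl / -Credential if the relay supports them.
Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $Body -ErrorAction Stop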