Know your Admins

How did Mr Client reboot that server? What? When was he added to the Domain Admins group?? Hopefully you have never have had to experience such a problem, but in large organisations sometimes it is possible to lose track of who’s being added and removed and removed to privileged groups.

There are a few really important groups you should keep your eye on in Active Directory. They are:

  • Schema Admins
  • Enterprise Admins
  • Domain Admins
  • BUILTIN\Administrators

The first one allows anyone in that group to make changes to the underlying AD Schema, which if is not done ina controlled manner could mean bad things. Membership of the other 3 groups typically means Administrative rights over the entire AD Forest and computers/users/groups within it.

I have written a Powershell Script to keep an eyes on these 4 groups, that may be set up in a scheduled task.

Get the Script Here.

The script makes use of the Quest AD Management cmdlets which must be installed on your machine. Please make sure you edit the file locations and Domain in the script appropriately. You will also need to make sure the folder path exists before running.

In essence, the script does the following:

  1. Loads reference files, and if they do not exist, create them
  2. Obtains group memberships for the groups mentioned in the beginning of the post
  3. Compares against the reference file & outputs report
  4. Updates reference Files.


Daily Privileged Groups Changes – 11/06/2009 08:46:55

Domain Admin Changes



Enterprise Admin Changes

No Changes Detected

Schema Admin Changes

Group has no Members

Group Membership References – Previous Run

Domain Admins

<All members of this group now>

Schema Admins

<All members of this group now>

Enterprise Admins

<All members of this group now>


Updating Files

Domain Admins: D:\PowershellScripts\ADGroupCheck\files\DomainAdmins.txt

Schema Admins: D:\PowershellScripts\ADGroupCheck\files\SchemaAdmins.txt

Enterprise Admins: D:\PowershellScripts\ADGroupCheck\files\EnterpriseAdmins.txt

This script can then be run on a scheduled task by running a command like:

powershell D:\PowershellScripts\ADGroupCheck\ADGroupCheck.ps1 > D:\PowershellScripts\ADGroupCheck\files\output.txt

You could then have another command to email this to a particular person or maillist.

4 thoughts on “Know your Admins

  1. Pingback: Episode 120 – Alex Riedel on PrimalScript and Visual PowerShell « PowerScripting Podcast

  2. I am not able to download the powershell script from the location. Please provide the correct link

    Thanks a lot Ben.. Appricate the quick help.

    I have downloaded the file. I will check this script.

Comments are closed.