A bit more of a complex monitor today! This monitor checks all the members of any local group (domain groups will also work if it is run on a DC) and lets you trigger an alert if accounts are found that shouldn’t be there. The biggest use for this in my experience is detecting users who have been accidentally added to “Remote Desktop Users” on a server – “Remote Desktop Users” is a group that exists by default on all Windows machines, and it’s very easy for engineers creating users on a domain controller to add them to this group by mistake. This is what the monitor detects:
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {$IgnoreTheseGroupsOrUsers = @(\"Administrator\", \"SBS Remote Operators\", \"Domain Admins\");$GroupName = \"Remote Desktop Users\";$Result = @();$Group = [ADSI]\"WinNT://$env:COMPUTERNAME/$GroupName,group\";$Members = @($group.psbase.Invoke(\"Members\"));$Members | foreach-object { $Result += $_.GetType().InvokeMember(\"Name\", 'GetProperty', $null, $_, $null)};$FinalResult = $Result | Where-Object {$IgnoreTheseGroupsOrUsers -notcontains $_};If($FinalResult){Write-Output (($FinalResult) -join \",\")}else{Write-Output \"No Accounts Found\"}}"
I would like to draw your attention to a few parts of this:
$IgnoreTheseGroupsOrUsers = @(\"Administrator\", \"SBS Remote Operators\", \"Domain Admins\")
If you are looking to EXCLUDE users or groups from the member results, add them to this list. Be sure to keep the backslash in front of each double quote so the quotes stay escaped inside the outer command string.
$GroupName = \"Remote Desktop Users\"
Change this to the name of any other local (or, on a DC, domain) group you want to monitor.
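The same check, written out as a readable script rather than a one-liner, as an added example that is not the original monitor. It uses the same ADSI WinNT provider as the command above (so it runs on older servers without Get-LocalGroupMember), but it also records where each member comes from (local machine or domain), distinguishes users from nested groups, and sets a non-zero exit code so an RMM can alert on it either by output text or by exit code. The group name and allow-list are the ones from the post; the parameter names and the `DOMAIN\account` matching convention are assumptions for this example.

```powershell
# Added example: report unexpected members of a local group (not the original monitor).
param(
    [string]$GroupName = 'Remote Desktop Users',
    # Members that are allowed. A bare name matches any member with that name;
    # a 'SOURCE\name' entry matches only a member from that machine or domain.
    # This sample allow-list is constructed for the example; adjust it per environment.
    [string[]]$AllowedMembers = @('Administrator', 'SBS Remote Operators', 'Domain Admins')
)

function Get-GroupMemberInfo {
    param([string]$Name, [string]$Computer = $env:COMPUTERNAME)
    $group   = [ADSI]"WinNT://$Computer/$Name,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        # The IADs interface is reached via InvokeMember on the COM object.
        # ADsPath looks like WinNT://DOMAIN/account or WinNT://COMPUTER/account,
        # so stripping the prefix and the trailing account leaves the source.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $n     = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name   = $n
            Source = (($path -replace '^WinNT://', '') -replace '/[^/]+$', '')
            Class  = $class   # 'User' or 'Group'
        }
    }
}

function Test-MemberAllowed {
    param([pscustomobject]$Member, [string[]]$Allowed)
    foreach ($entry in $Allowed) {
        if ($entry -like '*\*') {
            # Qualified entry: both source and name must match.
            if ("$($Member.Source)\$($Member.Name)" -eq $entry) { return $true }
        }
        elseif ($Member.Name -eq $entry) { return $true }   # PowerShell -eq is case-insensitive
    }
    return $false
}

function Get-UnexpectedMembers {
    param([string]$Name, [string[]]$Allowed)
    Get-GroupMemberInfo -Name $Name | Where-Object { -not (Test-MemberAllowed -Member $_ -Allowed $Allowed) }
}

try {
    $unexpected = @(Get-UnexpectedMembers -Name $GroupName -Allowed $AllowedMembers)
}
catch {
    # Group missing or ADSI failure: surface it as its own alert rather than "No Accounts Found".
    Write-Output "ERROR: could not read group '$GroupName': $($_.Exception.Message)"
    exit 2
}

if ($unexpected.Count -gt 0) {
    # Same comma-joined output shape as the original monitor, but with source and class
    # so the alert shows whether a domain user or a nested group was added.
    Write-Output (($unexpected | ForEach-Object { "$($_.Source)\$($_.Name) ($($_.Class))" }) -join ',')
    exit 1
}
else {
    Write-Output 'No Accounts Found'
    exit 0
}
```

Run it with no arguments to get the behaviour of the post's one-liner; pass `-GroupName 'Administrators'` or a different `-AllowedMembers` list to reuse it for another group. Matching bare names only (as the original does) means a local account and a domain account with the same name are treated alike, which is why the allow-list here also accepts `DOMAIN\name` entries when that distinction matters.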