Do Sysadmins Dream Of Electric Sheep?

A collection of random mutterings and mumblings about Windows and other technologies…

VBScript to check membership of privileged groups

Posted by Joe Thompson on August 4, 2011

This is a variation of a script I posted a few weeks ago which outputs the membership of multiple AD groups. In short, I was asked to put together a script which would gather the memberships of various privileged groups within our organisation for audit purposes, for example Domain Admins, Exchange Admins, the various support groups which have raised access, etc.

As this kind of information is pretty useful when reviewing whether and how group memberships have changed over time, I wanted to amend the original script to ensure that no older data was lost. In order to accurately pinpoint when a historical log had been created, it made sense to use the creation date of the most recent file to generate the timestamp for archiving the older data. In this way, we can simply check the older files in filename order to see how they’ve changed over time.

It’s a simple task to comment out all the echo statements so that this script can run as a scheduled task. In future I will be aiming to automate checking of the most recent file against the previous one and generating some kind of alert when group memberships have changed. This will take some time though, so don’t expect it any time soon!

As with the script this has been adapted from, you’ll need to create a source file containing the FQDNs of each group you want to audit (one per line; the script prefixes each line with LDAP://, so use the group’s full distinguished name). If anyone needs any more details, drop me a message in the replies and I’ll try and answer it as soon as I can!

WARNING – be careful adding an “on error” statement with this one – if there’s no groups file it can create an infinitely large text file full of carriage returns. I’ve put a check in for the groups file deliberately to guard against this but it could cause issues on a production server if you omit this section for any reason…

' VBscript to output group membership of privileged AD groups
' Put list of groups' FQDNs (LDAP distinguished names), one per line, in C:\temp\privileged_groups.txt
' Results will be output to C:\temp\privileged_group_membership.txt

' Set variables and define constants

Dim fso
Dim objReadFile
Dim objWriteFile
Dim strOutputFile
Dim strOldFile
Dim strGroupsFile
Dim strGroupFQDN
Dim strUsername
Dim objGroup
Dim arrMemberOf
Dim strMember
Dim createdate
Dim strDay
Dim strMonth
Dim strYear
Dim strNewFileName

' FileSystemObject IOMode values (the original had ForWriting and ForAppending swapped)
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

strGroupsFile = "C:\temp\privileged_groups.txt"
strOutputFile = "C:\temp\privileged_group_membership.txt"

Set fso = CreateObject("Scripting.FileSystemObject")

' Check for groups file, quit if it doesn't exist.

If Not fso.FileExists(strGroupsFile) Then
	Wscript.Echo "No groups file available."
	Wscript.Quit
End If

' Check for previous results file, rename with datestamp to prevent overwriting audit information

If fso.FileExists(strOutputFile) Then
	Set strOldFile = fso.GetFile(strOutputFile)
	createdate = strOldFile.DateCreated

	strDay = Day(createdate)
	strMonth = Month(createdate)
	strYear = Year(createdate)

	' Zero-pad day and month so the archived files sort correctly by filename
	If Len(strDay) < 2 Then
		strDay = "0" & strDay
	End If

	If Len(strMonth) < 2 Then
		strMonth = "0" & strMonth
	End If

	strNewFileName = "C:\temp\privileged_group_membership_" & strYear & strMonth & strDay & ".txt"

	' MoveFile raises an error if the target already exists (e.g. the script has already
	' archived a file created today), so quit rather than lose the earlier audit data
	If fso.FileExists(strNewFileName) Then
		Wscript.Echo "Archive file " & strNewFileName & " already exists, not overwriting it."
		Wscript.Quit
	End If

	fso.MoveFile strOutputFile, strNewFileName
End If

' Open privileged groups file and create output file

Set objReadFile = fso.OpenTextFile(strGroupsFile, ForReading)
Set objWriteFile = fso.OpenTextFile(strOutputFile, ForWriting, True)

objWriteFile.Write "Membership of privileged groups as of " & Time & " on " & Date & vbCrLf & vbCrLf & vbCrLf

' Query AD for the membership of each group listed in the privileged groups file and
' write it to the output file

Do Until objReadFile.AtEndOfStream
	strGroupFQDN = Trim(objReadFile.ReadLine)
	' Skip blank lines in the groups file
	If strGroupFQDN <> "" Then
		Set objGroup = GetObject("LDAP://" & strGroupFQDN)
		objWriteFile.Write "Group: " & strGroupFQDN & vbCrLf & vbCrLf
		' GetEx raises an error if the group has no members, so trap that one call only
		On Error Resume Next
		arrMemberOf = objGroup.GetEx("member")
		If Err.Number <> 0 Then
			Err.Clear
			On Error GoTo 0
			objWriteFile.Write "(no members)" & vbCrLf
		Else
			On Error GoTo 0
			For Each strMember In arrMemberOf
				Set strUsername = GetObject("LDAP://" & strMember)
				' Pad short account names with an extra tab so the columns line up
				If Len(strUsername.sAMAccountName) < 8 Then
					objWriteFile.Write strUsername.sAMAccountName & vbTab & vbTab & strMember & vbCrLf
				Else
					objWriteFile.Write strUsername.sAMAccountName & vbTab & strMember & vbCrLf
				End If
			Next
		End If
		Set objGroup = Nothing
		objWriteFile.Write vbCrLf & vbCrLf
	End If
Loop

' Close open objects and quit script.

Wscript.Echo "Script complete."

objReadFile.Close
objWriteFile.Close

Wscript.Quit
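As an added example (not part of the original post) of the change checking mentioned above: a Python script that parses two of the report files this VBScript writes and lists, per group, the members added or removed between them. The two reports are constructed samples with made-up group and account names.

```python
import re

# Constructed samples in the format the VBScript above writes: a header line,
# then "Group: <DN>" blocks whose member lines are "<sAMAccountName>\t[\t]<DN>".
OLD_REPORT = (
    "Membership of privileged groups as of 09:00:00 on 03/08/2011\r\n\r\n\r\n"
    "Group: CN=Domain Admins,CN=Users,DC=example,DC=local\r\n\r\n"
    "jsmith\t\tCN=John Smith,OU=IT,DC=example,DC=local\r\n"
    "administrator\tCN=Administrator,CN=Users,DC=example,DC=local\r\n\r\n\r\n"
    "Group: CN=Exchange Admins,OU=Groups,DC=example,DC=local\r\n\r\n"
    "jsmith\t\tCN=John Smith,OU=IT,DC=example,DC=local\r\n\r\n\r\n"
)
NEW_REPORT = (
    "Membership of privileged groups as of 09:00:00 on 04/08/2011\r\n\r\n\r\n"
    "Group: CN=Domain Admins,CN=Users,DC=example,DC=local\r\n\r\n"
    "administrator\tCN=Administrator,CN=Users,DC=example,DC=local\r\n"
    "svc_backup\tCN=Backup Service,OU=Service Accounts,DC=example,DC=local\r\n\r\n\r\n"
    "Group: CN=Exchange Admins,OU=Groups,DC=example,DC=local\r\n\r\n"
    "jsmith\t\tCN=John Smith,OU=IT,DC=example,DC=local\r\n\r\n\r\n"
)

def parse_report(text):
    """Map each group DN in a report to the set of member DNs listed under it."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue  # header spacing and block separators
        if line.startswith("Group: "):
            current = line[len("Group: "):].strip()
            groups.setdefault(current, set())
        elif current is not None and "\t" in line:
            # One or two tabs separate the account name from the DN (the
            # script pads short names), so split on any run of tabs.
            _, member_dn = re.split(r"\t+", line, maxsplit=1)
            groups[current].add(member_dn.strip())
    return groups

def diff_reports(old_text, new_text):
    """Return {group: {"added": set, "removed": set}} for each group whose
    membership differs; a group missing from one report counts as empty there."""
    old, new = parse_report(old_text), parse_report(new_text)
    changes = {}
    for group in sorted(set(old) | set(new)):
        before, after = old.get(group, set()), new.get(group, set())
        if before != after:
            changes[group] = {"added": after - before, "removed": before - after}
    return changes
```

Point it at the current output file and the newest dated archive, and raise an alert (e-mail, event log entry) whenever `diff_reports` returns anything other than an empty dict.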
