There are more than 600 PowerShell cmdlets that ship with Active Directory PowerShell modules. You can use these Active Directory PowerShell cmdlets to query information from Active Directory domains.
One of the tasks an Active Directory administrator continually performs is ensuring the membership of critical security groups remains intact and there are no unwanted users added to critical groups. For example, critical security groups such as Domain Admins, Backup Operators, Administrators, Account Operators, Schema Admins and Enterprise Admins will always need to have a list of users that are approved.
In order to avoid potential risks and issues in the Active Directory environment, unapproved users should not be part of these security groups. For example, anyone who is a member of Domain Admins will have full control over the domain and will be able to perform any unwanted actions that might lead to the unstable operation of the Active Directory.
In today’s Server Tutorial, we’ll be providing a PowerShell script that can help you collect the count of critical security groups. This script uses the
Get-ADGroupMemberPowerShell cmdlet, which is available by default on a domain controller and on any member server that has Active Directory PowerShell modules installed.
However, before you plan to execute the script, prepare your AD environment and script location by following these steps:
First, create a file in the C:Temp folder and list each of your critical security groups one per line. For testing purposes, we have created a file named
Make sure to list the Domain Admins, Backup Operators, Administrators, Account Operators, Schema Admins and Enterprise Admins security group names in the file. The resulting file should look like as shown in the screenshot below:
- Now install Active Directory PowerShell modules on a member server by using the Server Manager.
- Change the $CurForestName variable to include your Active Directory forest name. The current Active Directory Forest name used in the script is “ServerWatch.com”.
- Create a file under “
C:TempGDomList.TXT” and specify the domain names one per line. Note that the script will connect to each Active Directory domain ir order to collect the group membership count.
Tip: Since “Schema Admins” and “Enterprise Admins” security groups are located in the root domain of the Active Directory forest, the script is able to identify the “Enterprise Admins” and “Schema Admins” security groups and then connect to the root of the Active Directory domain to collect the group membership count.
Once you have completed the above steps, you can execute the PowerShell script below from an elevated PowerShell Window.
>$TestCSVFile = "C:TempGroupMemReport.CSV"
Remove-item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString=”Security Group, Total Members, In AD Domain,Final Status”
Add-Content “$TestCSVFile” $ThisString
$GDomList = “C:TempGDomList.TXT”
$CurForestName = “ServerWatch.com”
$ErrorOrNot = “No”
$AnyGap = “No”
Foreach ($ItemName in Get-Content “$GrpMem”)
IF ($ItemName -eq “”)
ForEach ($DomainName in Get-Content $GDomList)
IF ($ItemName -eq “Schema Admins” -or $ItemName -eq “Enterprise Admins”)
$TotMems = Get-ADGroupMember -Identity “$ItemName” -Server $CurForestName -ErrorAction SilentlyContinue
$TotMems = Get-ADGroupMember -Identity “$ItemName” -Server $DomainName -ErrorAction SilentlyContinue
$TotNowCount = $TotMems.Count
IF ($TotNowCount -gt 20)
$FinStatus = “Too many members in Administrative Security Group.”
$AnyGap = “Yes”
Add-Content “$TestCSVFile” $FinalVal
IF ($AnyGap -eq “Yes”)
$TestText = “Administrative Security Groups contain more than 20 members. It is recommended to keep lesser number of members to avoid any crisis in Active Directory environment. Please remove members those are not required and are no longer active.”
IF ($AnyGap -eq “No”)
$TestText = “Administrative Security Groups contain less than 20 members.”
$SumVal = “”
Once the script has finished executing, you should see a CSV report in the C:Temp folder as shown in the screenshot below:
As you can see in the report above, the script checked all the security groups specified in the
C:TempDomainGRPCount.DPCfile and reported the status for each security group. The script checks to see if any critical security group contains more than 20 members in it.
For each critical group that has more than 20 members, it shows “Too Many Members in Administrative Security Group” message in the “Final Status” column. If you would like to change the “20” value to a value of your choice, simply modify “IF ($TotNowCount -gt 20)” line in the script.
This script is part of PowerShell-based Dynamic Packs that ship with the Active Directory Health Profiler, which you can use to perform a complete health check of an Active Directory forest. There are 99 health checks included in the AD Health Profiler.
By using this Active Directory PowerShell script, you’ll get a helpful report listing the number of members in each critical security group you specify in the “
C:TempDomainAdminGRP.DPC” file. You can schedule this script on a member server and have it run daily to help you monitor and maintain the group membership numbers for critical security groups in Active Directory.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at firstname.lastname@example.org.