I knew it would be a great learning opportunity when Francois-Xavier Cat Sir agreed to take me in his team for the Winter Scripting Games this year.
FX Sir posted about this great Script which will monitor your AD Group for any changes and then email you the changes if any.
You can find the blog post here
Now while reading the post I had a question...So I did comment on the post there:
Well until recently I found out that it could be done very easily.
So in today's blog post I will show how to trigger a PowerShell Script when a Group in AD is modified.
I got the answer to above question while reading this great book on WMI by Ravi Sir suggested to me by Laerte Junior Sir. You can find the book here
If you haven't guessed it by now the answer to making it possible is --- Wait for it "WMI Eventing".
I read this very cool thing on a blog:
"The M in WMI stands for Magic" - Kim Oppalfens
So without further delay let's dive into the stuff.
I have two Scripts in place..doing all this on my Domain Controller:
The Dex.ps1 creates a Event Filter and then creates a CommandLine Event Consumer and then finally binds those two together......Yeah and it uses CIM Cmdlets which makes life pretty easy.
Yay!! demo time:
I have a test group in my AD by the name "DexTestGroup" and it doesn't have any members yet ....see below:
Now let me setup the monitor for this Group before I do any changes:
All set .....let's add a User to this Group and see what happens:
I have shared this idea with FX Sir and he will soon be incorporating this stuff in his Monitor AD Script ...Monitor his blog for the new version of the Monitor AD Script ;)
This will be really cool as now you won't have to setup a task in Scheduler which runs every minute....Whenever there is a change it will just trigger the Script......awesome !
It is pretty amazing what you can achieve when you start using WMI Eventing...
Try out this stuff....you can make a lot of changes to the Script on your own and use it.
Let me know if you run into any problems !!
~Regards~
I got the answer to above question while reading this great book on WMI by Ravi Sir suggested to me by Laerte Junior Sir. You can find the book here
If you haven't guessed it by now the answer to making it possible is --- Wait for it "WMI Eventing".
I read this very cool thing on a blog:
"The M in WMI stands for Magic" - Kim Oppalfens
So without further delay let's dive into the stuff.
I have two Scripts in place..doing all this on my Domain Controller:
- Dex.ps1 -- Which will create the permanent Event Consumer to monitor the Group.
- Test.ps1 -- The Script which gets executed when the Event occurs.
To be more precise here the "Event" here is when the changes are made to the AD group (in my example "DexTestGroup") and this event will fire up our script Test.ps1 (for simplicity hardcoded this one).
So below is the Dex.ps1 which will take the Group name as an argument which needs to be monitored of the changes :
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 3.0 | |
| [CmdletBinding()] | |
| PARAM( | |
| [Parameter(Mandatory,HelpMessage="You must specify at least one Active Directory group")] | |
| [ValidateNotNull()] | |
| [string]$Group #Can add validateScript to get a valid Group only...probably in next post | |
| ) | |
| Write-Verbose -Message " Creating the Filter to Monitor Group $Group" | |
| $hash = @{ | |
| QueryLanguage="WQL"; | |
| Query = "Select * From __InstanceModificationEvent Within 5 Where TargetInstance ISA 'ds_group' AND TargetInstance.ds_name = '$group'"; | |
| Name="DexFilter"; | |
| EventNameSpace="root/directory/LDAP" | |
| } | |
| try | |
| { | |
| $InstanceFilter = New-CimInstance -ClassName __EventFilter -Namespace root/subscription -Property $hash -Verbose -ErrorAction Stop | |
| } | |
| catch | |
| { | |
| Write-Error -Message "Something wen't wrong while creating Filter" | |
| } | |
| #region CommandLineEventConsumer | |
| Write-Verbose -Message " Creating the Consumer to fire up C:\test.ps1" | |
| $hash =@{ | |
| Name = "DexConsumer"; | |
| CommandLineTemplate="powershell.exe -file C:\test.ps1 -group $group"; | |
| } | |
| try | |
| { | |
| $instanceconsumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $hash -Verbose -ErrorAction Stop | |
| } | |
| catch | |
| { | |
| Write-Error -Message "Something wen't wrong while creating Consumer" | |
| } | |
| #endregion | |
| #region create a binding between the Consumer and Filter | |
| Write-Verbose -Message "trying to bind the filter and consumer" | |
| try | |
| { | |
| $hash = @{ | |
| Filter = [ref]$InstanceFilter; #We have to pass a reference to the Filter and Consumer. | |
| Consumer=[ref]$instanceconsumer | |
| } | |
| $instancebinding= New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $hash -Verbose -ErrorAction stop | |
| } | |
| catch | |
| { | |
| Write-Error -Message "Something wen't wrong while creating the binding" | |
| } | |
| #endregion | |
| Write-Verbose -Message " Script Completed" |
Now I have a simple test.ps1 which doesn't do much ...have a look below
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PARAM([string]$Group) | |
| #Instead of this Script you can use the AD Monitor Script by Francois-Xavier Cat | |
| "" | Out-File C:\temp\dexter.log -Force #create an empty file | |
| Add-Content -Path C:\temp\dexter.log -Value "$(get-date)" | |
| Add-Content -Path C:\temp\dexter.log -Value "C:\test.ps1 writing Group param has value $group" | |
| Add-Content -Path C:\temp\dexter.log -Value "Magic happening" | |
| Add-Content -Path C:\temp\dexter.log -Value "Dexter You are awesome...hehehe ;)" |
The Dex.ps1 creates a Event Filter and then creates a CommandLine Event Consumer and then finally binds those two together......Yeah and it uses CIM Cmdlets which makes life pretty easy.
Yay!! demo time:
I have a test group in my AD by the name "DexTestGroup" and it doesn't have any members yet ....see below:
Now let me setup the monitor for this Group before I do any changes:
All set .....let's add a User to this Group and see what happens:
I have shared this idea with FX Sir and he will soon be incorporating this stuff in his Monitor AD Script ...Monitor his blog for the new version of the Monitor AD Script ;)
This will be really cool as now you won't have to setup a task in Scheduler which runs every minute....Whenever there is a change it will just trigger the Script......awesome !
It is pretty amazing what you can achieve when you start using WMI Eventing...
Try out this stuff....you can make a lot of changes to the Script on your own and use it.
Let me know if you run into any problems !!
~Regards~