Use PowerShell and Repadmin to Check for Updates to High Privileged Groups

To compliment their AD object auditing, one of my customers asked for a script sample to demonstrate an immediate analysis of membership updates to high privileged groups. Before I embarked upon a nice bit of scripting, I had a quick look to see if anyone had already produced something along those lines. My search quickly turned up this excellent post by Mr Ashley McGlone, aka Goatee PFE:

Forensics: Monitor Active Directory Privileged Groups with PowerShell

Please have a read before continuing...

 

Welcome back!

Unfortunately, my customer can't use the Active Directory Replication cmdlets introduced in Windows Server 2012. I needed to adapt Ashley's function to work with Windows Server 2008 R2. Here's what I did...

Normally, I wouldn't advise using executables with PowerShell unless you really have to. In this instance, given the information that repadmin /showobjmeta provides, there's justification. However, this would mean parsing text rather than dealing with objects... but, if I'm honest, I thoroughly enjoyed the process - 'twas tinged with nostalgia!

 

Ode to Text

Ah, text and AWK,

How I miss thee.

Sed memory:

Sweet reverie.

Eh? Oh, yeah. I adapted Ashley's function to work with repadmin. Here's my version:

Get-ADPrivilegedGroupUpdates Function (featuring Repadmin.exe)

repadmin helpfully identifies the 'type' of group members:

  • LEGACY - this indicates that the member does not support LVR - see here for more information.
  • ABSENT - this indicates that the member has been deleted from the group and is tombstoned
  • PRESENT - this indicates that the member is a member of the group

 

Using the 'type' information I can report on whether a member has been added, removed or if the group contain non-LVR members.

Speaking to Ashely once I'd finished, he pointed me in the direction of another excellent post:

Constructed Properties and LVR (Linked-Value Replication)

 

Now, I must admit, I wasn't aware of the constructed attribute msDS-ReplValueMetaData. I've come across a few other constructed attributes, but not that one. Had I known about it, I wouldn't have gone down the repamin route (despite the Joy of Text). Anyway, let's take a closer look:

(Get-ADGroup -Identity "Schema Admins" -Properties msDS-ReplValueMetaData)."msDS-ReplValueMetaData" | Select -First 1

 

Each member value has its replication metadata stored in XML format for easy parsing. Not only could I use the XML child nodes to work out if the group had been updated in the allotted time frame by using Ashley's comparison, I could also use the fTimeDeleted and fTimeCreated values to work out if a member had been added or removed. Man, more reasons to love PowerShell.

At some point I'll write a new function to make use of msDS-ReplValueMetaData.