When you add a user to a group (and the user logs on again), the user acquires additional permissions and rights. That may be a good thing! Group membership enables the user to perform job-related duties. However, adding the user to the Enterprise Admins group, for example, provides that user with rights over most of your forest. A user who acquires membership of such high-privilege groups may not have benign intentions and could represent a serious risk. The report you generate using this recipe shows the privileged users and any changes that someone has made to the group membership.
- Create an array for privileged users:
$PUsers = @()
- Query the Enterprise Admins/Domain Admins/Schema Admins groups for members and add them to the $PUsers array:
# Enterprise Admins
$Members = Get-ADGroupMember `
  -Identity 'Enterprise Admins' -Recursive |
    Sort-Object -Property Name
$PUsers += foreach...
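The report is meant to show changes to privileged group membership as well as the current members. The following is an added example, not the recipe's own code, of one way to detect such changes by comparing a current snapshot of the three groups against a saved baseline. The function names, account names and SIDs are hypothetical, and the sample rows are constructed.

```powershell
# Added example, not the recipe's code. Only Get-PrivilegedSnapshot needs the
# ActiveDirectory module; the comparison below runs on the constructed data.
$PrivGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins'

function Get-PrivilegedSnapshot {
  # One row per (group, member); -Recursive expands nested groups
  foreach ($Group in $PrivGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
      Sort-Object -Property Name |
      ForEach-Object {
        [pscustomobject]@{ Group = $Group
                           SamAccountName = $_.SamAccountName
                           Sid = $_.SID.Value }
      }
  }
}

function Compare-PrivilegedSnapshot {
  param([object[]]$Baseline = @(), [object[]]$Current = @())
  # Key on group + SID so a renamed account is not reported as a change
  $Old = @{}; $New = @{}
  foreach ($Row in $Baseline) { $Old["$($Row.Group)|$($Row.Sid)"] = $Row }
  foreach ($Row in $Current)  { $New["$($Row.Group)|$($Row.Sid)"] = $Row }
  foreach ($K in $New.Keys) {
    if (-not $Old.ContainsKey($K)) {
      $New[$K] | Select-Object @{n='Change';e={'Added'}}, Group, SamAccountName, Sid
    }
  }
  foreach ($K in $Old.Keys) {
    if (-not $New.ContainsKey($K)) {
      $Old[$K] | Select-Object @{n='Change';e={'Removed'}}, Group, SamAccountName, Sid
    }
  }
}

# Constructed sample rows with placeholder SIDs (hypothetical accounts)
$Sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$Baseline = @(
  [pscustomobject]@{Group='Enterprise Admins'; SamAccountName='Administrator'; Sid="$Sid-500"}
  [pscustomobject]@{Group='Domain Admins';     SamAccountName='Administrator'; Sid="$Sid-500"}
  [pscustomobject]@{Group='Domain Admins';     SamAccountName='jsmith';        Sid="$Sid-1105"}
)
$Current = @(
  $Baseline[0], $Baseline[1]
  [pscustomobject]@{Group='Schema Admins';     SamAccountName='tjones';        Sid="$Sid-1120"}
)
Compare-PrivilegedSnapshot -Baseline $Baseline -Current $Current |
  Sort-Object -Property Group, SamAccountName
```

On a domain-joined host, save the output of Get-PrivilegedSnapshot with Export-Csv as the baseline and pass a later snapshot as -Current; rows read back with Import-Csv compare correctly because the SID is stored as a string.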