How do you capture and analyze what your (or other administrators’) PowerShell scripts are doing to your Active Directory?
This was the question I lately got from one of our customers so I thought I would also blog my answer for everyone’s benefit.
If this kind of auditing is something that you need – you can fairly easily achieve it by making AD cmdlets access Active Directory via Quest ActiveRoles Server.
Basically, AD cmdlets have a mode (which you can for example switch on in your PowerShell profile) to apply all changes to AD via ActiveRoles proxy, which would then apply all you policies, approvals, and auditing to all changes – no matter where they originate from: UI, command-line, or scripts:
So for example, if I change phone number for all users from Portland:
ActiveRoles will start showing this change in the change history for each of these accounts (including old value, new value, date, time, who made the change and so on):
The same information gets also output to Windows event log:
It also becomes available in SQL Reporting Services reports – so you can sort, filter, export to various formats and so on:
Note that unlike QAD cmdlets this is actually a commercial product so there is cost involved. You can get a trial license from the product page. If you are a Microsoft MVP you can also get a free NFR license by applying here.