Audit PowerShell changes in AD

How do you capture and analyze what your (or other administrators’) PowerShell scripts are doing to your Active Directory?

This was the question I lately got from one of our customers so I thought I would also blog my answer for everyone’s benefit.

If this kind of auditing is something that you need – you can fairly easily achieve it by making AD cmdlets access Active Directory via Quest ActiveRoles Server.

Basically, AD cmdlets have a mode (which you can for example switch on in your PowerShell profile) to apply all changes to AD via ActiveRoles proxy, which would then apply all you policies, approvals, and auditing to all changes – no matter where they originate from: UI, command-line, or scripts:

AD cmdlets and Quest ActiveRoles Server

So for example, if I change phone number for all users from Portland:

Change phone number with PowerShell

ActiveRoles will start showing this change in the change history for each of these accounts (including old value, new value, date, time, who made the change and so on):

See AD object change history

The same information gets also output to Windows event log:

AD change events in eventlog

It also becomes available in SQL Reporting Services reports – so you can sort, filter, export to various formats and so on:

AD object change report

Note that unlike QAD cmdlets this is actually a commercial product so there is cost involved. You can get a trial license from the product page. If you are a Microsoft MVP you can also get a free NFR license by applying here.

Tags: , , , , , ,

3 Responses to “Audit PowerShell changes in AD”

  1. 1 Rick August 5, 2009 at 7:52 pm

    Hi Dmitry,

    Great post. Now that NetPro is Quest. I am curious about the road map of technologies that seem to be overlapping from former NetPro’s Change Auditor to Quest Active Roles.


  2. 2 Dmitry Sotnikov August 6, 2009 at 8:03 pm


    Yep, Change Auditor is a great product and one of the jewels Quest got by acquiring NetPro. There is integration work on the ways to integrate with relevant Quest offerings so stay tuned. 🙂


  1. 1 Auditing the PowerShell AD CMDLETS! | Bob's Identity & Access Blog Trackback on July 5, 2013 at 5:29 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

August 2009

%d bloggers like this: