Group Membership Tracking

Real-World Shell Scripting


If you manage a large environment, you've probably delegated responsibility for group memberships to administrators in your domain or organizational unit (OU). Ultimately, though, you're responsible if a user is granted too much access or access that's otherwise inappropriate.

In "Real-World Shell Scripting: Auditing the Membership of Privileged Groups," July 2002,, InstantDoc ID 25275, I described a script that lets you quickly perform a periodic audit of key local and global group memberships on your servers. That script gives you a good snapshot of group memberships for your quarterly audits, but it's not much help when you want to track day-to-day additions to and deletions from group memberships. Discovering a user account with authority that's too generous is important at audit time, but discovering potential problems sooner is better.

Comparing Lists
The GroupMembershipTracker.bat script, which you can find in the Code Library on the Windows Scripting Solutions Web site (, uses the Local and Global utilities from the Microsoft Windows 2000 Server Resource Kit or the Microsoft Windows NT Server 4.0 Resource Kit to periodically list a group's members. The script then compares that list with the previous list.

The code that performs the line-by-line comparison uses the Findstr command to determine whether the new file contains every line entry from the old file and whether the old file contains every line entry from the new file. If something doesn't match, someone has added or deleted a member and a notification event occurs. In addition to sending notification messages, GroupMembershipTracker .bat creates a running timestamped log, in case you need to review the entire history of changes. If no changes exist, no notification event is necessary.

This script assumes you're monitoring key administration groups as opposed to large groups with hundreds of members. The script can perform the latter task but can take a while to complete. Most domains or OUs contain 6 to 10 key groups, such as Domain Admins, OU Admins, GPO Admins, Local PC Admins, and other administrative groups that have sweeping domain powers and whose membership deserves constant attention.

Using Blat
Blat is a freeware utility that lets you send email messages from a command-shell script. In the case of GroupMembershipTracker.bat, Blat lets you send notification messages when any new group is added to the local or global group tracking lists. You can download Blat from For more information about Blat, see "Real-World Scripting: Using Blat to Send Email Notification Messages," November 2000,, InstantDoc ID 15848. The GroupMembershipTracker.bat code shows Blat syntax for SMTP servers that don't require authentication. Review the Blat documentation for information about the -u and -pw authentication switches.

Putting It Together
GroupMembershipTracker.bat is compatible with Windows XP, Win2K, and NT 4.0 systems. To get GroupMembershipTracker.bat running in your environment, perform the following set of steps:

  1. Copy the script into a dedicated folder on the server or workstation on which you plan to schedule the script to run.
  2. Determine the local and global groups that you need to monitor. Create localgroups.txt and globalgroups.txt input lists, and place these files in the folder that holds GroupMembershipTracker.bat. If you have all local and no global groups, or vice versa, you don't need to create an empty input file. If the script can't find an input file, it simply moves on to the other input file.
  3. Configure GroupMembershipTracker.bat for your environment. Listing 1 shows the code that you must change. First, configure the domain in which your local and global groups exist. If you want to track groups in more than one domain, you need to either run additional instances of the script or modify the code to handle additional domains. Next, at the top of the script, configure the To and From email addresses that Blat will use for the email notifications. For the email notification's To address, you can specify multiple recipients by separating the addresses from one another with a comma but no space. Finally, configure the SMTP server name that Blat will use to send the email notification.
  4. Verify that the script's utilities (i.e., now.exe, local.exe, global.exe, and blat.exe) reside in the folder from which the script will run. As Listing 2 shows, the script sets the folder location to the %~dp1 variable. The percent sign (%) specifies a replaceable parameter. The ~dp1 portion tells the scripting engine to capture the drive letter (d) and the path (p). If your script path is C:\AdminScripts\GroupMembershipTracker.bat, the %~dp1 variable contains the C:\AdminScripts folder location information. Thus, if your utilities aren't in the same location as the script or you want to locate input and output files elsewhere, you must modify the code in Listing 2 to point to the utilities' location. (For more information about the %~dp1 variable, see the Web-exclusive sidebar "Two Tricks for Your Scripting Toolbelt,", InstantDoc ID 38418.)
  5. Manually test the script to verify that it's capturing and logging group changes and properly sending email messages. The script creates a temporary file for each group that you've targeted for tracking so that it can compare past script run results with the next script run results. You might want to make your changes to one or two test groups so that you don't affect your production group memberships when you add and delete users to trigger messages.
  6. Determine how often you want the monitoring script to run. You could schedule it to run every few minutes, but once or twice a day is probably sufficient. Use Task Scheduler to schedule the script.

This script is primarily designed to identify unintentional group membership changes. If you're looking for security violations or patterns indicating intentional changes that might necessitate employee discipline or dismissal, you have some additional considerations. You would want to frequently run the script on a PC or server, and you would want to limit knowledge of the script's existence and location. If a user has Change access to the location of the group status files, he or she could potentially edit these files to mask user account additions and removals. To accurately track such intentional activities, you would definitely want to use the script in combination with auditing and Security event-log monitoring.

GroupMembershipTracker.bat can help you get a handle on your key group memberships. The potential for surprises at audit time will diminish, and you'll have an "extra set of eyes" for tracking group members to be sure that no security breaches occur because of incorrect group memberships in your domain or OU.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.