Saturday, June 18, 2016

Check Distribution Groups Created

Some organizations provide self-service for Distribution Groups (DG), that is, users are able to create DGs that are available in the Global Address List for everyone to use. Even if an organization does not have a naming convention in place, it is always important to keep an eye on what DGs are created in case a user creates one that is not acceptable.

To do this, we can use the Get-DistributionGroup cmdlet together with the WhenCreated parameter to search for DGs created in the last week, for example. However, this cmdlet shows who the DG's manager is, but not who actually created it. So, we need to use the Admin Audit Logs feature, already covered in some tips and articles such as the Administrator Audit Logging article by Neil Hobson. Since we will be relying on this feature, it is important that it is enabled and that we keep these logs for as long as we need to.

Another advantage of using these logs is that we can check for DGs that were created and subsequently deleted!

The following basic script will search the Admin Audit Logs for any DG created and return some information about it such as when it was created, by whom and its display name:
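Param (
    [Parameter(Position = 0, Mandatory = $False)]
    [String] $From = "01/01/2016"
)

[Array] $DGs = @()

# Find every New-DistributionGroup call recorded in the Admin Audit Log since $From
Search-AdminAuditLog -StartDate $From -Cmdlets New-DistributionGroup | Sort-Object RunDate | ForEach-Object {
    # ObjectModified and Caller are slash-separated paths; keep only the last segment
    $DG = $_.ObjectModified.Split("/")
    $DG = $DG[$DG.Count - 1]

    $user = $_.Caller.Split("/")
    $user = $user[$user.Count - 1]

    # Resolve the caller's display name from their mailbox
    $userDN = (Get-Mailbox $user).DisplayName

    # One report row per DG created
    $DG = New-Object PSObject -Property @{
        Date      = $_.RunDate
        UserAlias = $user
        UserDN    = $userDN
        DG        = $DG
    }

    $DGs += $DG
}

$DGs | Sort-Object Date | Format-Table Date, UserAlias, UserDN, DG -AutoSize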
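
The point above about DGs that were created and subsequently deleted can be checked by pairing creation and removal entries from the same log. The following is an added example, not part of the original script: the function name Find-ShortLivedDG and the sample entries are hypothetical, and it assumes the New-DistributionGroup and Remove-DistributionGroup entries for a group carry the same ObjectModified value.

```powershell
# Added example: pair each Remove-DistributionGroup audit entry with the
# earlier New-DistributionGroup entry for the same object.
# Assumption: both entries carry the same ObjectModified value.
function Find-ShortLivedDG {
    param (
        [Parameter(Mandatory = $true)]
        [Object[]] $AuditEntries
    )

    $created = @{}   # ObjectModified -> creation entry still awaiting a removal
    foreach ($entry in ($AuditEntries | Sort-Object RunDate)) {
        switch ($entry.CmdletName) {
            'New-DistributionGroup' { $created[$entry.ObjectModified] = $entry }
            'Remove-DistributionGroup' {
                $new = $created[$entry.ObjectModified]
                if ($new) {
                    # Emit one row per group that was created and later removed
                    [PSCustomObject]@{
                        DG        = ($entry.ObjectModified -split '/')[-1]
                        CreatedBy = ($new.Caller -split '/')[-1]
                        Created   = $new.RunDate
                        DeletedBy = ($entry.Caller -split '/')[-1]
                        Deleted   = $entry.RunDate
                        Lifetime  = $entry.RunDate - $new.RunDate
                    }
                    $created.Remove($entry.ObjectModified)
                }
            }
        }
    }
}

# Constructed sample entries (not real audit data) so the function runs offline.
$sample = @(
    [PSCustomObject]@{ CmdletName = 'New-DistributionGroup'; ObjectModified = 'contoso.example/Users/Project X'; Caller = 'contoso.example/Users/alice'; RunDate = [DateTime]'2016-06-13T09:00:00' }
    [PSCustomObject]@{ CmdletName = 'Remove-DistributionGroup'; ObjectModified = 'contoso.example/Users/Project X'; Caller = 'contoso.example/Users/alice'; RunDate = [DateTime]'2016-06-13T09:05:00' }
    [PSCustomObject]@{ CmdletName = 'New-DistributionGroup'; ObjectModified = 'contoso.example/Users/Sales Team'; Caller = 'contoso.example/Users/bob'; RunDate = [DateTime]'2016-06-14T10:00:00' }
)
Find-ShortLivedDG -AuditEntries $sample | Format-Table -AutoSize

# Against Exchange, feed it the real log instead:
# Find-ShortLivedDG -AuditEntries (Search-AdminAuditLog -StartDate "01/01/2016" -Cmdlets New-DistributionGroup, Remove-DistributionGroup)
# Confirm that logging is enabled and that retention covers the period searched:
# Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit
```

With the sample entries, only "Project X" is reported, with a lifetime of five minutes; "Sales Team" has no removal entry and is skipped.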

For a more complete report, please check my Exchange Distribution Group Creation Report article, which generates an HTML report.
