Weekly Active Directory Audit Report PowerShell

Recently a request came in from our security team to audit recently create, deleted AD object, accounts due to expire (this is for third party users) and modified / created group policy objects so that they would be able to trace the changes happening in Active Directory.

I decided to write a PowerShell script that will export the required information and then send a the csv export to the user that require the information.

This could also be used to import the data to a dashboard by either using the CSV files or if the dashboard can use direct PowerShell script like PowerBI.

First there are some mandatory parameters. Exportpath and domain.

To allow the script to be run without emailing the csv I have left the smtpserver, to and from address as not mandatory parameters.

The script used two different modules

Group Policy:


To install these go on a Windows server go to add roles and features and select Group policy Management

and under RSAT enabled the Active Directory module.

Once all the features are enable we can run the script.

I have set the default time to last 7 days but if you want to go back further then update the date value.

To run the script so that it just export local without email the reports use the below.

.\WeeklyAD_AuditReport_V1.ps1 -exportPath c:\Temp\AD_Audit\ -domains domian.local

To email the report use the below

.\WeeklyAD_AuditReport_V1.ps1 -SMTPServer mailserver.domain.local -toAddress administrator@domain.local -FromAddress ADreport@domain.local -exportPath c:\Temp\AD_Audit\ -domains domian.local

Once the script completes we can check that the csv files have been created.

If the SMTP server parameter is set, the script will send a email and add the csv as attachments.

Below is what the outputs should look like.


Deleted Objects:

Account expire:

The full script can be downloaded from the below link to my GitHub.

Scripts/ActiveDirectory/WeeklyReport at master · TheSleepyAdmin/Scripts (github.com)

The script can then be set to run as a scheduled task to run on a weekly scheduled.

4 thoughts on “Weekly Active Directory Audit Report PowerShell

  1. Great report! How can I add a filter for a specific OU or Security Group to run this report against? I only need events from that group. For the Parameters, what format do I put in my domain specific information in that section of the script? Thanks!


    1. Hi Kyle

      Sorry for the late reply I was off the last week. If you want to search a specific OU you can add the -SearchBase and then added the OU. It would need to be added to each get-adobject and get-aduser command, the get-gpo command doesn’t have that parameter so can’t be used with that. Not sure what part you want to filter by group though.


  2. How would you add who created an Active Directory object within the report? The name,type,and when are listed but it would be nice to have which user created the object/deleted an object.


    1. Hi Vincent

      The details of the users that create or deleted and object is audited as a windows event and not logged to AD. This can be done but it would be a bit difficult as auditing needs to be enabled on the domain controllers and event is only logged on the DC that the change is made on.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s