Here's a real quick powershell monitor to check for changes to your Active Directory protected objects
It takes every item where the attribute 'admincount' has been set to '1' and compares its metadata attribute LastOriginatingChangeTime for recent (within the past hour) changes.
Core script cribbed wholesale from here : http://blogs.technet.com/b/ashleymcglone/archive/2014/12/17/forensics-monitor-active-directory-privileged-groups-with-powershell.aspx
A breakdown of Protected Groups and the admincount attribute can be found here : AdminSDHolder, Protected Groups and SDPROP
The server 2008R2 protected groups are:
Account Operators
Administrator
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Krbtgt
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
And any other objects on which you've set the admincount flag to 1.
Two flaws with this incarnation are that the domain controller has to be hard coded, as well as the number of hours back to search for changes. I have yet to figure out how to get a powershell monitor to accept parameters from the script arguments field.
Three flaws - needs better error handling.
(cue fanatical devotion to the Pope, et al.)
Any and all suggestions would be appreciated. All kudos go to the inestimable Ashley McGlone, a man whose powershell efforts have made me look far, far smarter than I am.
<# Monitor privileged accounts in AD
Cribbed from
Requires AD module for windows powershell
#>
Import-Module ActiveDirectory
$Server = 'DOMAINCONTROLLER' # (Get-ADDomainController -Discover | Select-Object -ExpandProperty HostName)
$Hour = 1 # how many hours back to look for changes
# Every group whose AdminCount is 1: the protected groups plus anything you flagged yourself
$ProtectedGroups = Get-ADGroup -Filter 'AdminCount -eq 1' -Server $Server
$Members = @()
ForEach ($Group in $ProtectedGroups) {
    # Linked-value metadata gives one row per member, each with its own LastOriginatingChangeTime
    $Members += Get-ADReplicationAttributeMetadata -Server $Server `
        -Object $Group.DistinguishedName -ShowAllLinkedValues |
        Where-Object {$_.IsLinkValue} |
        Select-Object @{name='GroupDN';expression={$Group.DistinguishedName}}, `
            @{name='GroupName';expression={$Group.Name}}, *
}
# Groups with a member add/remove inside the window; @() keeps .count reliable for a single hit
$Results = @($Members | Where-Object {$_.LastOriginatingChangeTime -gt (Get-Date).AddHours(-1 * $Hour)} |
    Select-Object -ExpandProperty GroupName)
If ($Results.count -eq 0) {
    Write-Host "Message: No changes detected on privileged AD accounts."
    Write-Host "Statistic: 0"
    exit 0
} else {
    Write-Host "Message: Change detected on the following privileged AD account(s) : $Results."
    Write-Host "Statistic: 1"
    exit 0
}
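Here is an added, parameterised version of the same check (example code written for this page, not the original post's script or Ashley McGlone's). It assumes the ActiveDirectory module is present and that the monitoring product hands its script arguments field to the param() block; it also covers user objects with AdminCount 1, which the original script does not, and reports a failure instead of a clean run when the query throws.

```powershell
<# Added example, not the original post's code. Assumes: ActiveDirectory module present; script
   arguments arrive as -Server / -Hours / -IgnoreAttribute; Message:/Statistic: output kept. #>
param(
    [string]$Server,                                      # blank = discover a DC
    [int]$Hours = 1,                                      # look-back window
    [string[]]$IgnoreAttribute = @('lastLogonTimestamp')  # routinely updated attributes to skip on accounts
)
Import-Module ActiveDirectory -ErrorAction Stop
function Get-PrivilegedChange {
    param([string]$Server, [int]$Hours, [string[]]$IgnoreAttribute)
    $since = (Get-Date).AddHours(-1 * $Hours)
    $changes = @()
    # Protected groups: a member add/remove is a linked-value change on 'member', one row per member
    foreach ($group in (Get-ADGroup -Filter 'AdminCount -eq 1' -Server $Server)) {
        $changes += @(Get-ADReplicationAttributeMetadata -Server $Server -Object $group.DistinguishedName -ShowAllLinkedValues |
            Where-Object { $_.IsLinkValue -and $_.LastOriginatingChangeTime -gt $since } |
            ForEach-Object { [pscustomobject]@{ Object = $group.Name; Attribute = $_.AttributeName
                                                Value = $_.AttributeValue; Changed = $_.LastOriginatingChangeTime } })
    }
    # Protected accounts: any replicated attribute written in the window (password, UAC flags, SPNs ...)
    foreach ($user in (Get-ADUser -Filter 'AdminCount -eq 1' -Server $Server)) {
        $changes += @(Get-ADReplicationAttributeMetadata -Server $Server -Object $user.DistinguishedName |
            Where-Object { $_.LastOriginatingChangeTime -gt $since -and $_.AttributeName -notin $IgnoreAttribute } |
            ForEach-Object { [pscustomobject]@{ Object = $user.SamAccountName; Attribute = $_.AttributeName
                                                Value = $null; Changed = $_.LastOriginatingChangeTime } })
    }
    return $changes
}
try {
    if (-not $Server) {
        $Server = Get-ADDomainController -Discover -Service ADWS | Select-Object -ExpandProperty HostName
    }
    $found = @(Get-PrivilegedChange -Server $Server -Hours $Hours -IgnoreAttribute $IgnoreAttribute)
} catch {
    # Surface the failure rather than silently reporting "no changes"
    Write-Host "Message: Monitor failed against $Server : $($_.Exception.Message)"
    Write-Host "Statistic: -1"
    exit 1
}
if ($found.Count -eq 0) {
    Write-Host "Message: No changes detected on privileged AD objects in the last $Hours hour(s)."
    Write-Host "Statistic: 0"
} else {
    $summary = ($found | ForEach-Object { "$($_.Object)/$($_.Attribute) $($_.Value) at $($_.Changed)" }) -join '; '
    Write-Host "Message: Change detected on privileged AD object(s): $summary"
    Write-Host "Statistic: $($found.Count)"
}
exit 0
```

Alert on Statistic greater than 0; the Message line carries object, attribute, value and timestamp so each hit can be matched against the domain controller's security event log.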