ADSpider: monitor Active Directory changes in real time

ADSpider

Tool for monitoring Active Directory changes in real-time without getting all objects. Instead, it uses replication metadata and Update Sequence Number (USN) to filter the current properties of objects.

How to use

git clone https://github.com/DrunkF0x/ADSpider.git

PowerShell module for Active Directory

Just run the module in the powershell session from the domain user. For better performance use domain controller FQDN instead of IP address.

Import-module .\ADSpider.ps1
Invoke-ADSpider -DC DC01.domain.com

Non-domain computer

Start a powershell session with a domain user with runas. Check that the domain controller is accessible. For better performance use domain controller FQDN instead of IP address.

## From cmd or powershell
runas /netonly /u:domain.com\MyUser powershell
## From powershell
Import-module .\ADSpider.ps1
Invoke-ADSpider -DC DC01.domain.com

Parameters

DC – domain controller FQDN.
Formatlist – output in list instead of table.
ExcludelastLogonTimestamp – exclude lastLogonTimestamp events from output
DumpAllObjects – dump all active directory before start. In case of changes It will show you all previous values. But in large domains use it on your own risk (time and resource consuming).
Short – in output will be only AttributeName, AttributeValue, LastOriginChangeTime and Explanation.
Output – create XML file with all output.
ExcludeObjectGUID – exclude Active Directory object with specific GUID.
Sleep – time interval between requests for USN number. By default – 30 seconds.
USN – specify started USN.
DisplayXML – display previous captured XML file.

Source: https://github.com/DrunkF0x/