find when AD users were added or deleted from specific groups

I have a project that I need to find anyone that has been added to or removed from selected AD groups whose names begin with APP_RMS in the last three hours. I need to produce a file that has this information: group | sAMAccountName | date and time

I know very little about AD and just a little more about PowerShell. I know this should be written in PowerShell; I want to use only PowerShell and no outside tools like repadmin…

Hi Charles,

You’ll need to query the Security event log of each domain controller in your domain for specific event IDs via the Get-EventLog or Get-WinEvent cmdlets because group membership changes can happen on any domain controller.

4728/4729 > A member was added/removed to/from a security-enabled global group
4732/4733 > A member was added/removed to/from a security-enabled local group
4756/4757 > A member was added/removed to/from a security-enabled universal group
4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

An alternative to querying each domain controller would be to set up an event collector on a central logging server and forward the above events. Windows has included event collecting and forwarding functionality since Windows Server 2008.

Best,
Daniel
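The following script is an added example of the approach Daniel describes; it is not code from either poster. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the Security log of every domain controller remotely (for example via membership in Event Log Readers), that the groups of interest are named APP_RMS*, and that the output path C:\Temp\APP_RMS_membership_changes.txt is acceptable; all of those are assumptions.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module
# available, remote read access to each DC's Security log, groups named
# APP_RMS*, and the output path below.
Import-Module ActiveDirectory

$Since       = (Get-Date).AddHours(-3)
$GroupPrefix = 'APP_RMS'
$OutFile     = 'C:\Temp\APP_RMS_membership_changes.txt'   # assumed path

# Event IDs from Daniel's reply, mapped to the action each one records.
$Actions = @{
    4728 = 'Added'; 4729 = 'Removed'   # security-enabled global group
    4732 = 'Added'; 4733 = 'Removed'   # security-enabled local group
    4756 = 'Added'; 4757 = 'Removed'   # security-enabled universal group
    4751 = 'Added'; 4752 = 'Removed'   # distribution global group
    4746 = 'Added'; 4747 = 'Removed'   # distribution local group
    4761 = 'Added'; 4762 = 'Removed'   # distribution universal group
}

$Results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # A membership change is logged only on the DC that processed it, so
    # every DC is queried. When a DC has no matching events Get-WinEvent
    # raises a non-terminating "no events found" error, which is suppressed.
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$Actions.Keys
        StartTime = $Since
    }

    foreach ($ev in $events) {
        # Read the named EventData fields from the event XML.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the group; MemberName is the member's distinguished name.
        if ($data['TargetUserName'] -notlike "$GroupPrefix*") { continue }

        $member = $data['MemberName']
        $sam    = $null
        if ($member -and $member -ne '-') {
            try   { $sam = (Get-ADObject -Identity $member -Properties sAMAccountName).sAMAccountName }
            catch { $sam = $member }   # object no longer exists: keep the DN recorded in the event
        }

        [pscustomobject]@{
            Group            = $data['TargetUserName']
            sAMAccountName   = $sam
            Action           = $Actions[$ev.Id]
            Time             = $ev.TimeCreated.ToString('s')
            ChangedBy        = $data['SubjectUserName']
            DomainController = $dc.HostName
        }
    }
}

$Results | Sort-Object Time | Export-Csv -Path $OutFile -Delimiter '|' -NoTypeInformation -Encoding UTF8
```

The events only exist if the audit subcategories Audit Security Group Management and Audit Distribution Group Management are enabled on the domain controllers, so check the effective audit policy before trusting an empty result. Remote reads with Get-WinEvent also need the Remote Event Log Management firewall rules open on each DC; if that is not possible, the same filter can be run locally on each DC or against a collector server as Daniel suggests.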

Hey Charles,

The time that you mention, is this the time when the add/remove action occurred, or the time when the scan ran that detected the add/remove action?

cheers,

Tim