Retrieving time stamp of when a user was added to a group

by bdizzle at 2013-03-01 10:51:41

I’m trying to retrieve from AD the timestamp that shows when a user was added to a group. I know repadmin /showobjmeta will give me that data, but I’m not sure how to store the data as an object since I’m calling an external exe from withing powershell.

Any help will be appreciated
by coderaven at 2013-03-01 12:34:28
So are you wanting to do this for a long period of time or just this one time?

My approach would be to make sure that Audit Account Management enabled in your audit policy so you are logging the correct messages. After that you can use PowerShell to search through the security log on the domain controllers looking for the different event IDs that pertain to group membership. Further you can filter the message detail for a particular group or user. Keep in mind, that if you do something like this, you have to look at every DC and your history would depend on many factors.

If repadmin is truly giving you what you want, can you give me a little more of the process?
by bdizzle at 2013-03-04 07:15:33
I’ve figured out how to retrieve the timestamp for the objects by looking at the msDS-ReplValueMetaData in AD. I’m having another issue now. When I run repadmin /showobjmeta for certain groups, this is the output I get:

Type Attribute Last Mod Time Originating DSA Loc.USN Org.USN Ver Distinguished Name

======= ============ ========= ==== ===================== ======= ======= === ===================================

ABSENT member 2013-03-01 13:19:56 Site\DC01 144524860 477402802 8 CN=User1,OU=Accounts,DC=corp,DC=com

PRESENT member 2012-10-28 00:11:43 Site\DC02 177210627 319837093 1 CN=User2,OU=Accounts,DC=corp,DC=com

After some research it seems type absent means the object has been tombstoned, and I’d like to return that type programatically, but I’m not sure how to retrieve it. Here’s the code I have so far:

$csv = @("group1", "group2")
$outputObjects = @()
foreach ($group in $csv) {

$Identity = Get-ADObject -Identity (Get-ADGroup -Identity $group)
$ConfigNCDN = (Get-ADRootDSE).ConfigurationNamingContext
$SchemaNCDN = (Get-ADRootDSE).SchemaNamingContext
$ObjectDN = $Identity.DistinguishedName
[string]$xmlString = (Get-ADObject -Filter ‘distinguishedName -eq $ObjectDN’ -properties "msDS-ReplValueMetaData")."msDS-ReplValueMetaData"
$xmlObj = [xml]("<root>"+$xmlString.Replace([char]0," ")+"</root>")

foreach ($user in $xmlObj.root.DS_REPL_VALUE_META_DATA) {
#Check to see if the group in $csv is empty
if ((Get-ADGroup $ -Properties members).members.count -eq 0) {

else {
$tmpUser = Get-ADUser -Identity $user.pszObjectDn

try {
Get-Mailbox $user.pszObjectDn -ErrorAction:stop | Out-Null
$errStatus = "success"

catch {
$errStatus = "fail"

write-host "user added at" $user.ftimeCreated