users added to group last month [SOLVED]

by lopyeg at 2013-02-06 00:58:42

Hello, guys.
Please help me with the task of listing AD users who were added to an AD group in the last month.

I think it is possible, but not with my level of PoSh

Thank you a lot for the help.
My appreciation
by Klaas at 2013-02-06 03:17:31
I can’t find a property that keeps this information. Do you know the name of such a property and to which object it belongs?
by lopyeg at 2013-02-06 03:39:38
No I don’t(
I have tried memberof property searching, get-adgroupmember | gm - nothing helped
I hope that forum’s guru will help
by lopyeg at 2013-02-06 03:55:23
but when I input Get-ADGroupMember GROUPNAME | ft name
it returns the list of users not in alphabetical order… I guess it is the order of adding to the group
so the PC knows the time of adding, doesn’t it?
by Klaas at 2013-02-06 04:11:32
I don’t think so. The default order is probably on SID or objectGUID of the user.
If there’s no property to use, I guess you have to collect group membership now and compare with the outcome a month from now.
by lopyeg at 2013-02-06 05:17:28
Maybe you are right. I’ve added some new users and they are not at the end of the list((( It was an encouraging idea…
It’s a pity

Thanks for the responses.
by ArtB0514 at 2013-02-06 08:48:58
AD records the date-time that an object is changed, but not the details of the change. They are stored in the Security event log on the domain controller. A log collection utility would be very helpful here, but you can do it in PowerShell. Here’s a snippet of code that collects the change data:
$SavedData = @()
# Look back to midnight of the previous day
$Since = (Get-Date).AddDays(-1).Date
$filter = @{LogName='Security';StartTime=$Since}
Get-WinEvent -FilterHashTable $filter | Where-Object {$_.TaskDisplayName -Match "Changes|Management"} | foreach {
    # Split the event message into its non-empty lines
    $msg = $_.Message -Split "`n" | Where-Object {$_.Trim().Length -gt 1}
    # Lines before the first 'Attribute' line describe the change itself
    $aValues = @()
    for ($i=1;$i -lt $msg.Count;$i++) {If ($msg[$i] -notmatch 'Attribute') {$aValues += $msg[$i].Replace("`t",' ')} else {Break}}
    # The remaining lines list the changed attributes
    $cValues = @()
    If ($i -lt $msg.Count) {For ($i;$i -lt $msg.Count;$i++) {$cValues += $msg[$i].Replace("`t",' ')}}
    $SavedData += New-Object PsObject -Property @{
        'Time' = get-date -date $_.TimeCreated -Format G
        'Server' = ($_.MachineName.Substring(0,$_.MachineName.IndexOf('.')).ToUpper())
        'Event ID' = $_.ID
        'Category' = $_.TaskDisplayName
        'Level' = $_.LevelDisplayName
        'Status' = $_.KeywordsDisplayNames[0]
        'User' = $_.UserID
        'Change' = $msg[0]
        'Change Details' = $aValues -Join "`n"
        'Changed Attributes' = $cValues -Join "`n"
    }
}

You’ll need to collect the data from every domain controller in the network, since event logs aren’t replicated by default. Also, you need to know how frequently the Security log rolls over and run the collection before that happens.
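
The collection described in the answer above, narrowed to group-membership additions and run against every domain controller, as an added example that is not part of the original thread. It assumes the ActiveDirectory module, that "Audit Security Group Management" auditing is enabled, and that the caller may read the Security log on each DC; the function name Get-GroupMemberAddition is hypothetical.

```powershell
# Added example: group-membership additions from the Security log of every DC.
# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
Import-Module ActiveDirectory

function Get-GroupMemberAddition {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # sAMAccountName of the group
        [datetime] $Since = (Get-Date).AddMonths(-1),
        [string[]] $ComputerName = (Get-ADDomainController -Filter *).HostName
    )
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since }
    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Also reached when a DC simply has no matching events in the window.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Read the named EventData fields instead of parsing the localized message text.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $GroupName) { continue }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Server    = $dc
                EventId   = $e.Id
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']   # distinguished name of the added account
                MemberSid = $data['MemberSid']
                AddedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# GROUPNAME is the placeholder used in the thread.
Get-GroupMemberAddition -GroupName 'GROUPNAME' | Sort-Object Time | Format-Table -AutoSize
```

Events older than the Security log's retention on a given DC are not returned, so a one-month window is only complete if the logs have not rolled over in that time.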
by lopyeg at 2013-02-06 23:40:17
Thanks for the script.
I will try it… I don’t know if I have access rights to view the logs (the DC is on the remote side…)

Thanks for the help, ArtB0514.