
September 3, 2014 at 5:19 pm

I have a project in which I need to find anyone who has been added to or removed from selected AD groups that begin with APP_RMS in the last three hours. I need to produce a file that has this information: group| sAMAccountName||date and time

I know very little about AD and just a little more about PowerShell. I know this should be written in PowerShell; I want to use only PowerShell and no outside tools like repadmin.

September 3, 2014 at 11:40 pm

Hi Charles,

You'll need to query the Security event log of each domain controller in your domain for specific event IDs via the Get-EventLog or Get-WinEvent cmdlets because group membership changes can happen on any domain controller.

4728/4729 > A member was added/removed to/from a security-enabled global group
4732/4733 > A member was added/removed to/from a security-enabled local group
4756/4757 > A member was added/removed to/from a security-enabled universal group
4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

An alternative to querying each domain controller would be to set up an event collector on a central logging server and forward the above events. Windows has included event collecting and forwarding functionality since Windows Server 2008.

Best,
Daniel
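As an added example (not code from either poster), the script below puts Daniel's answer into practice: it enumerates the domain controllers, reads the twelve event IDs listed above from each DC's Security log for the last three hours, keeps only events whose target group starts with APP_RMS, resolves the member's distinguished name to a sAMAccountName, and writes a pipe-delimited file. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log remotely on every DC, that the "time" wanted is the event's TimeCreated (when the change happened on that DC), and that the output layout is group|sAMAccountName|action|time; the output path and the field names read from the event XML (TargetUserName, MemberName, MemberSid) are the ones these events use, but treat the script as a starting point to verify in your own domain.

```powershell
# Added example, not from the original thread. Audits membership changes to
# groups named APP_RMS* across all domain controllers in the last three hours.
# Assumptions: ActiveDirectory module available, remote Security-log read
# permission on each DC, output format group|sAMAccountName|action|time.
Import-Module ActiveDirectory

$GroupPrefix = 'APP_RMS'
$Since       = (Get-Date).AddHours(-3)
$OutFile     = Join-Path $env:TEMP 'APP_RMS_membership_changes.txt'   # assumed path

# Event IDs from the list above, split by the action they record.
$AddIds    = 4728, 4732, 4756, 4751, 4746, 4761
$RemoveIds = 4729, 4733, 4757, 4752, 4747, 4762

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named EventData field from the event XML rather than relying on
    # positional Properties[] indexes, which differ between event IDs.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $AddIds + $RemoveIds
            StartTime = $Since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; only warn on real failures.
        if ($_.Exception.Message -notlike 'No events were found*') {
            Write-Warning "Could not read Security log on ${dc}: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        $group = Get-EventDataValue -Event $e -Name 'TargetUserName'
        if ($group -notlike "$GroupPrefix*") { continue }

        # MemberName holds the member's distinguished name; resolve it to sAMAccountName.
        $memberDn = Get-EventDataValue -Event $e -Name 'MemberName'
        $sam = $null
        if ($memberDn -and $memberDn -ne '-') {
            try {
                $sam = (Get-ADObject -Identity $memberDn -Properties sAMAccountName).sAMAccountName
            } catch {
                # Object may have been deleted since the change; fall through to the SID.
            }
        }
        if (-not $sam) { $sam = Get-EventDataValue -Event $e -Name 'MemberSid' }

        $action = if ($e.Id -in $AddIds) { 'Added' } else { 'Removed' }

        [pscustomobject]@{
            Group            = $group
            sAMAccountName   = $sam
            Action           = $action
            Time             = $e.TimeCreated
            DomainController = $dc
        }
    }
}

# Write one pipe-delimited line per change, oldest first.
$results |
    Sort-Object Time |
    ForEach-Object {
        '{0}|{1}|{2}|{3:yyyy-MM-dd HH:mm:ss}' -f $_.Group, $_.sAMAccountName, $_.Action, $_.Time
    } |
    Set-Content -Path $OutFile -Encoding UTF8

Write-Host "Wrote $(@($results).Count) change(s) to $OutFile"
```

Two points worth checking before relying on this: the 4728-series events are only written when the "Audit Security Group Management" (and, for distribution groups, "Audit Distribution Group Management") subcategory is enabled on the DCs, so confirm that policy first; and because each DC logs only the changes it processed, skipping a DC that is unreachable (the warning branch above) means those changes are missed for that run, which is the gap Daniel's central event collector closes.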

September 4, 2014 at 1:51 am

Hey Charles,

The time that you mention, is this the time when the add/remove action occurred, or the time when the scan ran that detected the add/remove action?

cheers,

Tim