I have a project where I need to find anyone who has been added to or removed from selected AD groups whose names begin with APP_RMS in the last three hours. I need to produce a file that has this information: group| sAMAccountName||date and time
I know very little about AD and just a little more about PowerShell. I know this should be written in PowerShell; I want to use only PowerShell and no outside tools like repadmin.
You'll need to query the Security event log of each domain controller in your domain for specific event IDs via the Get-EventLog or Get-WinEvent cmdlets because group membership changes can happen on any domain controller.
4728/4729 > A member was added/removed to/from a security-enabled global group
An alternative to querying each domain controller would be to set up an event collector on a central logging server and forward the above events. Windows has come with event collecting and forwarding functionality since Windows Server 2008.
The time that you mention, is this the time when the add/remove action occurred, or the time when the scan ran that detected the add/remove action?