find when AD users were added or deleted from specific groups

This topic contains 2 replies, has 3 voices, and was last updated by Tim Pringle 2 years, 3 months ago.

  • #18508
    Charles Hart
    Participant

    I have a project where I need to find anyone that has been added to or removed from selected AD groups whose names begin with APP_RMS in the last three hours. I need to produce a file that has this information: group| sAMAccountName||date and time

    I know very little about AD and just a little more about PowerShell. I know this should be written in PowerShell; I want to use only PowerShell and no outside tools like repadmin.

  • #18517
    Daniel Krebs
    Participant

    Hi Charles,

    You'll need to query the Security event log of each domain controller in your domain for specific event IDs via the Get-EventLog or Get-WinEvent cmdlets because group membership changes can happen on any domain controller.

    4728/4729 > A member was added/removed to/from a security-enabled global group
    4732/4733 > A member was added/removed to/from a security-enabled local group
    4756/4757 > A member was added/removed to/from a security-enabled universal group
    4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
    4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
    4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

    An alternative to querying each domain controller would be to set up an event collector on a central logging server and forward the above events. Windows has included event collecting and forwarding functionality since Windows Server 2008.

    Best,
    Daniel
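
    As an added example (not code from either poster), here is a PowerShell script that does what the reply describes: pull the group-membership event IDs listed above from every domain controller's Security log for the last three hours, keep only groups whose name starts with APP_RMS, and write group|sAMAccountName|action|time lines to a file. It assumes the ActiveDirectory RSAT module is installed, that the caller can read each DC's Security log remotely, and the output path is a placeholder.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and remote read access to each DC's Security log.
Import-Module ActiveDirectory

$GroupPrefix = 'APP_RMS'                      # prefix from the question
$Since       = (Get-Date).AddHours(-3)
$OutFile     = '.\group-changes.txt'          # assumed output path
$AddIds      = 4728, 4732, 4756, 4751, 4746, 4761   # member added
$RemoveIds   = 4729, 4733, 4757, 4752, 4747, 4762   # member removed

# Pull one named field out of the event's EventData section.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $AddIds + $RemoveIds
            StartTime = $Since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; report anything else.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($dc.HostName): $_"
        }
        continue
    }
    foreach ($e in $events) {
        $group = Get-EventField -Event $e -Name 'TargetUserName'   # the group
        if ($group -notlike "$GroupPrefix*") { continue }
        # MemberName is the member's distinguishedName; resolve to sAMAccountName.
        $memberDn = Get-EventField -Event $e -Name 'MemberName'
        $sam = $memberDn
        try { $sam = (Get-ADObject -Identity $memberDn -Properties sAMAccountName).sAMAccountName } catch {}
        [pscustomobject]@{
            Group  = $group
            Member = $sam
            Action = if ($e.Id -in $AddIds) { 'Added' } else { 'Removed' }
            Time   = $e.TimeCreated
        }
    }
}

$results | Sort-Object Time | ForEach-Object {
    '{0}|{1}|{2}|{3}' -f $_.Group, $_.Member, $_.Action, $_.Time.ToString('s')
} | Set-Content -Path $OutFile
```

    The event's TimeCreated is when the change was made on that DC, not when the script ran, so scheduling the script every three hours gives a continuous record without gaps.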

  • #18518
    Tim Pringle
    Participant

    Hey Charles,

    The time that you mention, is this the time when the add/remove action occurred, or the time when the scan that detected the add/remove action ran?

    cheers,

    Tim
