find when AD users were added or deleted from specific groups

This topic contains 2 replies, has 3 voices, and was last updated by  Tim Pringle 3 years, 2 months ago.

  • #18508

    Charles Hart
    Participant

    I have a project in which I need to find anyone who has been added to or removed from selected AD groups whose names begin with APP_RMS in the last three hours. I need to produce a file that has this information: group| sAMAccountName||date and time

    I know very little about AD and just a little more about PowerShell. I know this should be written in PowerShell; I want to use only PowerShell and no outside tools like repadmin.

  • #18517

    Daniel Krebs
    Moderator

    Hi Charles,

    You'll need to query the Security event log of each domain controller in your domain for specific event IDs via the Get-EventLog or Get-WinEvent cmdlets because group membership changes can happen on any domain controller.

    4728/4729 > A member was added/removed to/from a security-enabled global group
    4732/4733 > A member was added/removed to/from a security-enabled local group
    4756/4757 > A member was added/removed to/from a security-enabled universal group
    4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
    4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
    4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

    An alternative to querying each domain controller would be to set up an event collector on a central logging server and forward the above events. Windows has come with the event collecting and forwarding functionality since Windows Server 2008.

    Best,
    Daniel
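
Added example, not part of Daniel's post or the original thread: one way to run the query described above against every domain controller and write the pipe-delimited file Charles asked for. The output path, the extra action column and the use of the event's `MemberSid` field to resolve the sAMAccountName are assumptions of this example.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and rights to read
# the Security log on every domain controller.
Import-Module ActiveDirectory

$since   = (Get-Date).AddHours(-3)          # "last three hours" from the question
$prefix  = 'APP_RMS*'                       # group name prefix from the question
$outFile = 'C:\Temp\APP_RMS_changes.txt'    # hypothetical output path

# Event ID -> action, using the IDs listed in the post above
$action = @{}
4728, 4732, 4756, 4751, 4746, 4761 | ForEach-Object { $action[$_] = 'Added' }
4729, 4733, 4757, 4752, 4747, 4762 | ForEach-Object { $action[$_] = 'Removed' }

$filter = @{ LogName = 'Security'; Id = [int[]]$action.Keys; StartTime = $since }

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent also raises an error when no event matches the filter
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Flatten the named EventData fields of the event into a hashtable
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # TargetUserName holds the name of the group that was changed
        if ($data['TargetUserName'] -notlike $prefix) { continue }

        try {
            # Resolve the member SID to DOMAIN\sAMAccountName and keep the name part
            $sid = [System.Security.Principal.SecurityIdentifier]$data['MemberSid']
            $sam = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        } catch {
            $sam = $data['MemberSid']       # member no longer resolvable: keep the SID
        }
        [pscustomobject]@{ Group = $data['TargetUserName']; Sam = $sam
                           Action = $action[$e.Id]; Time = $e.TimeCreated }
    }
}

$rows | Sort-Object Time | ForEach-Object {
    '{0}|{1}|{2}|{3:yyyy-MM-dd HH:mm:ss}' -f $_.Group, $_.Sam, $_.Action, $_.Time
} | Set-Content -Path $outFile
```

These events are only written when the Audit Security Group Management and Audit Distribution Group Management audit subcategories are enabled on the domain controllers, and the three-hour window must still be inside each Security log's retention.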

  • #18518

    Tim Pringle
    Participant

    Hey Charles,

    The time that you mention, is this the time when the add/remove action occurred, or the time when the scan ran that detected the add/remove action?

    cheers,

    Tim
