When a computer was removed from a group

This topic contains 2 replies, has 3 voices, and was last updated by Tim E Lane 1 year, 11 months ago.

  • #30569

    Partho Sankar Roy
    Participant

    Hello guys, is there any way I can use PowerShell to get the history of when an AD computer was removed from a specific group?

  • #30570

    Don Jones
    Keymaster

    It's likely this information would only be available in the Security Event Log, and only if you're auditing that event on those group objects. If you are, you could use Get-EventLog to scan the log, although you'd need to do so on every DC where the change could possibly have been made.

  • #30580

    Tim E Lane
    Participant

    I'm sure Don's correct. You could only track it down through the 4729 events on your DCs. Get-WinEvent often seems to be a bit quicker for this type of task. Just finished working on something similar when I saw this post so thought I'd chime in. You can use something like this below but would have to run it against each of your DCs, which you could do using a Foreach loop. Depending on your setup, not sure this would be any easier than manually connecting to each DC and filtering/searching the log.

    # Look back five days; replace DC-name with the domain controller to query
    $startDate = (Get-Date).AddDays(-5)
    Get-WinEvent -ErrorAction SilentlyContinue -ComputerName DC-name -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID=4729; StartTime=$startDate}
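
The per-DC loop described in the replies above, as an added example that is not part of the original posts. It goes beyond the single ID in the thread by also querying 4733 and 4757, the equivalent removal events for domain-local and universal security groups; `Example-Group` and `EXAMPLE-PC01` are constructed placeholder names, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original thread.
# Assumes the ActiveDirectory module (RSAT) and rights to read each DC's Security log.
Import-Module ActiveDirectory

$GroupName    = 'Example-Group'   # placeholder: sAMAccountName of the group
$ComputerName = 'EXAMPLE-PC01'    # placeholder: computer whose removal is being traced
$StartDate    = (Get-Date).AddDays(-5)

# 4729 = member removed from a global security group (the ID used in the thread);
# 4733 / 4757 = the same change on domain-local / universal security groups.
$filter = @{ LogName = 'Security'; Id = 4729, 4733, 4757; StartTime = $StartDate }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No matching events" is also raised as an error; only warn on real failures
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Turn the event's named <Data> fields into a lookup table
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the group; on DCs MemberName normally holds the member's DN
        if ($data['TargetUserName'] -eq $GroupName -and
            $data['MemberName'] -like "CN=$ComputerName,*") {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc.HostName
                EventId     = $e.Id
                Group       = $data['TargetUserName']
                Member      = $data['MemberName']
                RemovedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty result does not prove the removal never happened: the events exist only where group-management auditing was enabled at the time, and only as far back as each DC's Security log retention reaches.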
    
