When a computer was removed from a group

This topic contains 2 replies, has 3 voices, and was last updated by Tim E Lane 1 year ago.

  • Author
  • #30569
    Partho Sankar Roy

    Hello guys, is there any way I can use PowerShell to get the history of when an AD computer was removed from a specific group?

  • #30570
    Don Jones

    It's likely this information would only be available in the Security Event Log, and only if you're auditing that event on those group objects. If you are, you could use Get-EventLog to scan the log, although you'd need to do so on every DC where the change could possibly have been made.

  • #30580
    Tim E Lane

    I'm sure Don's correct. You could only track it down through the 4729 events on your DCs. Get-WinEvent often seems to be a bit quicker for this type of task. Just finished working on something similar when I saw this post so thought I'd chime in. You can use something like this below but would have to run it against each of your DCs, which you could do using a Foreach loop. Depending on your setup, not sure this would be any easier than manually connecting to each DC and filtering/searching the log.

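    # Look back five days from now
    $startDate = (Get-Date).AddDays(-5)
    # Query event ID 4729 on one DC; replace DC-name with the domain controller's name
    Get-WinEvent -ErrorAction SilentlyContinue -ComputerName DC-name -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID=4729; StartTime=$startDate}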
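
The per-DC loop described in the replies above, written out as an added example (not code from any poster in this thread). The function name `Get-GroupMemberRemoval`, the group `Example-Group` and the computer `PC01` are placeholders; it assumes the ActiveDirectory module is installed and that group-membership auditing is enabled, and it goes beyond the post by also querying 4733 and 4757, the member-removed events for domain local and universal security groups.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and permission to read
# the Security log on every DC. Group and computer names are placeholders.
Import-Module ActiveDirectory

function Get-GroupMemberRemoval {
    param(
        [Parameter(Mandatory)] [string] $GroupName,        # sAMAccountName of the group
        [string]   $ComputerName,                           # optional: only this member
        [datetime] $StartTime = (Get-Date).AddDays(-5),
        [int[]]    $EventId   = @(4729, 4733, 4757)         # global, domain local, universal
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $StartTime }

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events found" also lands here; warn so an unreachable DC is not silently skipped
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.TargetUserName -ne $GroupName) { continue }
            # MemberName holds the distinguished name of the removed object
            if ($ComputerName -and $data.MemberName -notlike "CN=$ComputerName,*") { continue }

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc.HostName
                EventId     = $e.Id
                Group       = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Member      = $data.MemberName
                RemovedBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }
        }
    }
}

Get-GroupMemberRemoval -GroupName 'Example-Group' -ComputerName 'PC01' | Sort-Object TimeCreated
```

The Security log on each DC only reaches back as far as its retention settings allow, so an empty result for an older removal does not show that no removal happened.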
