When a computer was removed from a group

This topic contains 2 replies, has 3 voices, and was last updated by Participant 3 years, 2 months ago.

  • #30569

    Participant
    Points: 0
    Rank: Member

    Hello guys, is there any way I can use PowerShell to get the history of when an AD computer was removed from a specific group?

  • #30570

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    It's likely this information would only be available in the Security Event Log, and only if you're auditing that event on those group objects. If you are, you could use Get-EventLog to scan the log, although you'd need to do so on every DC where the change could possibly have been made.

  • #30580

    Participant
    Points: 0
    Rank: Member

    I'm sure Don's correct. You could only track it down through the 4729 events on your DCs. Get-WinEvent often seems to be a bit quicker for this type of task. Just finished working on something similar when I saw this post so thought I'd chime in. You can use something like this below but would have to run it against each of your DCs, which you could do using a Foreach loop. Depending on your setup, not sure this would be any easier than manually connecting to each DC and filtering/searching the log.

    # Look back five days
    $startDate = (Get-Date).AddDays(-5)
    # Replace DC-name with the domain controller to query
    Get-WinEvent -ErrorAction SilentlyContinue -ComputerName DC-name -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID=4729; StartTime=$startDate}
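
One way to run the query above against every DC and narrow it to a single group, as an added example that is not code from any post in this thread. It assumes the ActiveDirectory module is available and that group-management auditing is enabled, uses a made-up group name, and goes beyond the 4729 event mentioned above by also covering the domain local and universal equivalents (4733, 4757).

```powershell
# Added example: collect group-membership removal events from every DC.
# Assumes the ActiveDirectory module (RSAT) and rights to read each DC's Security log.
Import-Module ActiveDirectory

function Get-GroupRemovalEvent {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # sAMAccountName of the group
        [int] $Days = 5,
        [string[]] $DomainController = (Get-ADDomainController -Filter *).HostName
    )

    $filter = @{
        LogName   = 'Security'
        # Member removed from a security-enabled global / domain local / universal group
        Id        = 4729, 4733, 4757
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent also throws when nothing matches; report it and try the next DC
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $events) {
            # Turn the <EventData> name/value pairs into a lookup table
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetUserName'] -ne $GroupName) { continue }

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                DC          = $dc
                EventId     = $evt.Id
                Group       = $data['TargetUserName']
                Member      = $data['MemberName']   # typically the removed account's distinguished name
                RemovedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# 'VPN-Workstations' is a made-up group name used for illustration
Get-GroupRemovalEvent -GroupName 'VPN-Workstations' -Days 30 | Sort-Object TimeCreated
```

The results reach back only as far as each DC's Security log retains events, so a removal older than the log's rollover point will not appear.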
    
