October 8, 2015 at 12:16 pm

Hello guys, is there any way I can use PowerShell to get the history when an AD computer was removed from a specific group?

October 8, 2015 at 12:19 pm

It's likely this information would only be available in the Security Event Log, and only if you're auditing that event on those group objects. If you are, you could use Get-EventLog to scan the log, although you'd need to do so on every DC where the change could possibly have been made.

October 8, 2015 at 5:17 pm

I'm sure Don's correct. You could only track it down through the 4729 events on your DCs. Get-WinEvent often seems to be a bit quicker for this type of task. Just finished working on something similar when I saw this post so thought I'd chime in. You can use something like this below but would have to run it against each of your DCs, which you could do using a Foreach loop. Depending on your setup, not sure this would be any easier than manually connecting to each DC and filtering/searching the log.

# Look back five days
$startDate = (Get-Date).AddDays(-5)
# Replace DC-name with the domain controller to query
Get-WinEvent -ErrorAction SilentlyContinue -ComputerName DC-name -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID=4729; StartTime=$startDate}
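
The per-DC loop described in the thread above, as an added example that is not part of the original posts: it queries every domain controller, parses each event's XML, and reports who removed a given computer from a given group. It goes beyond the post by also matching events 4733 and 4757 (removals from domain local and universal groups). It assumes the ActiveDirectory module is installed, security group management auditing is enabled on the DCs, and the group and computer names are placeholders.

```powershell
# Added example. Example-Group and EXAMPLE-PC01 are placeholder names.
Import-Module ActiveDirectory

$groupName    = 'Example-Group'   # placeholder: group to inspect
$computerName = 'EXAMPLE-PC01'    # placeholder: computer account name, no trailing $
$startDate    = (Get-Date).AddDays(-5)

# Member-removed events: 4729 = global, 4733 = domain local, 4757 = universal
$filter = @{
    LogName   = 'Security'
    Id        = 4729, 4733, 4757
    StartTime = $startDate
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Raised for an unreachable DC and also when a DC has no matching events
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($evt in $events) {
        # Turn the event's named EventData fields into a lookup table
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # TargetUserName is the group; MemberName is the removed member's DN
        if ($data['TargetUserName'] -ne $groupName) { continue }
        if ($data['MemberName'] -notlike "CN=$computerName,*") { continue }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            DC          = $dc.HostName
            EventId     = $evt.Id
            Group       = $data['TargetUserName']
            Member      = $data['MemberName']
            RemovedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The change is recorded only on the DC that processed it, and only for as long as that DC's Security log retains the event, so an empty result does not prove no removal happened.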