Query on AD group membership

Glenn Maxwell 10,146 Reputation points
2021-09-17T23:40:42.547+00:00

Hi All

I have an AD security group, let's say group1. I want to export all the members of the group to a CSV file, which I am able to do. But I want to know the date when these members were added to the AD group. How can I get this information?

Get-ADGroupMember -Identity "Group1" -Recursive | Get-ADUser -Properties Title,physicalDeliveryOfficeName,office,Department | Select Name,UserprincipalName,physicalDeliveryOfficeName,Office,Title,Department,SamAccountName,DistinguishedName | Export-CSV -Path C:\temp\output.csv -NoTypeInformation

Accepted answer
  1. Limitless Technology 39,351 Reputation points
    2021-09-20T09:55:26.653+00:00

    Hello,

    Thank you for reaching out.

    If you already have the event log GPO settings enabled and applied, the event logs might save you:

    4728/4729: A member was added/removed to/from a security-enabled global group
    4732/4733: A member was added/removed to/from a security-enabled local group
    4756/4757: A member was added/removed to/from a security-enabled universal group
    4751/4752: A member was added/removed to/from a security-disabled global group (distribution list)
    4746/4747: A member was added/removed to/from a security-disabled local group (distribution list)
    4761/4762: A member was added/removed to/from a security-disabled universal group (distribution list)

    Get-EventLog -LogName Security | Where-Object {($_.EventID -eq 4732) -or ($_.EventID -eq 4733) -or ($_.EventID -eq 4746)} | Select-Object EventID,MachineName,EntryType,Message,InstanceId,TimeGenerated,TimeWritten,UserName | Export-Csv -Path C:\templogs.csv -NoTypeInformation

    Hope this helps.


2 additional answers

Sort by: Most helpful
  1. Rich Matheisen 44,776 Reputation points
    2021-09-18T01:26:08.477+00:00

    It's too late to get that information. You'll have to enable the appropriate auditing to log the changes in the security log and then, provided the log is not so active that it overwrites events, you'll have to extract the information from the security log and (most likely) keep it for some period of time.

    PowerShell can do the extraction, but the auditing is a one-time setup so it's probably easier to just do it by hand. Here's an article that provides the necessary steps to enable the auditing you need: track-and-audit-active-directory-group-membership-changes.html

    2 people found this answer helpful.

  2. Gary Reynolds 9,391 Reputation points
    2021-09-21T12:41:56.22+00:00

    Hi Glenn,

    It is possible to get the details of when group members were added or removed without the need to have auditing enabled before the changes were made. The details of the group changes are also stored in the AD replication data; however, to retrieve this info takes a little more work.

    Take a look at this feature in NetTools which can display the group changes for an individual user https://nettools.net/group-changes/. If you just want to see when members were removed, the AD properties dialog will provide this information under the members tab.

    If you want to see the details of when a member was added to or removed from a group, read the details on how the group changes function works in this post https://nettools.net/how-group-changes-works/. If you open the metadata dialog for the group in question and then use the logic explained in the article, you can get the details on when a member was added or removed.

    Gary.

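The replication-metadata approach Gary describes, scripted with the RSAT ActiveDirectory module, as an added example that is not part of any answer above and not NetTools code. It assumes read access to a domain controller and relies on the per-value metadata that Get-ADReplicationAttributeMetadata returns for the group's member attribute; the version counter logic (odd = currently a member) is the same one the linked NetTools post explains.

```powershell
# Added example: reconstruct add/remove times for an AD group's members from
# the linked-value replication metadata of the "member" attribute.
# Assumes the RSAT ActiveDirectory module; the PDC emulator is queried by default.
Import-Module ActiveDirectory

function Get-GroupMemberHistory {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $Server = (Get-ADDomain).PDCEmulator
    )

    $group = Get-ADGroup -Identity $GroupName -Server $Server

    # -ShowAllLinkedValues returns one record per linked value, including values
    # that were removed but whose metadata has not yet aged out (tombstone lifetime).
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
        -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            # Version counts add/remove transitions for this value:
            # 1 = added, 2 = added then removed, 3 = re-added, ...
            # Odd means the DN is currently a member.
            # Members added before linked-value replication was enabled in the
            # forest carry no per-value metadata and will not appear correctly.
            $isMember = ($_.Version % 2) -eq 1
            [pscustomobject]@{
                Group         = $group.Name
                MemberDN      = $_.AttributeValue
                CurrentMember = $isMember
                FirstAdded    = $_.FirstOriginatingCreateTime
                # Most recent add for a current member; time of removal otherwise.
                LastChange    = $_.LastOriginatingChangeTime
                LastRemoved   = if ($isMember) { $null } else { $_.LastOriginatingDeleteTime }
                ChangeCount   = $_.Version
                OriginatingDC = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        }
}

# Usage mirroring the question's export; newest changes first.
Get-GroupMemberHistory -GroupName 'Group1' |
    Sort-Object LastChange -Descending |
    Export-Csv -Path C:\temp\group1-history.csv -NoTypeInformation
```

Unlike the event-log approach, this works retroactively, but removed members disappear from the metadata once their deleted value is garbage-collected, so it is a complement to auditing rather than a replacement.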