0 Votes
GlennMaxwell-2309 asked GaryReynolds-8098 answered

Query on AD group membership

Hi All,

I have an AD security group, let's say Group1. I want to export all the members of the group to a CSV file, which I am able to do. But I want to know the date when these members were added to the AD group. How can I get this information?

 Get-ADGroupMember -Identity "Group1" -Recursive | Get-ADUser -Properties Title,physicalDeliveryOfficeName,office,Department | Select Name,UserprincipalName,physicalDeliveryOfficeName,Office,Title,Department,SamAccountName,DistinguishedName | Export-CSV -Path C:\temp\output.csv -NoTypeInformation

0 Votes
LimitlessTechnology-2700 answered

Hello,

Thank you for reaching out.

If you have already enabled and applied the event log GPO settings, the event logs might save you.

4728/4729 > A member was added/removed to/from a security-enabled global group
4732/4733 > A member was added/removed to/from a security-enabled local group
4756/4757 > A member was added/removed to/from a security-enabled universal group
4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

 Get-EventLog -LogName Security | Where-Object {($_.EventID -eq 4732) -or ($_.EventID -eq 4733) -or ($_.EventID -eq 4746)} | Select-Object EventID,MachineName,EntryType,Message,InstanceId,TimeGenerated,UserName | Export-Csv -Path C:\templogs.csv

Hope this helps.


2 Votes
RichMatheisen-8856 answered RichMatheisen-8856 edited

It's too late to get that information. You'll have to enable the appropriate auditing to log the changes in the security log and then, provided the log is not so active that it doesn't overwrite events, you'll have to extract the information from the security log and (most likely) keep it for some period of time.

PowerShell can do the extraction, but the auditing is a one-time setup so it's probably easier to just do it by hand. Here's an article that provides the necessary steps to enable the auditing you need: track-and-audit-active-directory-group-membership-changes.html



0 Votes
GaryReynolds-8098 answered

Hi Glenn,

It is possible to get the details of when group members were added or removed without the need to have auditing enabled before the changes were made. The details on the group changes are also stored in the AD replication data; however, retrieving this info takes a little more work.

Take a look at this feature in NetTools which can display the group changes for an individual user https://nettools.net/group-changes/. If you just want to see when members were removed, the AD properties dialog will provide this information under the members tab.

If you want to see the details of when a member was added or removed from a group, read the details on how the group changes function works in this post: https://nettools.net/how-group-changes-works/. If you open the meta data dialog for the group in question and then use the logic explained in the article, you can get the details on when a member was added or removed.

Gary.
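
The replication-metadata approach described in the answer above can also be scripted with the ActiveDirectory module's Get-ADReplicationAttributeMetadata cmdlet, which returns one record per linked member value. This is an added example, not code from the thread or from NetTools; the function names, the sample record and the CSV path are assumptions made for illustration.

```powershell
# Added example (not from the thread). The live query needs the ActiveDirectory
# module; the interpretation step is a separate function so it can be tried on
# the constructed record below without a domain.
function ConvertTo-MembershipRecord {
    param([Parameter(ValueFromPipeline)] $Metadata)
    process {
        if ($Metadata.AttributeName -ne 'member') { return }
        # A delete time at the FILETIME epoch (year 1601, or 1600 after
        # time-zone conversion) means the link has not been removed.
        $removed = $Metadata.LastOriginatingDeleteTime.Year -gt 1601
        [pscustomobject]@{
            Member      = $Metadata.AttributeValue
            State       = if ($removed) { 'Removed' } else { 'Present' }
            FirstAdded  = $Metadata.FirstOriginatingCreateTime
            LastChanged = $Metadata.LastOriginatingChangeTime
            RemovedOn   = if ($removed) { $Metadata.LastOriginatingDeleteTime } else { $null }
            Version     = $Metadata.Version
        }
    }
}

function Get-GroupMemberAddDate {
    param([Parameter(Mandatory)] [string] $GroupName,
          [string] $Server = (Get-ADDomainController).HostName)
    $dn = (Get-ADGroup -Identity $GroupName -Server $Server).DistinguishedName
    # -ShowAllLinkedValues: one metadata record per member DN, not one per attribute.
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -ShowAllLinkedValues |
        ConvertTo-MembershipRecord
}

# Constructed sample record (illustrative values only, not real directory data):
$sample = [pscustomobject]@{
    AttributeName              = 'member'
    AttributeValue             = 'CN=Example User,OU=Staff,DC=example,DC=test'
    FirstOriginatingCreateTime = [datetime]'2021-03-04 09:15:00'
    LastOriginatingChangeTime  = [datetime]'2021-03-04 09:15:00'
    LastOriginatingDeleteTime  = [datetime]'1601-01-01'
    Version                    = 1
}
$sample | ConvertTo-MembershipRecord

# Live use against the group from the question (output path is an assumption):
# Get-GroupMemberAddDate -GroupName 'Group1' |
#     Export-Csv -Path C:\temp\group1-history.csv -NoTypeInformation
```

Only direct members are covered, so nested groups (the -Recursive case in the question) need the function run once per nested group. Members added before linked-value replication was enabled (forest functional level below Windows Server 2003) carry no per-value metadata and will not appear.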
