
How to check when member was added to or removed from an AD-group

Every now and then I get the question when a user was added to or removed from an AD group. The solution is to check the replication metadata of the group's member attribute, which the domain controllers keep for every change they replicate.

My favorite way is of course the pure PowerShell way:

$GroupToCheck = "groupName"   # name of the group to inspect
Get-ADReplicationAttributeMetadata (Get-ADGroup $GroupToCheck).DistinguishedName -Server <dcName> -Properties member

AttributeName                                    : member
AttributeValue                                   : CN=xxx,OU=Employees,OU=Accounts,DC=xx,DC=xx,DC=xx
FirstOriginatingCreateTime                       : 2016-12-19 16:10:37
IsLinkValue                                      : True
LastOriginatingChangeDirectoryServerIdentity     : CN=NTDS Settings,CN=xxx,CN=Servers,CN=xxx,CN=Sites,CN=Configuration,DC=xx,DC=xx,DC=xx
LastOriginatingChangeDirectoryServerInvocationId : 3561c9e4-46c1-4904-9d57-a6a901d27108
LastOriginatingChangeTime                        : 2016-12-19 16:10:37
LastOriginatingChangeUsn                         : 88980167
LastOriginatingDeleteTime                        : 1601-01-01 01:00:00
LocalChangeUsn                                   : 67616500
Object                                           : CN=xxx,OU=AD,OU=Groups,DC=xx,DC=xx,DC=xx
Server                                           : xxx.xx.xx.xx
Version                                          : 1

The problem is that you only get the latest change to the attribute (i.e. the most recent add or update of a member).

By using repadmin /showobjmeta you get all the adds and removes, but you do not get the attribute value that was replicated (i.e. you do not see which user it was):

$GroupToCheck = "groupName"   # name of the group to inspect
repadmin /showobjmeta <dcName> (Get-ADGroup $GroupToCheck).DistinguishedName | Select-String member

ABSENT        member 2016-11-04 11:11:59                             xx\xxx 51155098 60398550   2
ABSENT        member 2016-11-25 13:46:09                             xx\xxx 59402629 57733659   2
ABSENT        member 2016-11-25 13:46:09                             xx\xxx 59402626 57733661   2
ABSENT        member 2016-11-25 13:46:09                             xx\xxx 59402625 57733657   2
ABSENT        member 2016-11-25 13:46:09                             xx\xxx 59402627 57733658   2
ABSENT        member 2016-11-25 13:46:09                             xx\xxx 59402628 57733660   2
PRESENT       member 2016-12-19 16:10:37                             xx\xxx 67616499 88980168   1
PRESENT       member 2016-12-19 16:10:37                             xx\xxx 67616500 88980167   1
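
As an added example (not code from the original post), the script below combines the two views: it asks Get-ADReplicationAttributeMetadata for all link values of the member attribute, including removed ones, so every add and remove comes back together with the member's distinguished name. It relies on the cmdlet's -ShowAllLinkedValues switch, which is available in current versions of the ActiveDirectory module. The group name and the domain controller name are placeholders, and the tombstone lifetime used in the comment is the usual default for a forest, not something read from your directory.

```powershell
# Added example: one row per add/remove of a group member, built from the
# replication metadata of the 'member' attribute. Not the original post's code.
Import-Module ActiveDirectory

$GroupToCheck     = "groupName"          # placeholder: group to inspect
$DomainController = "dc01.example.com"   # placeholder: DC to query

$groupDn = (Get-ADGroup -Identity $GroupToCheck -Server $DomainController).DistinguishedName

# Without -ShowAllLinkedValues only the currently present link values are returned.
# With it, removed members are included too; their LastOriginatingDeleteTime is set
# and they stay in the metadata until the tombstone lifetime (default 180 days) expires.
Get-ADReplicationAttributeMetadata -Object $groupDn -Server $DomainController -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    ForEach-Object {
        # AD reports "never deleted" as 1601-01-01, so anything later is a real removal
        $removed = $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime.Year -gt 1601

        # The originating DC is the second RDN of "CN=NTDS Settings,CN=<dc>,CN=Servers,..."
        $originDc = ($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN='

        [pscustomobject]@{
            Member     = $_.AttributeValue              # the user/group DN repadmin did not show
            State      = if ($removed) { 'ABSENT' } else { 'PRESENT' }
            AddedAt    = $_.FirstOriginatingCreateTime
            LastChange = $_.LastOriginatingChangeTime
            RemovedAt  = if ($removed) { $_.LastOriginatingDeleteTime } else { $null }
            Version    = $_.Version                     # 1 = added once; 2 = added then removed, etc.
            OriginDC   = $originDc                      # where the change was made, not who made it
        }
    } |
    Sort-Object LastChange |
    Format-Table -AutoSize
```

Two things to keep in mind when you use this for an investigation. The metadata tells you when a membership changed and on which domain controller the change originated, but never who made it; for that you need the Security log of the originating DC, where group membership changes are recorded as events 4728/4729 (global groups), 4732/4733 (domain local groups) and 4756/4757 (universal groups), provided the "Audit Security Group Management" subcategory is enabled. And because removed link values are only kept for the tombstone lifetime, a removal older than that will not show up at all, so export the output if you need to keep a record.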

Andreas Selevik

Solution Architect specialized in Windows & Azure Architecture, Office 365, PowerShell, Identity management and automation. Manchester United fanatic, father, husband and a very good winner.