On Windows PowerShell and other admin-related topics

Active Directory group membership modifications report

Based on customer needs I`ve created a Windows PowerShell script to report Active Directory group membership modifications. The script are uploaded to PoshCode and available from here.

In Windows 2000 Server and Windows Server 2003, the following security event IDs were valid for group membership changes:

Scope Member added Member removed
Local 636 637
Global 632 633
Universal 660 661

In Windows Server 2008 and Windows Server 2008 R2 the security event IDs changed:

Scope Member added Member removed
Local 4732 4733
Global 4728 4729
Universal 4756 4757

Source for 2000/2003 event IDs.
Source for 2008/2008 R2 event IDs.

Group membership auditing are enabled by default from Windows 2000 Server to Windows Server 2008 R2, so there are no need change any auditing settings to accomplish this.
I`ve added event ID`s for both 2000/2003 and 2008/2008 R2 to the script to cover all event ID`s currently available.
Group membership changes are logged to the Security eventlog on the domain controller the modification was run against. Because of this the script are set up to get all domain controllers in the current domain and loop through the security eventlog on each of them, searching for the relevant event ID`s described in the table above.

The script are based on Alan Renouf`s Daily Report script for PowerCLI.

The “isWithin”-function are taken from Jeffrey Snover`s blog-post regarding DateTime Utility Functions.

Preview of the HTML-report the script will generate:


A tip would be to run the script as a scheduled task e.g. once a day, and store the file in a central location.

For those of you interested in Active Directory auditing I would recommend you to have a look at the AD DS Auditing Step-by-Step Guide on Microsoft TechNet.
Personally I think the new “directory service changes” category are very useful, which allows us to see both the old and new values on modified Active Directory user objects.


October 11, 2009 - Posted by | Active Directory management, Auditing, Scripting, Windows PowerShell |


  1. There is no at the moment on Poshcode site. The latest is (Get-Hostname).

    Comment by Aleksandar | October 12, 2009 | Reply

  2. […] Active Directory group membership modifications report « Jan Egil … […]

    Pingback by OldCmp Active Directory Reporting Tool | December 14, 2009 | Reply

  3. I’m always searching for brandnew infos in the world wide web about this theme. Thanks!

    Comment by Eldenolla | January 2, 2010 | Reply

  4. Jan,
    A useful reporting script, just the sort of thing I was looking for and saved me a lot of work re-inventing the wheel! 🙂

    I was looking at it and it can be made more efficient if you assign the ‘get-eventlog’ to a variable and query that each time rather than using ‘get-eventlog’ three times.

    From line 161 …
    foreach ($domaincontroller in $domaincontrollers){
    $x = Get-EventLog -LogName ‘Security’ -ComputerName $domaincontroller -After ((Get-Date).AddDays(-1))

    This will find all event logs in the last day using the ‘-After’ option of hte Get-EvenLog cmdlet.

    You can then use this variable to find the events you are after, not needing the isWithin function as we have the timeframe already defined …

    $MyReport += Get-HTMLTable ($x | Where-Object {$_.EventID -eq “636” -or $_.EventID -eq “4732”} | select TimeGenerated,Message )

    By doing this, we only run ‘Get-Evenlog’ once against each DC instead of 6 times and so the job is much quicker.

    I hope you find this helpful 🙂

    Comment by HappyBlue | March 30, 2010 | Reply

  5. Thanks for the suggested enhancement, I`ve uploaded a new version of the script here:

    Comment by Jan Egil Ring | April 29, 2010 | Reply

  6. […] Active Directory group membership modifications report « Jan Egil … VN:F [1.7.9_1023]please wait…Rating: 0.0/5 (0 votes cast) […]

    Pingback by OldCmp Active Directory Reporting Tool | May 5, 2010 | Reply

  7. Do we have any updated version here ??

    Comment by sayoviovi | January 24, 2012 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: