Track AD Group membership changes

  • Last Post 03 May 2016
sampathmanova posted this 30 April 2016

Hi all,
I am looking for a script (VB / PowerShell) which has to write a CSV file whenever there is a group membership addition and/or removal in AD. I have been trying to get this in place to track group membership, so any help please?
Best Regards, Sam

Zoran posted this 30 April 2016

If you use SCOM, you can create a monitor to look for the group management security events on DCs and create a task to fire up a script or a report on an alert.



g4ugm posted this 30 April 2016

Given the minimal detail provided, I suspect my reply might fall on deaf ears. However, looking at AD, the first issuette is that group membership may be maintained in two ways. So if a group was created on a Windows 2000 functional level domain, then the group membership is replicated as a single blob. So we can detect that membership has changed, but we have no previous value. If the domain is at Server 2003 functional level and the group was created (or emptied) after that switch, then membership is changed by replicating the back-linked values, i.e. the "member of" attributes of the objects that are members of the groups. How AD replication knows this I have no idea, so how to create a script to do this, again no idea. Googling Active Directory Linked Value Replication pops up links to more info. E.g.

A second challenge is that group membership may be nested. So membership of critical groups may be changed indirectly, by adding someone to a group that's a member of another group. I will ignore this for now.

Given the above two items, if it's a small site it might be simplest to write a script that enumerates group membership, keeps two copies of the output and uses a difference tool such as DIFF to report the changes.

I guess the other alternative is to:-

1. Set up a group policy on the DCs so that group membership changes are recorded to the Event Logs. If you are a small site and you make the security event logs large, then they may roll over slowly enough to run a scheduled PowerShell script, say every hour, that reports the changes as they happen. There is a sample script for that here:-

2. If you are a medium site, or if something nasty happens, then the volume of events may be such that your security event logs may roll over so quickly that it's hard to capture these events reliably. In this case you can set up a scheduled task that's triggered by the relevant events and runs a PowerShell script to extract the events and report on them. I believe this is what SCOM and other SIEMs do under the covers.

There is more info on AD monitoring here:-

Hope this is helpful,
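Since the sample script link in the reply above did not survive, here is an added example (not from the thread or from the poster) of the event-log route in point 1: it pulls the Security Group Management events from every DC since the previous run and appends them to a CSV. It assumes the RSAT ActiveDirectory module, remote read access to each DC's Security log, and that the audit subcategory is enabled; the output and state file paths are placeholders. Changes are only logged on the DC that processed them, which is why it has to ask every DC.

```powershell
# Added example (not from the thread). Pulls Security Group Management events from every
# DC since the last run and appends them to a CSV. Assumes the RSAT ActiveDirectory
# module, rights to read the Security log on each DC, and that the subcategory is on:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
# Output and state paths are placeholders.
param(
    [string]$OutFile   = 'C:\Audit\GroupChanges.csv',
    [string]$StateFile = 'C:\Audit\GroupChanges.state.csv'
)
Import-Module ActiveDirectory

# 4728/4729 global, 4732/4733 domain local, 4756/4757 universal (member added / removed)
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757

# Per-DC high-water mark so each run only asks for events newer than the last one it saw
$lastSeen = @{}
if (Test-Path $StateFile) {
    Import-Csv $StateFile | ForEach-Object { $lastSeen[$_.DC] = [datetime]$_.LastSeen }
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $queryStart = Get-Date   # taken before the query so nothing logged meanwhile is skipped next run
    $since = if ($lastSeen.ContainsKey($dc)) { $lastSeen[$dc] } else { $queryStart.AddHours(-1) }
    $filter = @{ LogName = 'Security'; Id = ($addIds + $removeIds); StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; any other error keeps the old
        # high-water mark so the DC is retried from the same point next run
        if ($_.Exception.Message -match 'No events were found') { $events = @() }
        else { Write-Warning "${dc}: $_"; continue }
    }
    foreach ($e in $events) {
        # The event XML carries the fields by name: TargetUserName is the group,
        # MemberName the DN that was added or removed, Subject* the account that did it
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Change    = if ($e.Id -in $addIds) { 'Added' } else { 'Removed' }
            Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Member    = $data.MemberName      # '-' when the DN could not be resolved at audit time
            MemberSid = $data.MemberSid
            Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        }
    }
    $lastSeen[$dc] = $queryStart
}

if ($rows) { $rows | Sort-Object Time | Export-Csv $OutFile -NoTypeInformation -Append }
$lastSeen.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ DC = $_.Key; LastSeen = $_.Value.ToString('o') } } |
    Export-Csv $StateFile -NoTypeInformation
```

Run it from a scheduled task more often than the fastest log rolls over. The high-water mark uses the collector's clock against the DC's TimeCreated, so a DC whose clock is ahead can hand back an event twice; dedupe on DC plus EventRecordID if that matters. Nested changes show up as an event for the nested group, not for the group it ultimately affects, which is the second problem the reply describes.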



sampathmanova posted this 01 May 2016

Thank you for sharing!
Actually, I do not have SCOM in my environment, so I need to automate via a PowerShell script, and I see some script in the replies, so I will try. Meanwhile, I am happy to welcome any more comments or options on this subject.


g4ugm posted this 01 May 2016

Sam, how big is your environment? How many DCs? How long does it take for a security event log to roll over?
Dave


rwf4 posted this 03 May 2016

In the absence of a 3rd party product along the lines of Change Auditor / Netwrix / StealthAudit, a SIEM or SCOM, I'd consider native audit and event forwarding. Forward the events and process them as you will on the collector.

Couple of random links to give you some food for thought. The latter leads to a lot more links with info on the concept.






Rajeev Chauhan posted this 03 May 2016

You can use repadmin /showobjmeta or the PowerShell version Get-ADReplicationAttributeMetadata for group changes.
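An added example of the replication-metadata route just mentioned (this is not the poster's code): with -ShowAllLinkedValues the cmdlet returns one metadata entry per link value of the member attribute, so for a linked-value-replicated group you get each member's add time, last change time, the DC the change originated on and, for removed members, the delete time. It assumes the RSAT ActiveDirectory module; the group name and output path are placeholders.

```powershell
# Added example (not from the thread): per-value replication metadata for a group's member
# attribute, i.e. the scriptable equivalent of "repadmin /showobjmeta". Assumes the RSAT
# ActiveDirectory module; the group name and output path are placeholders.
Import-Module ActiveDirectory

function Get-GroupMemberHistory {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server = (Get-ADDomain).PDCEmulator   # any DC with a writable copy will do
    )
    $group = Get-ADGroup -Identity $GroupName

    # -ShowAllLinkedValues returns one entry per link value (present or tombstoned) for
    # LVR groups. A group still replicating "member" as a single blob (created before the
    # forest moved to 2003 functional level and never emptied) yields one non-link entry.
    $meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
                -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' }

    if ($meta | Where-Object { -not $_.IsLinkValue }) {
        Write-Warning "$GroupName is not link-value replicated: only 'member changed' and the current list are knowable."
    }

    foreach ($m in ($meta | Where-Object { $_.IsLinkValue })) {
        # Removed values keep their metadata (with a delete time) until the tombstone
        # lifetime expires; present values have no meaningful delete time (null or 1601).
        $removed = $m.LastOriginatingDeleteTime -and $m.LastOriginatingDeleteTime.Year -gt 1601
        [pscustomobject]@{
            Group      = $GroupName
            Member     = $m.AttributeValue
            State      = if ($removed) { 'Removed' } else { 'Present' }
            FirstAdded = $m.FirstOriginatingCreateTime
            LastChange = $m.LastOriginatingChangeTime
            RemovedAt  = if ($removed) { $m.LastOriginatingDeleteTime } else { $null }
            OriginDC   = $m.LastOriginatingChangeDirectoryServerIdentity
            Version    = $m.Version   # bumps on every add/remove of this value
        }
    }
}

Get-GroupMemberHistory -GroupName 'Domain Admins' |
    Sort-Object LastChange -Descending |
    Export-Csv 'C:\Audit\DomainAdmins-history.csv' -NoTypeInformation
```

This needs no audit policy and works after the fact, which makes it useful during an investigation, but it only tells you when and on which DC a membership changed, not which account made the change; for that you still need the 47xx security events from the originating DC. Removed entries age out with the tombstone lifetime, and for a group that is still blob-replicated the metadata only shows that the attribute changed.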


gkirkpatrick posted this 03 May 2016

How real-time does the change tracking need to be? If you just need a daily or weekly report of changes, the simplest thing is to schedule a PoSh script to run periodically, capture (recursively) the current membership information and compare it to the previous version. This has the advantage of being easy and doesn't require any configuration on the DCs. The downside is that you can miss changes, e.g. someone can add a name to a group and then remove it, and it won't show up in your report.

If you need something that actually captures every change, there are a couple of approaches:

Third-party products like ChangeAuditor from Dell that install software on each DC. These work really well for all sorts of auditing and monitoring requirements, but cost money and require some care and feeding.

Scraping the event logs for every DC and looking for group membership changes. Depending on the activity on your DCs, this can be workable, and there are lots of free and pay-for tools to simplify the task. The downside is the performance impact of turning up the event log messages, and the maintenance of what can be a large database of event information.

Create a process that syncs with a DC using the DIRSYNC LDAP control and looks for changes that you care about and reports on them in some way. There may be third-party products that work this way. If not, it is a bit of a programming exercise.

Subscribe to the relevant ETL events from each DC. When I tried this in WS2008 it turned out to not be very reliable (multi-processor DCs would hang on shutdown), but I expect that that has been fixed in later versions.
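The periodic snapshot-and-compare approach that both Dave ("two copies and DIFF") and this post describe, written out as an added example that is not part of either post. It walks the member attribute itself rather than using Get-ADGroupMember -Recursive so that every leaf carries the nesting path it was reached through, which is what makes an indirect change to a critical group visible. It assumes the RSAT ActiveDirectory module; the watch list and the snapshot directory are placeholders.

```powershell
# Added example (not from the thread): snapshot the effective (nested) membership of a
# watch list of groups, diff it against the previous snapshot, append changes to a CSV.
# Assumes the RSAT ActiveDirectory module; the group list and paths are placeholders.
param(
    [string[]]$Groups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string]  $SnapshotDir = 'C:\Audit\Snapshots'
)
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    # Walks the member attribute so each leaf carries the nesting path ("Via") it came through.
    param([string]$GroupDn, [string]$Path = '', [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDn)) { return }      # guard against A-in-B-in-A loops
    $Seen[$GroupDn] = $true
    $g = Get-ADGroup -Identity $GroupDn -Properties member
    $here = if ($Path) { "$Path > $($g.Name)" } else { $g.Name }
    foreach ($dn in $g.member) {
        $isGroup = $false
        try { $isGroup = (Get-ADObject -Identity $dn).ObjectClass -eq 'group' }
        catch { }   # members from other domains / foreign security principals are reported as leaves
        if ($isGroup) { Get-EffectiveMembers -GroupDn $dn -Path $here -Seen $Seen }
        else { [pscustomobject]@{ Member = $dn; Via = $here } }
    }
}

function Compare-Membership {
    # Keys rows on Group|Member, so a member that merely moved between nested paths is
    # not reported; Via is carried along for context. Handles an empty side cleanly.
    param($Previous, $Current, [datetime]$When)
    $old = @{}; foreach ($r in @($Previous)) { if ($r) { $old["$($r.Group)|$($r.Member)"] = $r } }
    $new = @{}; foreach ($r in @($Current))  { if ($r) { $new["$($r.Group)|$($r.Member)"] = $r } }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            [pscustomobject]@{ Time = $When; Change = 'Added';   Group = $new[$k].Group; Member = $new[$k].Member; Via = $new[$k].Via }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            [pscustomobject]@{ Time = $When; Change = 'Removed'; Group = $old[$k].Group; Member = $old[$k].Member; Via = $old[$k].Via }
        }
    }
}

$now = Get-Date
if (-not (Test-Path $SnapshotDir)) { New-Item -ItemType Directory -Path $SnapshotDir | Out-Null }

$current = foreach ($name in $Groups) {
    $top = Get-ADGroup -Identity $name
    Get-EffectiveMembers -GroupDn $top.DistinguishedName |
        ForEach-Object { [pscustomobject]@{ Group = $name; Member = $_.Member; Via = $_.Via } }
}
$current = @($current | Sort-Object Group, Member, Via -Unique)

$latest = Get-ChildItem $SnapshotDir -Filter 'snapshot-*.csv' | Sort-Object Name | Select-Object -Last 1
if ($latest) {
    $previous = Import-Csv $latest.FullName
    $changes  = Compare-Membership -Previous $previous -Current $current -When $now
    if ($changes) {
        $changes | Sort-Object Group, Change, Member |
            Export-Csv (Join-Path $SnapshotDir 'changes.csv') -NoTypeInformation -Append
    }
}
$current | Export-Csv (Join-Path $SnapshotDir ('snapshot-{0:yyyyMMdd-HHmmss}.csv' -f $now)) -NoTypeInformation
```

The limitation the post names is inherent: an add-then-remove between two runs is invisible, and so is who made the change. It is the right tool for a scheduled report on a small, fixed watch list, and it catches the nested case that per-group audit events do not show directly.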






sampathmanova posted this 03 May 2016

Hi Dave
We have 50,000 users and 60+ DCs. Some DCs have 2 hours of logs and many of the servers have 4 hours of logs.


g4ugm posted this 03 May 2016

In that case you need to capture the events as they happen. As they can happen on any DC, then event forwarding as others have noted; I think I would be looking at a proper log gathering tool or SIEM for an environment this size.
Dave
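Dave's point that a change can originate on any of the 60+ DCs is what makes the DIRSYNC approach gkirkpatrick listed attractive: one poll against a single DC sees every group change once it has replicated in, regardless of which DC processed it, with no audit policy and no per-DC log collection. The following is an added example of that approach and is not code from either poster. It uses the .NET System.DirectoryServices DirectorySynchronization (DirSync) control; it assumes the account holds the "Replicating Directory Changes" right on the domain naming context, that the DC name and file paths are placeholders, and that, with the IncrementalValues option, AD returns added link values under member;range=1-1 and removed ones under member;range=0-0 (an assumption this example relies on; a plain member attribute is treated as a full current list).

```powershell
# Added example (not from the thread): poll one DC with the LDAP DirSync control and
# report member changes for all groups in the domain. Assumes "Replicating Directory
# Changes" on the domain NC; the DC name and file paths are placeholders.
param(
    [string]$Server     = 'dc01.corp.example.com',
    [string]$CookieFile = 'C:\Audit\dirsync.cookie',
    [string]$OutFile    = 'C:\Audit\GroupChanges-dirsync.csv'
)
Add-Type -AssemblyName System.DirectoryServices

# DirSync searches must be rooted at the head of a naming context, so resolve it
$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
$ncDn    = $rootDse.Properties['defaultNamingContext'][0]
$base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ncDn")

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter      = '(objectClass=group)'
$searcher.SearchScope = 'Subtree'
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'member'))

# IncrementalValues: for linked attributes return only the values that changed,
# as member;range=1-1 (added) / member;range=0-0 (removed), not the whole list.
$opts     = [System.DirectoryServices.DirectorySynchronizationOptions]::IncrementalValues
$firstRun = -not (Test-Path $CookieFile)
$sync = if ($firstRun) {
    New-Object System.DirectoryServices.DirectorySynchronization($opts)          # baseline: everything
} else {
    New-Object System.DirectoryServices.DirectorySynchronization($opts, [System.IO.File]::ReadAllBytes($CookieFile))
}
$searcher.DirectorySynchronization = $sync

$now     = Get-Date
$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        $dn = if ($r.Properties['distinguishedname'].Count) { $r.Properties['distinguishedname'][0] }
              else { $r.Path -replace '^LDAP://[^/]+/', '' }
        foreach ($key in $r.Properties.PropertyNames) {
            $action = switch -Regex ($key) {
                '^member;range=1-1$' { 'Added' }
                '^member;range=0-0$' { 'Removed' }
                '^member$'           { 'Current' }   # whole list, e.g. a group still replicated as a blob
                default              { $null }
            }
            if ($firstRun -and $action) { $action = 'Baseline' }
            if ($action) {
                foreach ($m in $r.Properties[$key]) {
                    [pscustomobject]@{ Time = $now; Change = $action; Group = $dn; Member = $m }
                }
            }
        }
    }
} finally { $results.Dispose() }

if ($rows) { $rows | Export-Csv $OutFile -NoTypeInformation -Append }
# The cookie is the server's replication state after this search; save it only after a
# successful run so the next poll continues from exactly here
[System.IO.File]::WriteAllBytes($CookieFile, $sync.GetDirectorySynchronizationCookie())
```

Keep polling the same DC with the saved cookie and schedule it a little more often than your replication latency so nothing ages out in between. Like the replication-metadata route, this shows what changed and when it reached the polled DC, but not which account made the change; pair it with the 47xx security events (forwarded from the DCs, as rwf4 suggested) when you need the actor, and note that a polling interval can still miss an add-then-remove that both replicated in before the poll.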