Find out what group membership a user had in the past

active-directory

I am trying to find out what groups membership a user has had in the past in Active Directory, and who removed/added that user from those groups?

Any help would be awesome!

Best Answer

If you already have user auditing turned on in your domain then you should be able to search the event logs to see when members were removed from specific groups.

The following link should point you in the right direction it lists the common event id's for what you are looking for:

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html

Related Solutions

Windows – Command line to list users in a Windows Active Directory group

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Ldap – How to figure out the LDAP connection string

The ASP.NET Active Directory Membership Provider does an authenticated bind to the Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name, and the fully-qualified path of the container object where the user specified is located.

The connection string begins with the URI LDAP://.

For the server name, you can use the name of a domain controller in that domain-- let's say "dc1.corp.domain.com". That gives us LDAP://dc1.corp.domain.com/ thusfar.

The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be: CN=Users,DC=corp,DC=domain,DC=com. If the user you're binding with is in an OU, instead of a container, the path would include "OU=ou-name".

So, using an account in an OU named Service Accounts that's a sub-OU of an OU named Corp Objects that's a sub-OU of a domain named corp.domain.com would have a fully-qualified path of OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com.

Combine the LDAP://dc1.corp.domain.com/ with the fully qualified path to the container where the binding user is located (like, say, LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com) and you've got your "connection string".

(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but the name happens to resolve to, say, a DC in a remote location with spotty network connectivity then you may have problems with the membership provider working.)

Best Answer

Related Solutions

Windows – Command line to list users in a Windows Active Directory group

Ldap – How to figure out the LDAP connection string

Related Topic