PowerShell Script: Get-ADObject to retrieve a simple Active Directory audit

Someone (maybe even you) has deleted a user or an OU. Now you are tasked with finding out who did it, and you probably need to get the deleted object back as well.

As far as the script goes: we first set the date from which we want to check AD for changed objects. I like to start with Get-ADObject -Filter 'whenChanged -gt $Date' | Group-Object objectClass, which gives a count per object class (users, groups, group policy containers, OUs and so on), so you see at a glance what kind of object was touched. Keep in mind that whenChanged is not replicated: every domain controller maintains it independently, so query the DC that the change was made on, or check more than one DC.

Now we can pipe the result through Select-Object to narrow it down to the attributes we care about.

# Start date for the search; the [datetime] cast parses this string with the invariant culture (month/day/year)
$Date = [datetime]"3/19/2017"

# Optional first pass: count the changed objects per class to see what kind of object was touched
# Get-ADObject -Filter 'whenChanged -gt $Date' | Group-Object objectClass

# Request only the attributes we display instead of -Properties * (much cheaper on a large directory)
Get-ADObject -Filter 'whenChanged -gt $Date' -Properties sAMAccountName, whenChanged, whenCreated |
    Select-Object Name, sAMAccountName, whenChanged, whenCreated | Format-Table -AutoSize

We can also add the -IncludeDeletedObjects switch so the same query returns deleted objects. Without the AD Recycle Bin a deleted object is only a tombstone: most attributes are stripped, it is moved to the Deleted Objects container and its name becomes the old name followed by \0ADEL:<objectGUID>. With the Recycle Bin enabled the object keeps all of its attributes and can be brought back with Restore-ADObject.

# Same query, now including tombstones and recycled objects; isDeleted limits the output to the deleted ones
# and lastKnownParent shows which container the object was removed from
Get-ADObject -Filter 'isDeleted -eq $true -and whenChanged -gt $Date' -IncludeDeletedObjects `
    -Properties sAMAccountName, whenChanged, whenCreated, lastKnownParent |
    Select-Object Name, sAMAccountName, whenChanged, whenCreated, lastKnownParent | Format-Table -AutoSize

Without auditing turned on, finding out who did it is not possible: the directory records when an object changed, not who changed it.

Active Directory auditing has two halves. The audit policy itself (Advanced Audit Policy Configuration: Account Management > Audit User Account Management for the 47xx events, DS Access > Audit Directory Service Changes for the 51xx events) is enabled through a GPO linked to the Domain Controllers OU. The 51xx events additionally need a SACL (an audit entry) on the domain or OU object, because directory service change events are only generated for objects whose SACL asks for them. Once the GPO is linked, run gpupdate /force on the domain controllers or wait for the next policy refresh.
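The two halves described above, done from an elevated PowerShell session on a domain controller. This is an added example and not code from the original post; it assumes the ActiveDirectory module is installed and that you hold SeSecurityPrivilege on the DC (needed to read and write SACLs). auditpol only changes that DC's local policy, so for a durable setting put the same two subcategories into a GPO linked to the Domain Controllers OU.

```powershell
Import-Module ActiveDirectory

# 1) Audit policy subcategories: user account events (4720/4722/4726/4738) and
#    directory service change events (5136/5137/5139/5141). Local to this DC only.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2) SACL on the domain head, inherited by everything below it. 51xx events are only
#    generated for objects whose SACL asks for them, so audit successful deletes
#    (Delete, DeleteChild, DeleteTree) and attribute writes by Everyone.
$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# -Audit is required to get the SACL part of the security descriptor, not just the DACL
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3) Verify: the new audit entry should be listed for Everyone, and both subcategories
#    should report Success in the effective policy
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
auditpol /get /subcategory:"User Account Management"
auditpol /get /subcategory:"Directory Service Changes"
```

Auditing WriteProperty on the whole domain is noisy on a busy directory; if that is a problem, scope the SACL to the OUs you care about or drop WriteProperty and keep only the delete rights, which is all that the 5141 deletion events need.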
If auditing is set up correctly, a deleted user shows up in the Security log of the domain controller that processed the deletion as event ID 4726. We can pull it with the following PowerShell:

# Filter on the event ID before taking the newest 10; the original form (-Newest 10 | Where EventID -eq 4726)
# takes the ten most recent Security events of any kind and then usually finds no 4726 among them.
# Run this on the domain controller, or add -ComputerName <dc>, because each DC only logs what it processed.
# Get-EventLog exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent instead.
Get-EventLog -LogName Security -After $Date -InstanceId 4726 -Newest 10

There are many event IDs to choose from, so if we do not know what happened to the user or object we can search the message text instead of a specific ID:

# -Message accepts wildcards; this matches every user account management event (4720, 4722, 4726, 4738, ...)
Get-EventLog -LogName Security -After $Date -Message "*A user account*" -Newest 10
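Putting the two halves of the procedure together: list every object deleted since $Date, then match each one to the Security event that names the account that deleted it. This is an added example, not code from the original post. It assumes the ActiveDirectory module is installed, that auditing is enabled as described above, and that $DC is the domain controller the deletion was processed on (the script picks one with Get-ADDomainController; replace it if you know the right DC). It uses Get-WinEvent rather than Get-EventLog so it also works on PowerShell 7.

```powershell
Import-Module ActiveDirectory

$Date = [datetime]"3/19/2017"
$DC   = (Get-ADDomainController).HostName   # assumption: the DC that processed the deletion

# 1) Deleted objects. isDeleted restricts the result to tombstones/recycled objects;
#    lastKnownParent tells you which container to put the object back into.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and whenChanged -gt $Date' `
    -IncludeDeletedObjects -Properties objectClass, whenChanged, lastKnownParent, sAMAccountName

# 2) 4726 (user account deleted) and 5141 (any directory object deleted) since $Date.
#    The filter hashtable is applied by the event log service, not client side.
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4726, 5141; StartTime = $Date } -ErrorAction SilentlyContinue

# Turn an event's EventData into a hashtable keyed by field name (SubjectUserName, ObjectDN, ...)
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 3) Match each deleted object to its event: 5141 carries the ObjectGUID of the deleted object,
#    4726 carries the deleted account's sAMAccountName in TargetUserName, so check both.
foreach ($obj in $deleted) {
    $guid = $obj.ObjectGUID.ToString()
    $by   = '(no audit event found)'
    $evId = $null
    foreach ($ev in $events) {
        $f = Get-EventFields $ev
        if (($ev.Id -eq 5141 -and $f['ObjectGUID'] -like "*$guid*") -or
            ($ev.Id -eq 4726 -and $obj.sAMAccountName -and $f['TargetUserName'] -eq $obj.sAMAccountName)) {
            $by   = "$($f['SubjectDomainName'])\$($f['SubjectUserName']) at $($ev.TimeCreated)"
            $evId = $ev.Id
            break
        }
    }
    [pscustomobject]@{
        # a tombstone's Name is the old name, a line feed, then DEL:<guid> (shown as \0ADEL: in the DN)
        Name       = ($obj.Name -split "`n")[0]
        Class      = $obj.ObjectClass
        WasIn      = $obj.lastKnownParent
        DeletedAt  = $obj.whenChanged
        DeletedBy  = $by
        AuditEvent = $evId
        ObjectGUID = $guid
    }
}

# With the AD Recycle Bin enabled the object can then be restored intact into lastKnownParent:
#   Restore-ADObject -Identity <ObjectGUID>
```

A deleted OU, group or computer has no sAMAccountName and never produces a 4726, so for those objects only the 5141 match applies; if DeletedBy comes back empty for such an object, the SACL on its former parent container did not ask for delete auditing, or the deletion was processed on a different DC than $DC.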

Here are some useful event IDs for an AD audit:

Event ID 4720 - A user account was created.
Event ID 4722 - A user account was enabled.
Event ID 4725 - A user account was disabled.
Event ID 4726 - A user account was deleted.
Event ID 4738 - A user account was changed.

Event ID 5136 - A directory service object was modified.
Event ID 5137 - A directory service object was created.
Event ID 5139 - A directory service object was moved.
Event ID 5141 - A directory service object was deleted.

The 47xx events only cover user accounts. A deleted OU, group or computer shows up only as a 5141, which also carries the object's DN, GUID and class, so for anything other than a user that is the event to look for.