• State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 3 replies
  • Subscribers 62 subscribers
  • Views 502 views
  • Users 0 members are here
Options
Related

Dynamic Groups Question

rws
2 months ago

Is it possible to create a report of all the objects that have been dynamically removed from an Active Roles dynamic group over a certain time period?  

Top Replies

  • 2 months ago in reply to rws +1 verified

    Hi  

    The operation performed against the member attribute is listed under AttributeChanges.operation property of the operation, in this instance Add or Remove. For other attributes that operation value…

  • 0 2 months ago

    So I've go this script below that shows me all group membership changes to this  AD group but is there a way to only show removal of objects?  

    Get-QARSOperation -TargetObject nameofadgroup -OperationType 'GroupMembershipChange' -Proxy -CompletedAfter ((get-date).AddDays(-4)) -SizeLimit 0 |
    Select-Object @{Name="AttributeChanges";Expression={$_.AttributeChanges.Name -join ','}},
    @{ name="Group"; expression={ $_.TargetObjectInfo.dn }},
    @{ name="Date"; expression={ $_.Initiated }},
    @{ name="PC"; expression={ $_.AttributeChanges.Values }} | export-csv C:\Temp\results.csv -NoTypeInformation

  • +1 2 months ago in reply to rws

    Hi  

    The operation performed against the member attribute is listed under AttributeChanges.operation property of the operation, in this instance Add or Remove. For other attributes that operation value will be different, for instance replace.

    $TargetStart = (get-date).AddDays(-6)
$TargetEnd = (get-date).AddDays(-4)
$ServiceAccountDN = "<Your Service Account DN>"
$Operation = "Remove"
$OutputFile = "C:\Temp\results.csv"

Get-QARSOperation -CompletedAfter $TargetStart `
                  -CompletedBefore $TargetEnd `
                  -InitiatedBy $ServiceAccountDN `
                  -OperationType GroupMembershipChange `
                  -OperationStatus Completed `
                  -SizeLimit 0 `
                  -Proxy `
                  | Where-object {$_.AttributeChanges.operation -eq $Operation} `
                  | Select-Object @{Name="AttributeChanges";Expression={$_.AttributeChanges.Name -join ','}}, 
                                  @{ name="Group"; expression={ $_.TargetObjectInfo.dn }}, 
                                  @{ name="Date"; expression={ $_.Initiated }},
                                  @{ name="PC"; expression={ $_.AttributeChanges.Values }} `
                  | export-csv $OutputFile -NoTypeInformation

    The other changes I made to your script, was to parametrise the inputs, but also filter the operations on both a completed after and complete before value, rather than returning every operation before a certain date, and also filtering only on the Active Roles service account and also removing the check on a particular group. Naturally you can amend as required for your use case.

    Hope this helps

  • 0 2 months ago in reply to Stu.Pollock

    yes it does help, thank you so much, this is perfect