Is it possible to create a report of all the objects that have been dynamically removed from an Active Roles dynamic group over a certain time period?
- Products
- Solutions
- Resources
- Trials
- Support
- Partners
- Communities
Is it possible to create a report of all the objects that have been dynamically removed from an Active Roles dynamic group over a certain time period?
So I've go this script below that shows me all group membership changes to this AD group but is there a way to only show removal of objects?
Get-QARSOperation -TargetObject nameofadgroup -OperationType 'GroupMembershipChange' -Proxy -CompletedAfter ((get-date).AddDays(-4)) -SizeLimit 0 |
Select-Object @{Name="AttributeChanges";Expression={$_.AttributeChanges.Name -join ','}},
@{ name="Group"; expression={ $_.TargetObjectInfo.dn }},
@{ name="Date"; expression={ $_.Initiated }},
@{ name="PC"; expression={ $_.AttributeChanges.Values }} | export-csv C:\Temp\results.csv -NoTypeInformation
Hi rws
The operation performed against the member attribute is listed under AttributeChanges.operation property of the operation, in this instance Add or Remove. For other attributes that operation value will be different, for instance replace.
$TargetStart = (get-date).AddDays(-6) $TargetEnd = (get-date).AddDays(-4) $ServiceAccountDN = "<Your Service Account DN>" $Operation = "Remove" $OutputFile = "C:\Temp\results.csv" Get-QARSOperation -CompletedAfter $TargetStart ` -CompletedBefore $TargetEnd ` -InitiatedBy $ServiceAccountDN ` -OperationType GroupMembershipChange ` -OperationStatus Completed ` -SizeLimit 0 ` -Proxy ` | Where-object {$_.AttributeChanges.operation -eq $Operation} ` | Select-Object @{Name="AttributeChanges";Expression={$_.AttributeChanges.Name -join ','}}, @{ name="Group"; expression={ $_.TargetObjectInfo.dn }}, @{ name="Date"; expression={ $_.Initiated }}, @{ name="PC"; expression={ $_.AttributeChanges.Values }} ` | export-csv $OutputFile -NoTypeInformation
The other changes I made to your script, was to parametrise the inputs, but also filter the operations on both a completed after and complete before value, rather than returning every operation before a certain date, and also filtering only on the Active Roles service account and also removing the check on a particular group. Naturally you can amend as required for your use case.
Hope this helps
Hi rws
The operation performed against the member attribute is listed under AttributeChanges.operation property of the operation, in this instance Add or Remove. For other attributes that operation value will be different, for instance replace.
$TargetStart = (get-date).AddDays(-6) $TargetEnd = (get-date).AddDays(-4) $ServiceAccountDN = "<Your Service Account DN>" $Operation = "Remove" $OutputFile = "C:\Temp\results.csv" Get-QARSOperation -CompletedAfter $TargetStart ` -CompletedBefore $TargetEnd ` -InitiatedBy $ServiceAccountDN ` -OperationType GroupMembershipChange ` -OperationStatus Completed ` -SizeLimit 0 ` -Proxy ` | Where-object {$_.AttributeChanges.operation -eq $Operation} ` | Select-Object @{Name="AttributeChanges";Expression={$_.AttributeChanges.Name -join ','}}, @{ name="Group"; expression={ $_.TargetObjectInfo.dn }}, @{ name="Date"; expression={ $_.Initiated }}, @{ name="PC"; expression={ $_.AttributeChanges.Values }} ` | export-csv $OutputFile -NoTypeInformation
The other changes I made to your script, was to parametrise the inputs, but also filter the operations on both a completed after and complete before value, rather than returning every operation before a certain date, and also filtering only on the Active Roles service account and also removing the check on a particular group. Naturally you can amend as required for your use case.
Hope this helps
yes it does help, thank you so much, this is perfect