There are three operations performed in an Active Directory environment: Create, Modify and Delete. Any Active Directory administrator with sufficient permissions can perform Create, Modify and Delete operations.
These operations can be performed on objects such as users, computers, user and computer properties, contacts, and other objects, except for critical Active Directory objects. By default, users (including Domain Admins) do not have permissions to perform any operations on critical Active Directory objects.
In an Active Directory environment with millions of objects, it sometimes becomes difficult to monitor the changes that have taken place. Every day, thousands of operations might be taking place.
For example, someone might be creating user accounts, while someone else might be deleting user accounts. Similarly, you might have someone who modifies the user properties.
As a result, it becomes necessary to implement an auditing mechanism that helps you keep track of Active Directory changes and identify which users made them. Windows Server 2008 and earlier operating systems lacked the capability to report enough detail about the changes made in Active Directory.
However, with Windows Server 2008 R2 and later operating systems, Microsoft provides more extensive details for Active Directory changes. While you can open the Event Viewer to see the changes that have been taking place throughout Active Directory, it becomes cumbersome to look at each event one by one and pick out the changes you wish to see.
That’s where today’s Server Tutorial comes in handy. Today we’ll talk about the account-creation operations you can track by running a simple PowerShell script.
When it comes to searching for account-creation events in the Event Viewer, you’ll want to look for Event ID 4720. To make the process as efficient as possible, run a simple PowerShell script that collects the required data into a CSV file. The PowerShell script looks like this:
```powershell
Import-Module ActiveDirectory
$ReportFile = "C:\Temp\AccountCreationReport.CSV"
$LogToFetch = "Security"
# Get-ADDomainController returns an object; Get-EventLog -ComputerName needs the host name string
$DomainControllerToConnect = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
$ACCreationEventID = 4720
# Select-Object (not Format-List) keeps real objects so Export-Csv writes usable columns; ReplacementStrings is an array, so join it into one cell
Get-EventLog -LogName $LogToFetch -ComputerName $DomainControllerToConnect -After (Get-Date).AddDays(-1) |
    Where-Object { $_.EventID -eq $ACCreationEventID } |
    Select-Object TimeGenerated, @{ Name = 'ReplacementStrings'; Expression = { $_.ReplacementStrings -join '|' } }, Message |
    Export-Csv $ReportFile -NoTypeInformation
```
As you can see, the above PowerShell script uses the Get-EventLog cmdlet to retrieve the required details. Get-EventLog looks for event ID 4720 on a domain controller and then reports the changes in a CSV file.
Once you have executed the above PowerShell script, a report will be generated in the C:\Temp\AccountCreationReport.CSV file. The report contains the data needed to find out which accounts were created in Active Directory.
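As an added example (not the article's script), the version below queries every domain controller rather than only the PDC emulator, because a 4720 event is written only on the DC that performed the create, and it pulls the fields a reviewer needs (new account, SID, creator) out of the event XML by name instead of relying on ReplacementStrings positions. The output path and the helper name Get-EventDataValue are assumptions made here.

```powershell
# Added example, not the article's script: collect 4720 events from every DC
# and report who created which account, since a given creation is logged only
# on the DC that handled it (the PDC emulator is not guaranteed to be that DC).
Import-Module ActiveDirectory

$ReportFile = 'C:\Temp\AccountCreationReport.csv'   # output path, assumed
$Since      = (Get-Date).AddDays(-1)

function Get-EventDataValue {
    # Read a named EventData field from the event XML; this is stable across
    # event versions, unlike the index of an entry in ReplacementStrings.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # Get-WinEvent raises a non-terminating "no events were found" error when a
    # DC has no matching events in the window, so suppress it and move on.
    $events = Get-WinEvent -ComputerName ([string]$dc.HostName) `
        -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = [string]$dc.HostName
            NewAccount       = Get-EventDataValue $e 'TargetUserName'
            NewAccountSid    = Get-EventDataValue $e 'TargetSid'
            CreatedBy        = '{0}\{1}' -f (Get-EventDataValue $e 'SubjectDomainName'),
                                            (Get-EventDataValue $e 'SubjectUserName')
            UserPrincipalName = Get-EventDataValue $e 'UserPrincipalName'
        }
    }
}

$report | Sort-Object TimeCreated | Export-Csv -Path $ReportFile -NoTypeInformation
```

The CreatedBy column is the value worth reviewing: creations by an account that is not an expected provisioning identity, or outside normal hours, are the ones an auditor wants to see first.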
If you’d next like to see all the changes that have been taking place throughout Active Directory, all you need to do is use the Get-ADObject cmdlet, as shown in the PowerShell commands below:
```powershell
$ThisDate = [Datetime]"02/02/2017"
# The comparison belongs inside the -Filter expression, not as a separate -GT parameter; -Properties adds the WhenChanged column to the output
Get-ADObject -Filter { WhenChanged -gt $ThisDate } -Properties WhenChanged | Export-Csv C:\Temp\AllADChanges.CSV -NoTypeInformation
```
The first command stores the date in a variable. The second command looks for all objects in Active Directory that were changed after the date specified in the $ThisDate variable.
The output is reported in the C:\Temp\AllADChanges.CSV file. Note that the “WhenChanged” property of any object reflects a “Modify” operation, so by running the above PowerShell commands you will only see the objects that were modified recently.
If you wish to see a list of objects that were created recently in Active Directory, you can use the “WhenCreated” property in place of “WhenChanged”, as shown in the commands below:
```powershell
$ThisDate = [Datetime]"02/02/2017"
Get-ADObject -Filter { WhenCreated -gt $ThisDate } -Properties WhenCreated | Export-Csv C:\Temp\AllADCreations.CSV -NoTypeInformation
```
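As an added example that goes beyond the two commands above and is not from the article, the function below (Get-ADChangeReport, a name assumed here) reports all three operations the article opened with, Create, Modify and Delete, since a single date. It pins every query to one domain controller because whenChanged is not replicated between DCs, and it uses -IncludeDeletedObjects to surface tombstones, which a plain Get-ADObject never returns.

```powershell
# Added example, not the article's commands: one report for create, modify and
# delete operations since a date, queried against a single DC.
Import-Module ActiveDirectory

function Get-ADChangeReport {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        # whenChanged is maintained locally on each DC and not replicated, so
        # results differ per DC; pin one server for a consistent answer.
        [string]$Server = (Get-ADDomainController -Discover).HostName
    )
    $props = 'whenCreated', 'whenChanged', 'objectClass', 'isDeleted'

    # Create: whenCreated is replicated, so any DC gives the same set.
    Get-ADObject -Server $Server -Filter { whenCreated -gt $Since } -Properties $props |
        ForEach-Object { [pscustomobject]@{ Operation = 'Create'; When = $_.whenCreated
                                            Object = $_.DistinguishedName; Class = $_.objectClass } }

    # Modify: a create also bumps whenChanged, so exclude objects already reported above.
    Get-ADObject -Server $Server -Filter { whenChanged -gt $Since -and whenCreated -le $Since } -Properties $props |
        ForEach-Object { [pscustomobject]@{ Operation = 'Modify'; When = $_.whenChanged
                                            Object = $_.DistinguishedName; Class = $_.objectClass } }

    # Delete: tombstones live under Deleted Objects and are only visible with -IncludeDeletedObjects.
    Get-ADObject -Server $Server -IncludeDeletedObjects -Filter { isDeleted -eq $true -and whenChanged -gt $Since } -Properties $props |
        ForEach-Object { [pscustomobject]@{ Operation = 'Delete'; When = $_.whenChanged
                                            Object = $_.DistinguishedName; Class = $_.objectClass } }
}

# Output path assumed; same date as the article's examples.
Get-ADChangeReport -Since ([datetime]'02/02/2017') |
    Sort-Object When |
    Export-Csv -Path 'C:\Temp\AllADChanges.csv' -NoTypeInformation
```

The Delete section only tells you that an object is gone and when; to learn who deleted it you still need the Security log on the DC that processed the delete, as with the 4720 events above.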
If you also need to track the logon and logoff times for all users in an Active Directory environment, look for event IDs 4647 and 4648. Event ID 4647 pertains to logon and event ID 4648 is for logoff events. Note that these event IDs are recorded on the computer where the logon takes place, so they need to be queried on the local computers rather than on a domain controller.
While you can use the PowerShell methods above to find changes in Active Directory, there are various tools on the market that automate the complete process, including delivering reports via email. One product we have come across recently for this is Netwrix Auditor for Active Directory.
Netwrix Auditor for Active Directory delivers security analytics about what’s going on in Active Directory and Group Policy. You can use this data to mitigate the risk of privilege abuse, prove IT compliance and streamline troubleshooting.
Nirmal Sharma is an MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover Clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.