Splunk Search

List of AD groups a user was removed from

toontech
New Member

How do I get a list of AD groups a specific user was removed from in the last week, please?

We had a Helpdesk person accidentally remove AD groups for a user far earlier than they should have, and whilst we can reinstate some memberships via user location, department knowledge, etc., there will be a lot more than that.

Any ideas please?

0 Karma

gazzadownunder
New Member

Have a look at this article, which shows how to display group membership changes for a user based on AD replication data.

https://nettools.net/group-changes/

And this one, which shows the members that have been removed from an individual group:

https://nettools.net/howto-display-what-members-were-remove-from-a-group/

0 Karma

toontech
New Member

Thank you for this. It appears we are not logging events for this code in Splunk. We had to make a manual effort to restore this user's AD groups and I guess I'll have to ask for such events to be logged in future.

0 Karma

richgalloway
SplunkTrust

Search for EventCode=4729 and the user in question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
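
The search suggested above, written out as an added example (not posted by anyone in this thread). It goes beyond EventCode 4729 (removal from a security-enabled global group) to include 4733 (local group) and 4757 (universal group), so that all three security group scopes are covered. Assumptions: `<your_windows_index>` and `<sAMAccountName>` are placeholders, and the field names `Account_Name` and `Group_Name` assume classic (non-XML) WinEventLog rendering, where `Account_Name` is multivalued with the account that made the change first and the removed member second.

```spl
index=<your_windows_index> sourcetype="WinEventLog:Security"
    EventCode IN (4729, 4733, 4757) "<sAMAccountName>"
    earliest=-7d@d latest=now
| eval removed_by=mvindex(Account_Name, 0)
| eval member=mvindex(Account_Name, 1)
| eval group_scope=case(EventCode==4729, "global",
                        EventCode==4733, "local",
                        EventCode==4757, "universal")
| stats latest(_time) AS last_removed
        values(removed_by) AS removed_by
        count AS removals
        BY Group_Name, group_scope, member
| convert ctime(last_removed)
| sort - last_removed
```

If the search returns nothing, confirm that the "Audit Security Group Management" audit subcategory is enabled on the domain controllers and that their Security event logs are forwarded to Splunk, since these events are written on the DC that processed the change.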