PowerShell: Script to detect recent changes to an ADUser

    Question

  • Office365 - OneDrive for Business is sending out some alerts to managers of colleagues advising that their content is going to be deleted as they're leaving.  Nothing is visible in the tenancy setting and on our synched AD farm these accounts aren't marked as disabled nor are they deleted.

    I'd like to see if anything has changed on the accounts in question recently and wondering if I can pull up a list of account changes via PowerShell.  If so, how would I get this done?  I've had a look in the AD PowerShell help files but haven't seen any useful commands.  Get-ADUser has nothing that appears useful either.

    Thanks


    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles: CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

    • Moved by Wendy Jiang Tuesday, March 14, 2017 5:14 AM powershell request
    • Moved by jrv Wednesday, March 15, 2017 3:38 PM Detailed issues about hybrid installation
    Monday, March 13, 2017 1:46 PM

All replies

  • Hi,

    >>I'd like to see if anything has changed on the accounts in question recently and wondering if I can pull up a list of account changes via PowerShell.

    Try the Compare-Object PowerShell cmdlet:

    https://technet.microsoft.com/en-us/library/ee156812.aspx

    For example: 

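    # Snapshot taken on a prior date (e.g. saved with Export-Clixml and reloaded with Import-Clixml)
    $users = Get-ADUser -Filter * -Properties Enabled, whenChanged
    # Snapshot taken on the current date
    $users2 = Get-ADUser -Filter * -Properties Enabled, whenChanged
    # Name the properties to compare; without -Property only each object's string form is compared, so attribute changes are missed
    Compare-Object -ReferenceObject $users -DifferenceObject $users2 -Property SamAccountName, Enabled, whenChanged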

    Besides, if you could try to write your own script here, that will be helpful for further assistance.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 14, 2017 8:52 AM
  • I think the only way to get recent changes (what was changed) to an account is via Audit Events on your DCs (Event ID #4738 for OS 2008 R2 and above). If Audit events of your Domain Controllers are enabled and being collected in your environment then you can probably get this data.

    However, at least you can get a list of user accounts which have been changed recently using the Get-ADObject whenChanged attribute.

    Ref # https://blogs.technet.microsoft.com/heyscriptingguy/2015/07/03/use-powershell-to-find-changes-to-active-directory/


    Thanks, Samer
    Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!


    • Edited by Samer87 Tuesday, March 14, 2017 9:31 AM
    • Proposed as answer by Samer87 Tuesday, March 14, 2017 1:10 PM
    • Unproposed as answer by Steven Andrews Wednesday, March 15, 2017 11:54 AM
    Tuesday, March 14, 2017 9:22 AM
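
    Added example, not part of the original thread: listing user objects by whenChanged as the reply above suggests and, going one step beyond it, reading per-attribute replication metadata to see which attributes of one account changed and when. The 14-day window and the account name `jdoe` are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumption: look back 14 days; adjust to the troubleshooting window.
$since = (Get-Date).AddDays(-14)

# 1. User objects modified since $since.
#    whenChanged is not replicated: each DC stamps its own local write time,
#    so the value can differ slightly depending on which DC answers.
Get-ADObject -Filter 'objectCategory -eq "person" -and objectClass -eq "user" -and whenChanged -ge $since' `
             -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, DistinguishedName, whenChanged

# 2. For one account of interest, show WHICH attributes changed in that window.
#    Replication metadata records the time and originating DC of the last
#    write per attribute. It does not record old values or who made the change.
$user = Get-ADUser -Identity 'jdoe'            # constructed sample account
$dc   = (Get-ADDomainController).HostName      # DC used for this session

Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
    Where-Object { $_.LastOriginatingChangeTime -ge $since } |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object AttributeName, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity, Version
```

    An attribute such as userAccountControl or accountExpires appearing in the second list narrows down what the sync engine would have picked up.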
  • This is not a PowerShell issue.  It is a sync issue or a license issue on O365.  You will want to post in the O365 forums for assistance.  AD cannot tell you about a cloud attached account.

    You can connect to O365 and get the user on O365 to see the license status.


    \_(ツ)_/

    Tuesday, March 14, 2017 1:43 PM
  • Please let me propose answers to this question. This article is interesting but doesn't partially answer my query. I'll mark the post accordingly.

    Steven Andrews

    Wednesday, March 15, 2017 11:54 AM
  • >>This is not a PowerShell issue.  It is a sync issue or a license issue on O365.  You will want to post in the O365 forums for assistance.  AD cannot tell you about a cloud attached account.

    >>You can connect to O365 and get the user on O365 to see the license status.

    Appreciate the input but the question is in the correct forum as it's a PowerShell question.  I spend a lot of time in the Office365 forums myself.  I'm aware of what the synch problem typically is.  Having spent time looking at several affected cloud accounts they're working and fine as expected. 

    I've worked backwards to the AD accounts and want to see if changes are being made to them before they're synched up as part of my troubleshooting.  PowerShell seems the most appropriate way to do this, hence my being here.

    Thanks
    Steven


    Steven Andrews

    Wednesday, March 15, 2017 11:59 AM
  • Unfortunately you are asking a product specific question and not a question about how to use a script.  If you are hybrid then you should start in the Directory Services forum as they will be more likely to know if there is anything in the AD local schema to tell you what you need.

    I recommend using AD auditing to capture changes to user objects and also sync records to the event log.  If you have issues with how to query the event log then post back here with your issues.


    \_(ツ)_/

    Wednesday, March 15, 2017 3:32 PM
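
    Added example, not part of the original thread: querying the Security log on each domain controller for Event ID 4738 ("A user account was changed"), the audit event named in the replies above, and reducing each event to who changed which account and how userAccountControl moved. It assumes the "Audit User Account Management" policy is enabled on the DCs and that the caller may read their Security logs; the 14-day window and the account name `jdoe` are constructed.

```powershell
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-14)   # assumption: 14-day look-back
$target = 'jdoe'                    # constructed sample sAMAccountName

# 4738 is written only on the DC that processed the change, so ask every DC.
$changes = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4738; StartTime = $since
    } | ForEach-Object {
        # Flatten <EventData><Data Name="..."> into a name/value table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            DC          = $dc
            Target      = $data['TargetUserName']
            ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            OldUac      = $data['OldUacValue']
            NewUac      = $data['NewUacValue']
        }
    }
}

$changes |
    Where-Object Target -eq $target |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

    Attributes that a given 4738 event did not touch are logged as "-", and how far back the query can reach is bounded by the Security log retention on each DC.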