{"id":72392,"date":"2015-07-03T00:01:00","date_gmt":"2015-07-03T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/07\/03\/use-powershell-to-find-changes-to-active-directory\/"},"modified":"2019-02-18T09:47:13","modified_gmt":"2019-02-18T16:47:13","slug":"use-powershell-to-find-changes-to-active-directory","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-find-changes-to-active-directory\/","title":{"rendered":"Use PowerShell to Find Changes to Active Directory"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to find changes to Active Directory.<\/span>\n\"Hey, Hey, Scripting Guy! I have this problem. It seems our company has undergone a lot of changes recently, and I need to find what changes have impacted Active Directory. Basically, I do not even know where to start. I would like to get an overview of what things have changed since a specific date. Is this even possible with Windows PowerShell?\n—GF\n\"Hey, Hello GF,\nMicrosoft Scripting Guy, Ed Wilson, is here. Hey, the weekend is nearly here—at least if you live on the eastern coast of the United States. If you are in Australia, then the weekend is already underway. That is one thing I love about Australia, they always start the weekend early. Anyway, it should be a nice sunny weekend around here, and there are outdoor concerts planned. It should be a great time to get out and have some fun.\nSo GF, I will help you out so maybe you can get out of the office and enjoy some nice sunny outdoor weather.\nTwo things are required to find when things changed. The first thing you need to find when things changed is a date. This becomes your point of departure. If you were looking for a ship, it would be your datum. As it is, you don’t really know what you are looking for, so you need to create a DateTime<\/b> object.\nThe easiest way to do this is to use the [datetime]<\/b> type accelerator to convert a string into a DateTime<\/b> object for you. I can supply the date in a format that my local input will accept, so for me that becomes month, day, year.\nHere is the command I use to create a DateTime<\/b> object that I will use as my beginning point of search. (By the way, I am not going to give a time, so the time will begin at midnight.)<\/p>\n

$dte = [datetime]”1\/1\/2015″\nAs you can see here, I have created a DateTime<\/b> object for January 1, 2015 (which was a Thursday):<\/p>\n

PS C:\\> $dte<\/p>\n

Thursday, January 1, 2015 12:00:00 AM\nNow I need to find all objects in Active Directory that have a WhenChanged<\/b> property (attribute) that is greater than January 1, 2015 at midnight. Because GF only says he is interested in knowing the numbers of the different types of objects that changed, I pipe the output to the Group-Object<\/b> cmdlet.\nTo be able to know what types of objects are changed, I will need the ObjectClass<\/b> property. To find objects in Active Directory, I use the Get-ADObject<\/b> cmdlet. My filter uses the WhenChanged<\/b> property and I specify my DateTime<\/b> object that I stored in the $dte<\/b> variable. Here is the command I use:<\/p>\n

Get-ADObject -Filter ‘whenchanged -gt $dte’ | Group-Object objectclass\nAnd here is an example of the type of output that arrives:<\/p>\n

PS C:\\> Get-ADObject -Filter ‘whenchanged -gt $dte’ | Group-Object objectclass<\/p>\n

Count Name                      Group                                                    <\/p>\n

—–     —-                            —–                                                     <\/p>\n

    1 domainDNS                 {DC=NWTraders,DC=com}                                    <\/p>\n

    1 groupPolicyContainer      {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,…<\/p>\n

    1257 user                      {CN=Administrator,CN=Users,DC=NWTraders,DC=com, CN=Kim …<\/p>\n

    1 group                     {CN=Remote Desktop Users,CN=Builtin,DC=NWTraders,DC=com} <\/p>\n

    6 computer                  {CN=DC1,OU=Domain Controllers,DC=NWTraders,DC=com, CN=S…<\/p>\n

    1 rIDManager                {CN=RID Manager$,CN=System,DC=NWTraders,DC=com}          <\/p>\n

    1 rIDSet                    {CN=RID Set,CN=DC1,OU=Domain Controllers,DC=NWTraders,D…<\/p>\n

    2 serviceConnectionPoint    {CN=Windows Virtual Machine,CN=SGW,CN=Computers,DC=NWTr…<\/p>\n

    1 rRASAdministrationConn… {CN=RouterIdentity,CN=SGW,CN=Computers,DC=NWTraders,DC=…<\/p>\n

    2 organizationalUnit        {OU=dataImport,DC=NWTraders,DC=com, OU=Charlotte,DC=NWT…\nWhat does this output tell me? Well, it tells me that something changed in DNS, Group Policy, groups, computers, organizational units, and on and on. What I do not know is what changed.\nWas an organizational unit (or two) created or merely modified? The 1257 users could be new users or changed users. When a user changes the password (which hopefully would have happened a few times since January 1, 2015), the user object changes. The same thing for the six computer objects—they have passwords that automatically change.\nIf you are looking for when things were created, well, guess what? There is also a WhenCreated<\/b> property (attribute). I can modify my code a little bit to see what objects were created after a specific date. This time, I will change my date to show objects that were created since July 1, 2015. The output is shown here:<\/p>\n

PS C:\\> $dte = [datetime]”7\/1\/15″<\/p>\n

PS C:\\> $dte<\/span><\/p>\n

 Wednesday, July 1, 2015 12:00:00 AM<\/span><\/p>\n

PS C:\\> Get-ADObject -Filter ‘whencreated -gt $dte’ | Group-Object objectclass<\/span><\/p>\n

Count Name                      Group                                                    <\/p>\n

—–     —-                            —–                                         <\/span><\/p>\n

    1 organizationalUnit        {OU=Charlotte,DC=NWTraders,DC=com}     \nSo, only one object has been created in Active Directory since July 1, 2015. And because there is only one object, it shows up in the Group<\/b> property from Group-Object<\/b>. It is the Charlotte organizational unit. If there were more than one object, I might not be able to see the group details. So I would remove the Group-Object<\/b> command. Here is the output:<\/p>\n

PS C:\\> Get-ADObject -Filter ‘whencreated -gt $dte’<\/p>\n

DistinguishedName      Name                   ObjectClass            ObjectGUID          <\/span><\/p>\n

—————–                —-                        ———–                ———-          <\/p>\n

OU=Charlotte,DC=NWT… Charlotte              organizationalUnit     f53f519c-c548-401a…\nIf I want to see all of the properties (attributes) from the newly created object, I specify the <\/span>–properties<\/b> parameter and use the asterisk wildcard character ( <\/span>*<\/b> ) to select all of the properties. This command is shown here with the associated output from the command:<\/span><\/p>\n

PS C:\\> Get-ADObject -Filter ‘whencreated -gt $dte’ -Properties *<\/p>\n

CanonicalName                   : NWTraders.com\/Charlotte<\/span><\/p>\n

CN                              :<\/p>\n

Created                         : 7\/2\/2015 9:47:53 AM<\/p>\n

createTimeStamp                 : 7\/2\/2015 9:47:53 AM<\/p>\n

Deleted                         :<\/p>\n

Description                     : Charlotte office users<\/p>\n

DisplayName                     :<\/p>\n

DistinguishedName               : OU=Charlotte,DC=NWTraders,DC=com<\/p>\n

dSCorePropagationData           : {12\/31\/1600 7:00:00 PM}<\/p>\n

instanceType                    : 4<\/p>\n

isDeleted                       :<\/p>\n

LastKnownParent                 :<\/p>\n

Modified                        : 7\/2\/2015 9:47:53 AM<\/p>\n

modifyTimeStamp                 : 7\/2\/2015 9:47:53 AM<\/p>\n

Name                            : Charlotte<\/p>\n

nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity<\/p>\n

ObjectCategory                  : CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=NWT<\/p>\n

                                  raders,DC=com<\/p>\n

ObjectClass                     : organizationalUnit<\/p>\n

ObjectGUID                      : f53f519c-c548-401a-982d-bd9f38b20d97<\/p>\n

ou                              : {Charlotte}<\/p>\n

ProtectedFromAccidentalDeletion : False<\/p>\n

sDRightsEffective               : 15<\/p>\n

uSNChanged                      : 430200<\/p>\n

uSNCreated                      : 430200<\/p>\n

whenChanged                     : 7\/2\/2015 9:47:53 AM<\/p>\n

whenCreated                     : 7\/2\/2015 9:47:53 AM\nWhat does not appear here is who created the object. To find this information, I would need to enable auditing for the creation of Active Directory objects. For me, that is pretty much a one-off scenario, so I would use the GUI tools to do that, and I would not use Windows PowerShell to turn on auditing.<\/span>\nGF, that is all there is to using Windows PowerShell to find changes to Active Directory. This also concludes Active Directory Week. Join me tomorrow when I will have a way cool guest blog post.\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to find changes to Active Directory.  Hey, Scripting Guy! I have this problem. It seems our company has undergone a lot of changes recently, and I need to find what changes have impacted Active Directory. Basically, I do not even know where to start. […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,303,45],"class_list":["post-72392","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to find changes to Active Directory.  Hey, Scripting Guy! I have this problem. It seems our company has undergone a lot of changes recently, and I need to find what changes have impacted Active Directory. Basically, I do not even know where to start. […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=72392"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72392\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=72392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=72392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=72392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}