Для данной задачи потребуется включить аудит по событию 4728.
Event ID when a User is Added or Removed from Security-Enabled Global Group such as Domain Admins or Group Policy Creator Owners
Для PowerShell - можно использовать модуль PsEventLogWatcher и примерами использования
https://pseventlogwatcher.codeplex.c...ced%20Examples
Код:
$BookmarkStreamPath = "C:\Eventlogwatchers\EventsToCSV.stream"
$BookmarkToStartFrom = Get-BookmarkToStartFrom $BookmarkStreamPath
$EventLogQuery = New-EventLogQuery "ForwardedEvents"
$EventLogWatcher = New-EventLogWatcher $EventLogQuery $BookmarkToStartFrom
$Action = {
$EventObj = New-Object psobject
$EventObj | Add-Member noteproperty TimeCreated $EventRecord.TimeCreated
$EventObj | Add-Member noteproperty ID $EventRecord.ID
$EventObj | Add-Member noteproperty MachineName $EventRecord.MachineName
$EventRecordXML.Event.EventData.Data | Where-Object {$_.name -ne $Null} | ForEach-Object {$EventObj | Add-Member noteproperty $_.name $_."#text"}
switch ($EventObj.ID)
{
4728 {$Outfile = "SecurityGroup_MemberAdded.csv"}
}
If ($Outfile -ne $Null)
{
$EventObj | Convertto-CSV -Outvariable OutData -NoTypeInformation
$OutPath = "C:\EventLogWatchers\CSV\$Outfile"
If (Test-Path $OutPath)
{
$Outdata[1..($Outdata.count - 1)] | ForEach-Object {Out-File -InputObject $_ $OutPath -append}
} else {
Out-File -InputObject $Outdata $OutPath
}
}
}
Register-EventRecordWrittenEvent $EventLogWatcher $BookmarkStreamPath -action $action -SourceIdentifier "EventsToCSV"
$EventLogWatcher.Enabled = $True
