Search for who changed the security group


posted by mpetka
02-07-2013

Downloads: 177
File size: 158 B
Views: 1,159

Embed
Search for who changed the security group
  1. Get-WinEvent -ComputerName dc03 -FilterHashtable @{logname='security'; id=4757} | Where { $_.message -like*Matthew L*-and $_.message -like '*secure-users* 
Filed under:

Today I was asked who had made a change to one of our security groups. Back in the bad old days I would open up event viewer. Set the filter and open events one at a time.....

Today we have Powershell. This one-liner will search the security log of a DC and then search through the message body of the event to get the one you want

Get-WinEvent -ComputerName dc0x -FilterHashtable @{logname='security'; id=4757} | Where { $_.message -like ‘*Matthew L*’ -and $_.message -like '*secure-users* 

Copyright 2012 PowerShell.com. All rights reserved.