Active Directory - Moving users from one OU to another

    • #999246
      Deon
      Participant
      Member Points: 205
      Rank: 2

      Hi experts,

      I'm wondering if there is an easier way, other than tracing/auditing event ID 5139, to trace/audit the moving of a user account between different OUs within Active Directory, or to establish the moving of objects in and out of a specific OU?

      For an AD group you can get a history of when users were added to or removed from a group: (repadmin /showobjmeta dcname "OU=group name,DC=name,DC=name" >c:\temp\123.csv)

      Is there some similar history you can extract for a specific OU (users or computer accounts moved in or out of the OU) or for a user account (added to or removed from specific OUs)?

      Regards,

      Deon

    • #1001583
      Luc Fullenwarth
      Moderator
      Member Points: 16,066
      Rank: 4
      # Replication metadata is kept per DC, so ask every DC; the group object is piped in as -Object.
      # member is a linked attribute, so -ShowAllLinkedValues is needed to see add/remove history.
      Get-ADDomainController -Filter * | ForEach-Object -Process {
          Get-ADGroup -Identity 'Enterprise Admins'|
          Get-ADReplicationAttributeMetadata -Server $PSItem.Name -ShowAllLinkedValues
      }
    • #1001589
      Luc Fullenwarth
      Moderator
      Member Points: 16,066
      Rank: 4

      Sorry, I read your original message too fast 🙂

      There is no OU membership like for groups. There is only a change on the user's Distinguished Name.
      You must track this attribute for a change.

      Unfortunately, there is no Distinguished Name attribute in the metadata. But the Name and CN attributes are updated.
      You can then have a look at the Object attribute of this metadata, which shows you the Distinguished Name for each version of the object.

      Here is my proposed code:

      # The object GUID is stable across moves and renames, so use it as the identity
      $Guid = (Get-ADUser -Identity UserSamAccount -Properties ObjectGUID).ObjectGUID

      # Metadata is kept per DC, so query each one; then keep only the exact attributes cn and name
      # ('cn|name' alone would also match displayName, sAMAccountName, distinguishedName, ...)
      Get-ADDomainController -Filter * | ForEach-Object -Process {
          Get-ADReplicationAttributeMetadata -Server $PSItem.Name -Object $Guid -ShowAllLinkedValues
      }|
      Where-Object AttributeName -Match '^(cn|name)$'|
      Sort-Object -Property Version|
      Select-Object -Property Server,Version,LastOriginatingChangeTime,Object

      However, I have made some tests and it seems that you have to be quick before the new value is replicated to other domain controllers because the Metadata property only keeps the latest version of a given attribute…
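Since the metadata only keeps the latest version per attribute and per DC, the practical way to get a durable record is to build it outside AD. The following is an added example, not code from either poster: it snapshots the direct members of an OU to CSV and diffs each run against the previous one, comparing on objectGUID so that moves and renames are not mistaken for new objects. It assumes the ActiveDirectory module and read access to the OU; the OU DN and the snapshot folder are placeholders.

```powershell
# Added example, not from the thread: snapshot the direct members of an OU and
# diff against the previous snapshot. AD keeps no per-OU membership history, so
# the history has to be recorded by a scheduled task such as this one.
# Assumes the ActiveDirectory module; the OU DN and folder below are placeholders.
param(
    [string]$OuDn        = 'OU=Bitbucket-Users,DC=example,DC=com',  # placeholder OU
    [string]$SnapshotDir = 'C:\AuditSnapshots'                       # placeholder path
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# (objectClass=user) also covers computer accounts, since computer derives from user.
# -SearchScope OneLevel lists direct children only, so sub-OUs are tracked separately.
$current = @(Get-ADObject -SearchBase $OuDn -SearchScope OneLevel -LDAPFilter '(objectClass=user)' -Properties objectGUID |
    Select-Object @{ n = 'ObjectGUID'; e = { $_.ObjectGUID.Guid } }, Name, ObjectClass, DistinguishedName)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$newFile = Join-Path $SnapshotDir "ou-members-$stamp.csv"
$current | Export-Csv -Path $newFile -NoTypeInformation

# Most recent earlier snapshot, if there is one
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'ou-members-*.csv' |
    Where-Object FullName -ne $newFile |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $previous) {
    Write-Output "First snapshot written to $newFile; run again later to see changes."
    return
}

$old = @(Import-Csv -Path $previous.FullName)
# Compare on objectGUID: it survives moves and renames, the DN does not.
Compare-Object -ReferenceObject $old -DifferenceObject $current -Property ObjectGUID -PassThru |
    ForEach-Object {
        if ($_.SideIndicator -eq '=>') {
            $change = 'Appeared'          # created in, or moved into, the OU
            $where  = $_.DistinguishedName
        } else {
            # Gone from the OU: does it still exist elsewhere (moved) or not at all (deleted)?
            $obj = Get-ADObject -Identity $_.ObjectGUID -ErrorAction SilentlyContinue
            if ($obj) { $change = 'MovedOut'; $where = $obj.DistinguishedName }
            else      { $change = 'Deleted';  $where = $_.DistinguishedName }
        }
        [pscustomobject]@{
            Change      = $change
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            NowAt       = $where
            Since       = $previous.LastWriteTime
        }
    }
```

Run it on a schedule from an account with read access to the OU and archive the CSVs; the interval between runs is the resolution of the history. If the downstream sync (Bitbucket in Deon's case) reads the whole subtree rather than the OU's direct children, change -SearchScope to Subtree so the snapshot matches what the sync sees.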

      • #1001871
        Deon
        Participant
        Member Points: 205
        Rank: 2

        Thanks for the feedback @luc, much appreciated. It's a pity there is not an easy way to track this... one would have imagined it's not that difficult, but it turns out it is.. 🙁

        I'll test your script and see the results, but ultimately it would have been great if there was a history associated with moving users in and out of OUs, as in my experience Event ID 5139 is not accurate. We write all security logs to Sumo Logic and I can't trace users moving in and out of a specific OU via Event ID 5139. Perhaps there is a better way for me to query or interrogate all security logs from all DCs in our domain for event ID 5139; suggestions welcome.. 🙂

        We have a compliance issue where users only gain access to a system provided they are in a specific Active Directory OU, as users in this OU are automatically synced to an external application (in this case Atlassian Bitbucket). We have queries regarding who had access and when, and basically need to prove that even though users are in Bitbucket security groups, it's not relevant as the user(s) were not in the required OU to have system access.

        Regards,

        D
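For the follow-up question about querying every DC for event ID 5139, here is an added example that is not code from either poster. Two things are worth checking before concluding that 5139 is inaccurate: the event is written only in the Security log of the DC that performed the move, so reading one DC's log (or a SIEM that only collects from some DCs) gives an incomplete picture, and nothing is logged at all unless the "Audit Directory Service Changes" subcategory is enabled and the OU carries a SACL that audits the operation. The script below asks every DC for 5139 events in a time window and keeps only moves whose old or new DN sits under the OU of interest. It assumes the ActiveDirectory module and permission to read the DCs' Security logs remotely; the OU DN and the window are placeholders.

```powershell
# Added example, not from the thread: collect event ID 5139 ("A directory service
# object was moved") from every DC and report moves into or out of one OU.
# Assumes the ActiveDirectory module and remote read access to each DC's Security log.
param(
    [string]$OuDn    = 'OU=Bitbucket-Users,DC=example,DC=com',  # placeholder OU
    [datetime]$Since = (Get-Date).AddDays(-30)                  # placeholder window
)
Import-Module ActiveDirectory

function Get-OuMoveEvents {
    param([string]$OuDn, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 5139; StartTime = $Since }
    # 5139 is logged only on the DC that performed the move, so every DC must be asked.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Read the named fields from the event's XML <EventData>; a hashtable keyed on
            # the field name is more robust than positional Properties[] indexing.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $oldDn = $d['OldObjectDN']
            $newDn = $d['NewObjectDN']
            # "*,$OuDn" matches direct children and anything in sub-OUs of the target OU
            $wasIn = $oldDn -like "*,$OuDn"
            $isIn  = $newDn -like "*,$OuDn"
            if (-not ($wasIn -or $isIn)) { continue }   # move unrelated to this OU
            if ($wasIn -and -not $isIn) { $direction = 'Out' }
            elseif ($isIn -and -not $wasIn) { $direction = 'In' }
            else { $direction = 'WithinOU' }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc.HostName
                Direction   = $direction
                ObjectClass = $d['ObjectClass']
                MovedBy     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                OldDN       = $oldDn
                NewDN       = $newDn
            }
        }
    }
}

Get-OuMoveEvents -OuDn $OuDn -Since $Since |
    Sort-Object Time |
    Format-Table Time, DC, Direction, MovedBy, NewDN -AutoSize
```

The window is limited by each DC's Security log retention; if the log has rolled over, the only remaining copy is whatever the SIEM collected, so the same filter (event ID 5139, OldObjectDN or NewObjectDN ending in the OU's DN) is the one to run there.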

© 4sysops 2006 - 2021