Thanks or the feedback @luc, much appreciated. It’s a pity there is not a easy way to track this… one would have imagined it’s not that difficult, but turns out it is.. 🙁
I’ll test you script and see the results, but ultimately it would have been great if there was a history associated moving users in and out of OU’s, as in my experience Event ID 5139 is not accurate, we write all security logs to SomoLogic and I’ can’t trace users moving in and out of a specific OU via Event ID 5139. Perhaps there is a better way for me to query or interrogate all security logs from all DC’s in our domain for event ID 5139, suggestions welcome.. 🙂
We have a compliance issue where users only gain access to a system provided they are in a specific Active Directory OU, as users in this OU are automatically synced to an external application (in this case Atlasian bitbucket), we have queries regarding whom had access and when and basically need to prove that even though users are in bitbucket security groups, it’s not relevant as a user/s where not in the required OU to have system access.