Splunk Search

List of AD groups a user was removed from

toontech
New Member

How do I get a list of AD groups a specific user was removed from in the last week, please?

We had a Helpdesk person accidentally remove AD groups for a user far earlier than they should have, and whilst we can reinstate some memberships via user location, department knowledge, etc., there will be a lot more than that.

Any ideas please?

0 Karma

gazzadownunder
New Member

Have a look at this article, which shows how to display group membership changes for a user based on AD replication data.

https://nettools.net/group-changes/

And this one, which shows the members that have been removed from an individual group:

https://nettools.net/howto-display-what-members-were-remove-from-a-group/

0 Karma

toontech
New Member

Thank you for this. It appears we are not logging events for this code in Splunk. We had to make a manual effort to restore this user's AD groups, and I guess I'll have to ask for such events to be logged in future.

0 Karma

richgalloway
SplunkTrust

Search for EventCode=4729 and the user in question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
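
One way to expand the search suggested above, as an added example that is not part of the original replies: it lists each group the user was removed from in the last 7 days and who made the change. It also covers 4733 and 4757, the local and universal security group counterparts of 4729, which goes beyond the reply. `YOUR_WINDOWS_INDEX` and `USERNAME_PLACEHOLDER` are placeholders, and the `rex` patterns assume the classic multi-line (non-XML) event message from the domain controllers' Security logs is indexed.

```spl
index=YOUR_WINDOWS_INDEX earliest=-7d (EventCode=4729 OR EventCode=4733 OR EventCode=4757) "USERNAME_PLACEHOLDER"
| rex "(?s)Subject:.*?Account Name:\s+(?<removed_by>[^\r\n]+)"
| rex "(?s)Member:.*?Security ID:\s+(?<member_sid>[^\r\n]+)"
| rex "(?s)Member:.*?Account Name:\s+(?<member_dn>[^\r\n]+)"
| rex "(?s)Group:.*?Group Name:\s+(?<group_name>[^\r\n]+)"
| rex "(?s)Group:.*?Group Domain:\s+(?<group_domain>[^\r\n]+)"
| search member_sid="*USERNAME_PLACEHOLDER*" OR member_dn="*USERNAME_PLACEHOLDER*"
| stats latest(_time) as last_removed count as removals values(removed_by) as removed_by by group_domain group_name
| convert ctime(last_removed)
| sort group_domain group_name
```

The `search` step after the extractions keeps only events where the user is the removed member, so removals that the same account performed on other users are not counted.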