I answered a question via Twitter the other day as to whether or not it was possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!” – assuming your forest is running at the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you upgraded your forest to this level. You can also see when a user was removed; however, once they’ve been removed you won’t be able to see when they were added.
Starting with FFL2, linked values such as group membership replicate individually via linked value replication (LVR). In Windows 2000, a linked attribute replicated as a single block of data: the entire member attribute travelled as one unit, which is where the problems with large groups came from (the practical limit of roughly 5,000 members, and membership changes made on two DCs in the same replication window overwriting each other). Active Directory also stores some additional data for every object called replication metadata. The metadata records, for each attribute, its version number, when it was last changed, and which DC the change originated from. Since links replicate individually under LVR, each link value carries its own metadata, and you can use it to determine when the user was added to the group. To look at the replication metadata for an object, you’ll need to provide the object’s distinguished name. Because the originating metadata (originating DSA, originating USN, time, and version) replicates along with the change, you get the same answer from any DC; only the local USN differs. In this case, I’m going to look at the group “Test Group” in my domain:
repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=brianlab,DC=local"
The output of this command will vary, but in my environment it looks like this:
13 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 objectClass
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 cn
686100 TestSite\TEST-DC01 686100 2010-10-27 14:06:19 2 description
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 instanceType
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 whenCreated
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 nTSecurityDescriptor
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 name
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 objectSid
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 sAMAccountName
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 sAMAccountType
685899 TestSite\TEST-DC01 685899 2010-10-25 12:56:19 1 sIDHistory
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 groupType
685896 TestSite\TEST-DC01 685896 2010-10-25 12:56:19 1 objectCategory
3 entries.
Type Attribute Last Mod Time Originating DSA Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
ABSENT member 2010-11-05 16:55:28 TestSite\TEST-DC01 749327 749327 2 CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT member 2010-11-05 16:55:02 TestSite\TEST-DC01 749320 749320 1 CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT member 2010-11-02 12:48:34 TestSite\TEST-DC01 730720 730720 1 CN=Doe\, John,OU=Users,DC=brianlab,DC=local
There are a couple of key takeaways here. The first is that you can see the version numbers of each of the attributes. In this case, none of the attributes have been modified since the group was created, except for the description attribute, which was updated once a couple of days later (Ver 2, on 10/27). At the bottom of the output is the listing for each linked attribute value. In this case I only have the member attribute populated, but if, for example, the manager linked attribute were populated, it would be listed here as well. On 11/5, my user was removed from the group, and shortly before that, Test User 01 was added. On 11/2, John Doe was added. You can see that Test User 01 was added before I was removed, since the originating USN for Test User 01’s link (749320) is a bit lower than the one for mine (749327); originating USNs issued by the same DC only ever increase, so they order changes made seconds apart more reliably than the timestamps do. Note the version number on the ABSENT entry: it is 2 because that link value has been written twice, once when I was added and once when I was removed, but the metadata keeps only the time and USN of the last write. That is why the removal time survives but the original add time does not. Two caveats if you are using this forensically: the Org.Time/Date is the clock of the originating DC at the moment of the write, and an ABSENT link value is kept only until it is garbage-collected at the end of the tombstone lifetime, after which the removal is no longer visible either.
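As an added example (my code, not from the original post), here is the same check done over LDAP from PowerShell instead of by reading repadmin output by eye. It reads the constructed attribute msDS-ReplValueMetaData, which returns the per-link metadata repadmin prints above as one XML fragment per link value, classifies each value as PRESENT or ABSENT from its ftimeDeleted element, orders the events by originating USN, and flags members of the group that have no link-value metadata at all, which is what you get for memberships that predate the move to FFL2. The group DN and DC name are the placeholders from the post; the ActiveDirectory module (RSAT) is assumed to be installed and able to reach the DC.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is present and that $GroupDn / $Server are replaced with your own values.
Import-Module ActiveDirectory

$GroupDn = 'CN=Test Group,OU=Groups,DC=brianlab,DC=local'   # placeholder from the post
$Server  = 'test-dc01'                                      # placeholder from the post

# Timestamps in the metadata XML are UTC strings such as 2010-11-05T16:55:02Z.
# The zero FILETIME (1601-01-01) means "not set".
function ConvertTo-UtcDateTime ([string]$Text) {
    return ([datetime]$Text).ToUniversalTime()
}

function Get-GroupMembershipHistory {
    param([string]$Dn, [string]$Dc)

    # msDS-ReplValueMetaData is built by the DC on request and holds one
    # DS_REPL_VALUE_META_DATA fragment per link value, current or removed.
    $obj = Get-ADObject -Identity $Dn -Server $Dc -Properties member, 'msDS-ReplValueMetaData'

    $links = foreach ($fragment in $obj.'msDS-ReplValueMetaData') {
        $m = ([xml]$fragment).DS_REPL_VALUE_META_DATA
        if ($m.pszAttributeName -ne 'member') { continue }   # skip manager and other links

        $deleted    = ConvertTo-UtcDateTime $m.ftimeDeleted
        $lastChange = ConvertTo-UtcDateTime $m.ftimeLastOriginatingChange

        # ftimeDeleted stays at the zero FILETIME while the member is present.
        # Defensive: a value with no originating change recorded at all is a
        # pre-LVR legacy link, so label it rather than report a 1601 add time.
        $state = if ($deleted.Year -ne 1601) { 'ABSENT' }
                 elseif ($lastChange.Year -eq 1601) { 'LEGACY' }
                 else { 'PRESENT' }

        [pscustomobject]@{
            State      = $state
            Member     = $m.pszObjectDn
            # For PRESENT this is the add time; for ABSENT it is the removal time,
            # because only the last originating write to the link value is kept.
            LastChange = $lastChange
            OrgUsn     = [int64]$m.usnOriginatingChange
            Version    = [int]$m.dwVersion
        }
    }

    # A member that appears in the attribute but has no PRESENT metadata entry was
    # linked before LVR was in effect (pre-FFL2); its add time is not recoverable.
    $present = @($links | Where-Object State -eq 'PRESENT' | ForEach-Object Member)
    $legacy  = @($obj.member | Where-Object { $_ -notin $present })

    return [pscustomobject]@{
        # Originating USNs from one DC increase monotonically, so sorting on them
        # orders changes made seconds apart more reliably than the timestamps do.
        Events        = @($links | Sort-Object OrgUsn)
        LegacyMembers = $legacy
    }
}

$history = Get-GroupMembershipHistory -Dn $GroupDn -Dc $Server
$history.Events | Format-Table State, Version, LastChange, OrgUsn, Member -AutoSize
if ($history.LegacyMembers.Count -gt 0) {
    'Members with no link-value metadata (added before FFL2?):'
    $history.LegacyMembers
}
```

Against the lab group above this prints John Doe (PRESENT, USN 730720), Test User 01 (PRESENT, 749320) and then the ABSENT entry for Brian Desmond (749327, Version 2), the same ordering repadmin gives. Querying a different DC returns the same originating USNs and times, since that metadata replicates with the change, so you can collect this from any reachable DC during an investigation; just do it before the tombstone lifetime expires, or the ABSENT entries will be gone.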