What Server 2012 Event IDs are Associated to Certain PowerShell Attribute Changes? RRS feed

  • Question

  • I am writing a function to find metadata on user accounts in AD using PowerShell and I would like to add a column to my Out-GridView that shows the Event ID that you would see on Server 2012 when a change is made to that account. I'm running into an issue though where I am not sure about which Event IDs correspond to a specific PowerShell attribute.

    Example: Event ID 4720 - A user account was created. Is this similar to the whenCreated attribute in PowerShell?

    Or: Event ID 4781 - The name of an account was changed. Does this relate to when the 'name' or 'DisplayName' attribute is changed?

    I've tried looking in the TechNet Library (e.g.- https://technet.microsoft.com/en-us/library/dn319091(v=ws.11).aspx) but have been unsuccessful so far in finding what I am looking for. Does anyone know of a place where I can find this information or know of a way to find out? My code is below and you can run it on your own system to view the output, but basically what I've come up with is a large If-ElseIf-ElseIf... statement that will be placed/start on line 59 (copy-paste into PS):

    If (AttributeName) {"EventID#"} ElseIf (AttributeName2) ... Else{blank}

    Here is the full advanced function as I have it so far:

       Used to view basic metadata for a specified user.
       Will display an Out-GridView window of metadata for all attributes of a specified user.
       Use a manually entered sAMAccountName value or provide one through the pipeline.
       Get-UserMetadata mjw2
       Use a manually entered DistinguishedName value or provide one through the pipeline.
       Get-UserMetadata CN=Samuels\, Christopher,OU=0260_Computer_Network_Services,OU=030_Energy_Delivery,DC=otpco,DC=com
       This can be input manually or can be passed from the pipeline:
       Required: -Identity (DistinguishedName, objectGUID, objectSID, sAMAccountName)
       This must be input manually:
       Optional: -Server   ('Name of target server')
       An Out-GridView of basic metadata for a specific user.
    Function Get-ADUserMetadata {
        param (
            #Provide valid 'Get-ADUser' -Identity value
            HelpMessage='ADUser objectGUID, objectSID, DistinguishedName, or sAMAccountName')]
            #Target server for query defaults to 'localhost' if not specified 
            #Use if you also want to see the groups user is a member of and when they were added
        Begin {
            [string]$IdentityParse = Get-ADuser $Identity -Properties distinguishedName | Select-Object distinguishedName
            $IdentityParse = $IdentityParse.Replace("@{DistinguishedName=","")
            $IdentityParse = $IdentityParse.Replace("}","")
        Process {
            if ($pscmdlet.ShouldProcess("$server", "Get-ADReplicationAttributeMetadata $Identity")) {
                Get-ADReplicationAttributeMetadata -Object $IdentityParse -Server localhost -ShowAllLinkedValues |
                Select-Object LocalChangeUsn, LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn, LastOriginatingChangeTime, Version, AttributeName, AttributeValue | 
                Sort AttributeName | 
                If ($MemberOf) {
                    Get-ADUser $IdentityParse -Properties memberOf |
                    Select-Object -ExpandProperty memberOf |
                    ForEach-Object {
                        Get-ADReplicationAttributeMetadata $_ -Server localhost -ShowAllLinkedValues | 
                        Where-Object {$_.AttributeName -eq 'member' -and 
                            $_.AttributeValue -eq $IdentityParse
                        } |
                        Select-Object FirstOriginatingCreateTime, Object, AttributeValue
                    } | 
                    Sort-Object FirstOriginatingCreateTime -Descending | Out-GridView
        End {

    Let me know if there is any other information you need. I can also provide the list of specific Event IDs that I will only be looking for (~55). I have them typed in a Word Doc if you would like to look at them.

    Friday, August 12, 2016 6:11 PM


All replies

  • Friday, August 12, 2016 6:58 PM
  • Thanks for the links but that is not exactly what I am looking for. I already posted something similar to your first link in my original post in the fourth paragraph where I talk about the TechNet articles I had been looking at. As for the ADDS, we already have basic auditing enabled on our servers. This script/function is meant to be more of a one stop shop for our domain admins to find out change-log information for any specified account. This will allow them to be able to get this information without even having to have access to or login to the DC. What I'm looking for is to be able to verify which Event ID is tied to a specific attribute change in AD.

    Like Event ID 4738 - A user account was changed. Does that mean any possible attribute on the account was modified or is it only talking about one specific one but it just fails to mention which one it was?

    Or Event ID 4767 - A user account was unlocked. Does this mean that the LockedOut attribute in AD was changed to False or is there something else that triggered the Event?

    This is the kind of documentation that I am looking for. I already have the tables listed from your first link, I'm looking for the connection point between those Events and the AD fields they are triggered by.

    Friday, August 12, 2016 9:04 PM
  • Full auditing is only available with ADDS auditing.

    The default auditing only contains basic information. Look at the XML for the events to see what information is provided and in what data elements contain the information.


    Friday, August 12, 2016 10:21 PM
  • Here is an example of what is available in one of your events:


    As you an see it is only the name of the account and the change and who changed it.  I don't know what else you could be looking for.


    • Proposed as answer by Hello_2018 Monday, August 29, 2016 7:58 AM
    • Marked as answer by Hello_2018 Tuesday, September 6, 2016 3:59 AM
    Friday, August 12, 2016 10:28 PM