
Get AD Group membership changes from AD metadata

  • Feb 11
Active Directory Group

Ever needed to generate a report of historical Active Directory group membership changes, but your SIEM log retention is too short? There is a not-so-well-known but very handy way to do it using AD replication metadata. It will not include 'actor' information (who made the change), but it will include the exact dates, going back as far as when the group was created (even if that was 10 years ago). It will also include events for user accounts that have since been deleted from AD.

Below is the function; hope you find it useful. Note: replace the domain names under ValidateSet with your domain(s). Cheers.



function Get-GroupMembershipChanges
{
    # Needs the ActiveDirectory module (RSAT) for Get-ADGroup and repadmin.exe on the path.
    Param
    (
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
        [string]$GroupName,

        # Replace these with your own domain names.
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=1)]
        [ValidateSet("domain1", "domain2", "domain3")]
        [string]$Domain
    )

    $group = Get-ADGroup $GroupName -Server $Domain -ErrorAction SilentlyContinue

    if ($group)
    {
        # Linked-value metadata rows for 'member' (PRESENT = added, ABSENT = removed).
        # The member's DN sits on the line after each row, hence one line of post-context.
        $changes = repadmin /showobjmeta $Domain $group.DistinguishedName |
            Select-String -Pattern '^\s*(PRESENT|ABSENT)\s+member\s' -Context 0,1

        $changeReport = @()
        foreach ($change in $changes)
        {
            # Columns: Type, Attribute, Date, Time, Originating DSA (site\DC), Loc.USN, Org.USN, Ver
            $changeinfo = $change.Line -split '\s+' | Where-Object { $_ }
            $changeReport += [PSCustomObject]@{
                Time   = $changeinfo[2] + " " + $changeinfo[3]
                Action = if ($changeinfo[0] -eq "PRESENT") { "Added" } elseif ($changeinfo[0] -eq "ABSENT") { "Removed" }
                Member = $change.Context.PostContext[0].Trim()
                DC     = $changeinfo[4]
            }
        }
        $changeReport
    } # end if group
    else
    {
        Write-Host "Group $GroupName was not found in domain $Domain" -ForegroundColor Red
    }
} # end function Get-GroupMembershipChanges
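As an added example (not code from the original post), the parser below turns saved or piped repadmin /showobjmeta output into objects without needing a live domain, and goes beyond the function above by also recognising LEGACY (pre-LVR) link rows and splitting the originating DSA into site and DC. The sample output, the ConvertFrom-ShowObjMeta name and the account DNs are constructed.

```powershell
# Constructed sample of the linked-value section of 'repadmin /showobjmeta' output,
# with the columns the post's function splits on; swap in real output to use it.
$sample = @'
Type    Attribute     Last Mod Time                            Originating DSA  Loc.USN Org.USN Ver
======= ============  =============                           ================= ======= ======= ===
        Distinguished Name
        =============================
PRESENT member        2015-02-03 09:14:22  Default-First-Site-Name\DC01       8200    8200    1
        CN=Alice Example,OU=Staff,DC=example,DC=com
ABSENT  member        2016-07-19 17:05:41  Branch-Site\DC02                  45011   30122    2
        CN=Bob Example,OU=Staff,DC=example,DC=com
LEGACY  member        2009-11-30 08:00:00  Default-First-Site-Name\DC01       1203    1203    1
        CN=Svc Legacy,OU=Service Accounts,DC=example,DC=com
'@ -split "`r?`n"

function ConvertFrom-ShowObjMeta {
    # Emits one object per linked-value row; the target DN is read from the line
    # that follows the row, so no Select-String context juggling is needed.
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    begin {
        $row = '^(?<Type>PRESENT|ABSENT|LEGACY)\s+(?<Attr>\S+)\s+' +
               '(?<Stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<Dsa>\S+)\s+' +
               '(?<LocUsn>\d+)\s+(?<OrgUsn>\d+)\s+(?<Ver>\d+)\s*$'
        $pending = $null
    }
    process {
        foreach ($line in $Lines) {
            if ($pending -and $line.Trim()) {      # DN line completes the pending row
                $pending.Member = $line.Trim()
                $pending; $pending = $null
                continue
            }
            if ($line -match $row) {
                $site, $dc = $Matches.Dsa -split '\\', 2
                $pending = [PSCustomObject]@{
                    Action    = @{PRESENT='Added'; ABSENT='Removed'; LEGACY='Added (pre-LVR)'}[$Matches.Type]
                    Attribute = $Matches.Attr
                    Time      = [datetime]::ParseExact($Matches.Stamp, 'yyyy-MM-dd HH:mm:ss',
                                    [Globalization.CultureInfo]::InvariantCulture)
                    Site      = $site
                    DC        = $dc
                    Version   = [int]$Matches.Ver
                    Member    = $null
                }
            }
        }
    }
}

# Example query: who was removed from the group, oldest change first.
$sample | ConvertFrom-ShowObjMeta | Where-Object Action -eq 'Removed' | Sort-Object Time
```

Because Time is a real [datetime], the same pipeline can be filtered with -gt/-lt to scope an investigation to a specific window.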
