Monday, December 18, 2017

Find who reset my password: The PowerShell Script to Audit User Account Changes

Collecting account management activity is an essential part of auditing. It can be read from the Windows event log if auditing for account management is enabled. To automate this tiresome job, I wrote this PowerShell script to make life easier.
This script shows you all the changes an administrator made to user and system accounts, such as when a password was reset and who reset it, who added a user to a given group, and which attributes of a user account were changed. Before running this script, you'll have to set auditing of account management to 'Success' in the local security policy, long enough beforehand that the required events have been collected. Don't worry, I have included an option to enable it from within this script. All you need is to run PowerShell from an elevated prompt.
Each column has a different meaning:
  • DateTime - The date and time when the event was created
  • Account Operation - The change made to an account
  • ID - The ID of the event
  • Target Account - The user/group/system account that has been changed
  • ExistingAcc - 'Yes' if the TargetAccount still exists on the system; 'No' if the account no longer exists
  • InitiatedBy - The user who made the change to the other account (TargetAccount)
  • TargetGroup - The security group involved in the change, such as the group the user was added to or removed from
  • ExistingGrp - 'Yes' if the TargetGroup still exists on the system; 'No' if the group no longer exists
  • ChangedValue - The changed value when the target account's attributes or UAC have been changed, such as when the user's password expiration setting has been changed to 'Never'
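The following is an added example, not the author's Get_Account_Audit_Events.ps1, showing how these columns can be derived from the Security log: it enables the two audit subcategories with auditpol, reads the well-known account and group management event IDs with Get-WinEvent, resolves the target and group SIDs to names (a failed translation is what marks ExistingAcc/ExistingGrp as 'No'), and emits one object per event. It assumes an elevated PowerShell session on the machine being audited.

```powershell
# Added example, not the author's Get_Account_Audit_Events.ps1. Assumes an elevated
# PowerShell session; reads the local Security log and emits the columns described above.
# Subcategories the events come from (auditpol needs elevation to change them).
auditpol /set /subcategory:"User Account Management" /success:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable | Out-Null
# Well-known Security event IDs and the operation each one records.
$Operations = @{
    4720 = 'User account created';   4722 = 'User account enabled'
    4724 = 'Password reset';         4725 = 'User account disabled'
    4726 = 'User account deleted';   4738 = 'User account changed'
    4728 = 'Added to global group';  4729 = 'Removed from global group'
    4732 = 'Added to local group';   4733 = 'Removed from local group'
}
$GroupEvents = 4728, 4729, 4732, 4733
# SID translation fails once the principal is deleted: that is what ExistingAcc/ExistingGrp report.
function Resolve-Sid([string]$Sid) {
    if (-not $Sid -or $Sid -eq '-') { return @{ Name = $null; Exists = 'No' } }
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
        @{ Name = $name; Exists = 'Yes' }
    } catch { @{ Name = $Sid; Exists = 'No' } }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$Operations.Keys } -ErrorAction SilentlyContinue |
ForEach-Object {
    # Pull the EventData fields out of the event XML into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($_.Id -in $GroupEvents) {
        $acct = Resolve-Sid $d['MemberSid']   # the member added to or removed from the group
        $grp  = Resolve-Sid $d['TargetSid']   # the group that was modified
    } else {
        $acct = Resolve-Sid $d['TargetSid']   # the account that was changed
        $grp  = @{ Name = $null; Exists = $null }
    }
    # 4738 lists every attribute and marks unchanged ones '-'; surface a UAC change when present
    # (e.g. %%2089 is the 'Don't Expire Password' flag, i.e. password expiration set to Never).
    $changed = if ($_.Id -eq 4738 -and $d['UserAccountControl'] -ne '-') { "UserAccountControl: $($d['UserAccountControl'])" }
    [pscustomobject]@{
        DateTime         = $_.TimeCreated
        AccountOperation = $Operations[$_.Id]
        ID               = $_.Id
        TargetAccount    = $acct.Name
        ExistingAcc      = $acct.Exists
        InitiatedBy      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        TargetGroup      = $grp.Name
        ExistingGrp      = $grp.Exists
        ChangedValue     = $changed
    }
}
```

Pipe the output into Format-Table -AutoSize or Export-Csv exactly as shown for the original script.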

To work with it, simply run the script without any parameters.
.\Get_Account_Audit_Events.ps1

To display in table format in console, use the following command.
.\Get_Account_Audit_Events.ps1 | Format-Table -auto

To export the result to csv file, use the following command.
.\Get_Account_Audit_Events.ps1 | Export-Csv -NoTypeInformation Users_Account_Audit_Events.csv

Following is the illustration on my testing computer.