Second Life of a Hungarian SharePoint Geek

July 15, 2013

Querying the SharePoint audit log for membership changes of a specific Group

Filed under: Audit log, PowerShell, SP 2010 — Tags: , , — Peter Holpar @ 21:33

Recently I posted a sample PowerShell script that illustrates how to query the SharePoint audit log for membership changes of a specific user. This time I show the same thing from another perspective. Using the script below you can follow the membership changes of a specific group: track users added to / removed from the group.

$site = Get-SPSite("http://yourserver.com")

$startDate = Get-Date "1/1/2013 7:00 AM"
$groupName = "YourGroupName"
$groupId = $site.RootWeb.SiteGroups[$groupName].ID
$searchPattern = "*<groupid>$groupId</groupid>*"

function DumpEvents($site, $searchPattern, $startDate, $eventType, $eventName) { 
  $usersList = $site.RootWeb.SiteUserInfoList 

  $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
  $query.AddEventRestriction($eventType)
  $query.SetRangeStart($startDate)
  $site.Audit.GetEntries($query) | ? { $_.EventData -like $searchPattern }| % {
   [xml]$eventData = "<eventData>" + $_.EventData + "</eventData>"
   $filter = if ($_.EventType -eq [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberAdd) { "//userid" } else { "//user" }
   $targetUserId = $eventData.SelectSingleNode($filter).InnerText 
   $targetUserName = $targetUserId 
   try { $targetUserName = $usersList.GetItemById($targetUserId).Name } catch { }
   $userName = $_.UserId
   try { $userName  = $usersList.GetItemById($_.UserId)["Name"] } catch { }
   Write-Host "User"  $targetUserName $eventName "on" $_.Occurred "by" $userName
  }
}

Write-Host Changes in group membership of $groupName since $startDate
Write-Host ————————————————–

$eventType = [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberDel
DumpEvents $site $searchPattern $startDate $eventType "deleted"

Write-Host ————————————————–

$eventType = [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberAdd
DumpEvents $site $searchPattern $startDate $eventType "added"

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: