Recently I posted a sample PowerShell script that illustrates how to query the SharePoint audit log for membership changes of a specific user. This time I show the same thing from another perspective. Using the script below you can follow the membership changes of a specific group: track users added to / removed from the group.
$site = Get-SPSite("http://yourserver.com")
$startDate = Get-Date "1/1/2013 7:00 AM"
$groupName = "YourGroupName"
$groupId = $site.RootWeb.SiteGroups[$groupName].ID
$searchPattern = "*<groupid>$groupId</groupid>*"
function DumpEvents($site, $searchPattern, $startDate, $eventType, $eventName) {
$usersList = $site.RootWeb.SiteUserInfoList
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.AddEventRestriction($eventType)
$query.SetRangeStart($startDate)
$site.Audit.GetEntries($query) | ? { $_.EventData -like $searchPattern }| % {
[xml]$eventData = "<eventData>" + $_.EventData + "</eventData>"
$filter = if ($_.EventType -eq [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberAdd) { "//userid" } else { "//user" }
$targetUserId = $eventData.SelectSingleNode($filter).InnerText
$targetUserName = $targetUserId
try { $targetUserName = $usersList.GetItemById($targetUserId).Name } catch { }
$userName = $_.UserId
try { $userName = $usersList.GetItemById($_.UserId)["Name"] } catch { }
Write-Host "User" $targetUserName $eventName "on" $_.Occurred "by" $userName
}
}
Write-Host Changes in group membership of $groupName since $startDate
Write-Host ————————————————–
$eventType = [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberDel
DumpEvents $site $searchPattern $startDate $eventType "deleted"
Write-Host ————————————————–
$eventType = [Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberAdd
DumpEvents $site $searchPattern $startDate $eventType "added"
