![]() ![]() That might be a problem if we need to track down the user who changed the group membership. Note 3: If the change was initiated from a code block with impersonation / elevated permissions, the log entry contains the ID of the impersonated identity, and not the ID of the initiator user. In the first case the userId node contains the user ID, whereas in the second case the same information can be found in the user node. Note 2: the format of EventData is different at events SecGroupMemberAdd / SecGroupMemberDel. The goal of this method is to filter the audit log entries for the user performed the action. Note 1: We cannot use the RestrictToUser method of the SPAuditQuery object to filter the results for the user affected by the change. I try to resolve the user and group based on their ID (using the GetItemById method), however they might have been deleted since the change, so I included try blocks to be prepared for the possible exceptions. ![]() The EventData of the log entries contains the IDs of the affected users and groups. $eventType = ::SecGroupMemberAddÄumpEvents $site $searchPattern $startDate $eventType "Added to" $eventType = ::SecGroupMemberDelÄumpEvents $site $searchPattern $startDate $eventType "Deleted from" Write-Host Changes in group membership of $loginName since $startDate I used the following PowerShell script to find the required information: Recently I had to filter the SharePoint audit log for membership changes of a specific user to answer the question, when the user has been added to / deleted from any groups and who has performed the action.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |