I answered a question via Twitter the other day as to whether or not it was possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!” – assuming your forest is running at the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you upgraded your forest to this level. You can also see when a user was removed; however, once they’ve been removed you won’t be able to see when they were added.

Starting with FFL2, linked values, such as group membership, replicate individually via linked value replication (LVR). In Windows 2000, linked attributes replicated as a single block of data, which led to issues with groups that had large memberships. Active Directory also stores some additional data called replication metadata. The metadata records the version of each attribute, when it was last changed, and where the change originated. Since links replicate individually, each link value has its own metadata, which you can use to determine when the user was added to the group. To look at the replication metadata for an object, you’ll need to provide the object’s distinguished name. In this case, I’m going to look at the group “Test Group” in my domain:

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=brianlab,DC=local"

The output of this command will vary, but in my environment it looks like this:

13 entries.
Loc.USN                      Originating DSA       Org.USN   Org.Time/Date         Ver Attribute
=======                      ===============       ========= =============         === =========
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectClass
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  cn
686100                       TestSite\TEST-DC01    686100    2010-10-27 14:06:19    2  description
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  instanceType
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  whenCreated
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  nTSecurityDescriptor
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  name
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectSid
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountName
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountType
685899                       TestSite\TEST-DC01    685899    2010-10-25 12:56:19    1  sIDHistory
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  groupType
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectCategory
3 entries.
Type     Attribute     Last Mod Time       Originating DSA     Loc.USN Org.USN Ver Distinguished Name
=======  ============  =============       =================   ======= ======= === =============================
ABSENT   member        2010-11-05 16:55:28 TestSite\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-05 16:55:02 TestSite\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-02 12:48:34 TestSite\TEST-DC01  730720  730720   1  CN=Doe\, John,OU=Users,DC=brianlab,DC=local

There are a couple of key takeaways here. The first is that you can see the version number of each attribute. In this case, none of the attributes have been modified since the group was created, except for the description attribute, which was updated once a couple of days later. At the bottom of the output is the listing for each linked attribute. In this case only the member attribute is populated, but if, for example, the manager linked attribute were populated, it would be listed here as well. On 11/5, my user was removed from the group, and shortly before that, Test User 01 was added. On 11/2, John Doe was added. You can see that Test User 01 was added before I was removed, since the USN for Test User 01’s link is a bit lower.
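If you need to do this for more than one group, or want to keep a record of membership changes, it helps to turn the linked-value section of the repadmin output into structured data. The following Python script is an added example, not code from the post: it parses the PRESENT/ABSENT rows of the output shown above (embedded here as constructed sample input), keeps the distinguished name intact even when it contains spaces or escaped commas such as "CN=Doe\, John", and turns each link into an "added" or "removed" event. The events are ordered by originating USN, which, as the post notes, is only comparable between values that originated on the same DSA; when more than one originating DSA appears the script falls back to the timestamp. The column names and row layout are assumed to match the repadmin output as printed above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple

# Constructed sample input: the linked-value section of the
# "repadmin /showobjmeta" output shown in the post. Any other lines
# (the non-linked attribute table, headers, separators) are ignored.
SAMPLE_LINK_SECTION = r"""
3 entries.
Type     Attribute     Last Mod Time       Originating DSA     Loc.USN Org.USN Ver Distinguished Name
=======  ============  =============       =================   ======= ======= === =============================
ABSENT   member        2010-11-05 16:55:28 TestSite\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-05 16:55:02 TestSite\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-02 12:48:34 TestSite\TEST-DC01  730720  730720   1  CN=Doe\, John,OU=Users,DC=brianlab,DC=local
"""


@dataclass(frozen=True)
class LinkMetadata:
    state: str            # "PRESENT" (link exists) or "ABSENT" (link was removed)
    attribute: str        # linked attribute name, e.g. "member"
    last_mod: datetime    # time of the last originating change to this link value
    originating_dsa: str  # Site\DC where the change originated
    local_usn: int
    originating_usn: int
    version: int          # incremented on every add/remove of this link value
    dn: str               # target DN; may contain spaces and escaped commas


# One link row: state, attribute, "YYYY-MM-DD HH:MM:SS", DSA, Loc.USN, Org.USN,
# Ver, then the DN as everything that remains on the line.
LINK_ROW = re.compile(
    r"^(PRESENT|ABSENT)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$"
)


def parse_link_metadata(text: str) -> List[LinkMetadata]:
    """Extract the linked-value rows from repadmin /showobjmeta output."""
    rows = []
    for line in text.splitlines():
        m = LINK_ROW.match(line.strip())
        if not m:
            continue  # "N entries.", headers, separators and the non-linked table
        state, attr, ts, dsa, loc, org, ver, dn = m.groups()
        rows.append(LinkMetadata(
            state, attr, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            dsa, int(loc), int(org), int(ver), dn,
        ))
    return rows


def membership_events(rows: List[LinkMetadata],
                      attribute: str = "member") -> List[Tuple[str, str, datetime]]:
    """Return (dn, event, time) tuples for one linked attribute, oldest first.

    PRESENT means the DN is currently a member and Last Mod Time is when it was
    (most recently) added; ABSENT means it was removed and Last Mod Time is the
    removal time. A PRESENT link with version > 1 was removed and re-added, so
    its time is the re-add, not the original add.
    """
    links = [r for r in rows if r.attribute == attribute]
    dsas = {r.originating_dsa for r in links}
    # Org.USN orders changes only within a single originating DSA.
    key: Callable[[LinkMetadata], object]
    key = (lambda r: r.originating_usn) if len(dsas) == 1 else (lambda r: r.last_mod)
    return [
        (r.dn, "added" if r.state == "PRESENT" else "removed", r.last_mod)
        for r in sorted(links, key=key)
    ]


if __name__ == "__main__":
    for dn, event, when in membership_events(parse_link_metadata(SAMPLE_LINK_SECTION)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {event:<7}  {dn}")
```

Run against live output by piping repadmin's stdout into the script in place of the constructed sample; the parser only needs the linked-value rows and tolerates the rest of the output being present.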