I want to keep an audit when I remove or add users from local groups. Is it possible to filter out which groups? If not, all local groups are fine.
You're basically looking for two events in the Security event log:
4732: A member was added to a security-enabled local group.
4733: A member was removed from a security-enabled local group.
When using the following command line you get a new instance of the Event Viewer filtered on those two events:
eventvwr /f:"<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID=4732 or EventID=4733)]]</Select></Query></QueryList>"
Another option is to use the WMIC tool from the command line (make sure you are using an elevated command prompt):
wmic ntevent where "LogFile='security' and (EventIdentifier=4732 or EventIdentifier=4733)"
Do notice that this uses Win32_NTLogEvent internally and I had to use the /trace:on switch to figure out the correct syntax for the where clause. Use the optional /record:filename.xml switch to store the results in an XML file, or simply redirect the output to a CSV file.
One other option you have is to use PowerShell:
get-eventlog -logname security | where {$_.InstanceId -eq 4732 -or $_.InstanceId -eq 4733}
The last one I provide is by writing a small C# program that uses the EventLog class:
using System;
using System.Diagnostics;
using System.Linq;

// Read the Security log (needs an elevated process) and keep only the
// local group membership change events: 4732 (added) and 4733 (removed).
var list = new EventLog { Log = "Security" }
    .Entries
    .Cast<EventLogEntry>()
    .Where(evl => evl.InstanceId == 4732 || evl.InstanceId == 4733)
    .Select(cv => cv.Message);

foreach (var msg in list)
{
    Console.WriteLine(msg);
}
Take your pick.
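The answer above lists the events and several ways to pull them out of the log; what it does not show is how to get at the group name, the member and the account that made the change, which is what answers the "which groups" part of the question. The following is an added example, not code from the original answer: it parses 4732/4733 events into objects and pushes an optional per-group filter into the XPath that Get-WinEvent hands to the event log service. The function names, the parameter names and the sample event are my own; the sample is constructed, not captured from a real host, but uses the Data field names the Security log emits for these two events. Run it in an elevated PowerShell session.

```powershell
# Added example (not code from the original answer). Parses 4732/4733 events
# and lets you restrict the query to named local groups. Requires elevation
# for the live Get-WinEvent call; the offline sample at the bottom does not.

function ConvertFrom-LocalGroupChangeEvent {
    # Turn the XML of one 4732/4733 event (as returned by $event.ToXml()) into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $sys = $EventXml.SelectSingleNode('/e:Event/e:System', $ns)
        $id  = [int]($sys.SelectSingleNode('e:EventID', $ns).InnerText)

        # EventData is a list of <Data Name="..."> elements; index them by name.
        $data = @{}
        foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $action = switch ($id) { 4732 { 'Added' } 4733 { 'Removed' } default { 'Other' } }

        [pscustomobject]@{
            Time      = [datetime]($sys.SelectSingleNode('e:TimeCreated', $ns).GetAttribute('SystemTime'))
            Computer  = $sys.SelectSingleNode('e:Computer', $ns).InnerText
            EventId   = $id
            Action    = $action
            Group     = $data['TargetUserName']   # the local group that changed
            GroupSid  = $data['TargetSid']
            Member    = $data['MemberName']       # often '-' for local accounts; MemberSid is always set
            MemberSid = $data['MemberSid']
            Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

function Get-LocalGroupChange {
    # Live query. -Group limits the result to the named groups; omit it for all local groups.
    param([string[]]$Group, [int]$MaxEvents = 500)
    $xpath = "*[System[(EventID=4732 or EventID=4733)]]"
    if ($Group) {
        # Put the group filter in the XPath so the event log service does the filtering,
        # not PowerShell. (Group names containing an apostrophe are not escaped here.)
        $conds = ($Group | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
        $xpath = "*[System[(EventID=4732 or EventID=4733)] and EventData[$conds]]"
    }
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LocalGroupChangeEvent ([xml]($_.ToXml())) }
}

# Constructed sample 4732 event (not captured from a real host) so the parser can be
# exercised offline. Field names match what the Security log emits for 4732/4733.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000000000Z" />
    <Channel>Security</Channel>
    <Computer>WS01</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">helpdesk</Data>
    <Data Name="SubjectDomainName">WS01</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-LocalGroupChangeEvent ([xml]$sample) | Format-List

# Live use, e.g. only two groups of interest (needs an elevated session):
# Get-LocalGroupChange -Group 'Administrators', 'Remote Desktop Users' |
#     Format-Table Time, Action, Group, MemberSid, Actor
```

Two caveats worth keeping in mind. These events are only written when the "Audit Security Group Management" subcategory (under Account Management) is enabled in the audit policy; if the query comes back empty on a machine where you know a group changed, check the policy before suspecting the query. And 4732/4733 cover security-enabled local groups only; on a domain controller, changes to global and universal groups are logged as 4728/4729 and 4756/4757 respectively, with the same Data field names, so the same parser applies if you add those IDs to the XPath.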