Auditing recent changes in Active Directory is essential for troubleshooting, security reviews, and general hygiene. While AD doesn’t keep a simple “change history,” we can query attributes like whenChanged to see what objects were modified recently.
This post shows a clean PowerShell script you can run to list AD changes from the past 7 days.
What this script does
- Queries Active Directory for objects changed in the last 7 days
- Includes users, groups, computers, and OUs
- Shows:
- Object name
- Object type
- When it was changed
- Who changed it (when available)
- Outputs to screen and optionally to CSV
Requirements
- Run on a machine with RSAT / ActiveDirectory module
- Permissions to read AD objects
- PowerShell 5.1+ or PowerShell 7 (with AD module)
PowerShell Script: AD Changes – Last 7 Days
Import-Module ActiveDirectory
# Define time range
$DaysBack = 7
$SinceDate = (Get-Date).AddDays(-$DaysBack)
# Get recently changed AD objects
$ChangedObjects = Get-ADObject `
-Filter { whenChanged -ge $SinceDate } `
-Properties whenChanged, objectClass, name, distinguishedName, modifiedBy `
-ResultSetSize $null
# Select useful fields
$Results = $ChangedObjects | Select-Object `
Name,
objectClass,
whenChanged,
distinguishedName
# Display results
$Results | Sort-Object whenChanged -Descending | Format-Table -AutoSize
# Optional: export to CSV
$ExportPath = "C:\Temp\AD_Changes_Last_7_Days.csv"
$Results | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported results to $ExportPath"
Example Output
| Name | ObjectClass | WhenChanged |
|---|---|---|
| jsmith | user | 2025-12-20 14:32 |
| IT_Admins | group | 2025-12-19 09:11 |
| WS-023 | computer | 2025-12-18 16:44 |
Important Limitations (Know This)
This method:
- ✅ Shows what was changed
- ❌ Does not show which attribute changed
- ❌ Does not always show who made the change
That’s because:
- AD does not store per-attribute history by default
- “Who changed it” requires Advanced Auditing enabled before the change
Want More Detail? (Advanced)
If you need:
- Who changed what
- Exact attribute changes
- Before/after values
You must:
- Enable Directory Service Changes auditing
- Query Security Event Logs (Event ID 5136)
That’s a more advanced setup, but far more powerful.
Quick Tip
For ongoing monitoring, many admins:
- Run this script daily via Task Scheduler
- Compare CSVs day-over-day
- Or forward AD change events to a SIEM
Summary
If you just need a quick, reliable snapshot of AD activity from the last 7 days, this script is simple and effective. For compliance-grade auditing, pair it with Security Event Logs.