Ask the Directory Services Team

How to search for deleted memberships of a group in Active Directory

dcascante (Microsoft)
Dec 01, 2025

Hello World! Daniel here from the Directory Services Support Team...

Have you ever seen a user suddenly lose access to a resource, only to discover they were removed from a group—but with no record of when or how it happened? Tracking deleted group memberships in Active Directory (AD) can be challenging, especially when auditing is not enabled or the logs don’t capture which users were removed. If someone deletes multiple memberships from a Security Group, the Active Directory Recycle Bin won’t help, since it only retains deleted objects—not the details of which accounts were stripped from the group.

In order to obtain the list of memberships that were deleted, you need to look at the replication metadata of the group object itself. There are two methods:

With the repadmin object metadata: 

You can run the command repadmin /showobjmeta * <DN OF THE GROUP> (the * queries every DC). For example: repadmin /showobjmeta * "CN=Test Group,OU=Users,OU=Test OU,OU=Contoso,DC=Contoso,DC=com" > TestGroup.txt

This will give you all the object's metadata, and we can look at the "Member" attribute: 

The linked values listed under "Present" are the users that are still part of the group; the ones listed under "Absent" are the users that have been removed.

Using the Get-ADReplicationAttributeMetadata command in PowerShell: 

You can use the Get-ADReplicationAttributeMetadata cmdlet in PowerShell with the following parameters to obtain the LastOriginatingDeleteTime value of every linked value, which shows you all the removed users together with the date and time of each removal.

Get-ADReplicationAttributeMetadata 'DN OF THE GROUP' -Server <SERVER WHERE THE LAST CHANGE WAS DETECTED> -ShowAllLinkedValues | Select-Object LastOriginatingDeleteTime, AttributeValue

When reviewing group membership, the presence of a valid date indicates that the user was deleted from the group. For example, the Test-Deletion account shows an actual deletion date, confirming it was removed. In contrast, if the metadata displays an impossible value such as 12/31/1600, it means no deletion date exists. This is the case for the Test User account, which shows the impossible date, signaling that the user is still part of the group and has not been removed.
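The following function wraps the Get-ADReplicationAttributeMetadata query above and applies the 12/31/1600 rule automatically, so each member of the group is labelled Present or Absent along with its removal time and the DC where the removal originated. It is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, and the group DN and DC name in the usage line are placeholders.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module; the group DN and DC name passed in are placeholders.
Import-Module ActiveDirectory

function Get-RemovedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [string] $Server
    )

    Get-ADReplicationAttributeMetadata -Object $GroupDN -Server $Server -ShowAllLinkedValues |
        # Only the linked values of the "member" attribute are of interest.
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            # A link that was never removed carries FILETIME zero (1601-01-01 UTC),
            # which the console shows as 12/31/1600 in time zones west of UTC.
            # Any later date means the link is "Absent" in repadmin terms.
            $deleteTime = $_.LastOriginatingDeleteTime
            $removed = ($null -ne $deleteTime) -and ($deleteTime.Year -gt 1601)
            [pscustomobject]@{
                Member        = $_.AttributeValue
                State         = if ($removed) { 'Absent' } else { 'Present' }
                RemovedAtUtc  = if ($removed) { $deleteTime.ToUniversalTime() } else { $null }
                OriginatingDC = $_.LastOriginatingChangeDirectoryServerIdentity
                Version       = $_.Version
            }
        }
}

# Usage: report only the removed members, most recent removal first.
Get-RemovedGroupMembers -GroupDN 'CN=Test Group,OU=Users,OU=Test OU,OU=Contoso,DC=Contoso,DC=com' -Server 'DC01.contoso.com' |
    Where-Object State -eq 'Absent' |
    Sort-Object RemovedAtUtc -Descending |
    Format-Table -AutoSize
```

The OriginatingDC column names the DC on which the removal was written, which is the one whose Security log to check (event 4729, 4733 or 4757 for global, local or universal security groups) if auditing was enabled at the time.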

Updated Dec 01, 2025
Version 1.0