Someone removed a user from a group, and we're trying to track down who did it.
I'm using:
# Export every 4729 event on the DC to CSV
Get-EventLog -LogName Security -ComputerName SERVERNAME | Where-Object { $_.EventID -eq 4729 } | Export-Csv -Path C:\temp\SERVERNAME_4729.log -NoTypeInformation
or
# Same query, just displayed on the console
Get-EventLog -LogName Security -ComputerName SERVERNAME | Where-Object { $_.EventID -eq 4729 }
The DC has 4 GB of RAM and 4 vCPUs, in a Dell PE R420 with 15K SAS disks; it's very fast hardware/response time.
The DC has more than 955,000 events in the last 15 days, and the .EVTX file is 512 MB.
The search takes more than 45 minutes to finish
Is that acceptable? I have the feeling that this procedure should take no more than 5 minutes to do the search and grab the results.
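An added example of the same search, written by the editor and not part of the original post. It uses Get-WinEvent with -FilterHashtable, so the event ID and time window are applied by the event log service on the DC instead of every record being pulled over the wire and filtered with Where-Object, and it pulls the actor, the group and the removed member out of the event's XML. It goes slightly beyond the question by also matching 4733 (local group) and 4757 (universal group), since a "removed from a group" search usually wants all three. SERVERNAME, the 15-day window and the output path are placeholders to adjust.

```powershell
# Added example: find who removed a member from a group, using server-side filtering.
# SERVERNAME, $Days and $OutFile are assumed placeholders; replace them for your environment.
$ComputerName = 'SERVERNAME'
$Days         = 15
$OutFile      = "C:\temp\${ComputerName}_group_removals.csv"

# Filter keys are evaluated by the Windows Event Log service on the DC, not by this script.
# 4729 = member removed from a security-enabled global group
# 4733 = member removed from a security-enabled local group
# 4757 = member removed from a security-enabled universal group
$filter = @{
    LogName   = 'Security'
    Id        = 4729, 4733, 4757
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error (not an empty result) when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$results = foreach ($event in $events) {
    # Parse the EventData section of the event XML into a name -> value table
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $event.TimeCreated
        EventId     = $event.Id
        Computer    = $event.MachineName
        # Subject* = the account that performed the removal
        Actor       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ActorLogon  = $data['SubjectLogonId']
        # Target* = the group that was modified
        Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        # Member* = the account that was removed (MemberName is a distinguished name)
        MemberName  = $data['MemberName']
        MemberSid   = $data['MemberSid']
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation
```

To narrow it further once you know the group, add a Where-Object on the Group column after the export; keep the ID and time filters in the hashtable, because those are the ones that avoid reading the whole 512 MB log. If you are querying several DCs, run the same filter against each one, since the removal is only logged on the DC that processed the change.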