Change History Group Membership List

Is there a way to have only the change to a group tracked in change history?


User was added to group


User was removed from group

as opposed to having the entire members attribute Old Value vs New Value. 

  • Hello, this unfortunately doesn't sound like normal behavior. I suggest contacting Active Roles support and opening a case.

  • Let me attest ... we see this, and I hate this issue with an intense red-hot passion. I only use the web interface to view change history when I have to - for the before and after values of a changed attribute... visiting in the web .... - it's endless scrolling just to find the next operation to get past listings of almost every member of the group after a single member is added or removed. A shortcut to find a specific value on a page is [ctrl]-[f] and type a search term for the operation to search for - and then click next, and next and next - because each measured page of values could be superfluous regurgitations of group members. Make it stop.

    other than that - I really like ARS.

  • Have you tried parsing the replication attributes about the group? It may contain the info you are looking for.

  • Hey Glenn - not looking to hijack mPemba's thread - but - <confession> so very not a SQL guy. That would require querying SQL external to ARS ...
    I did find a Quest tech had posted a promising script 4 years ago - that would pull the info from SQL on GitHub (link below) - but I have not yet checked to see if it works for me.
    He is - or at least was - a Quest/One Identity guru from years past.

    Piggybacking off of mpemba's post - ARS utilities like the web and the command get-qarsoperation - need a refresh to allow things like pulling the old value if we want to see it via the get-qarsoperation commandlet (PERIOD) ... and that web version of change history - needs to truncate memberOf  of changes.

    If it is an anomaly - that isn't what others see, when a member is added or removed from a group - then I'll open an SR after the holiday to pursue.

    I am in the same boat with mpemba

  • For my own view of seeing the data summary (I have not at all attempted to be altering what gets stored in AR change history) I separately do some querying of native AD (although AR could be an option to get similar data if that would work better) using

    I include the version property of each attribute entry to understand how many times this attribute has changed. If you are looking at a group - version 1 means object has been added. If it's even then each time it has been added it has also been removed.

    If I was using AR to investigate attribute changes on objects I'd be using the AR mgmt shell and not any SQL connections. I may have missed the intent of the original post.

    If it's about the storage of this data in MH db, or the views of it - that is also a part of AR I struggle with if what I want is not close to the first entries on an object. Where there's a bit of paging / searching to find something it is painful.
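
The version-parity reading described in the post above, as an added example that is not part of the original thread or any poster's script. It assumes the native AD query is the ActiveDirectory module's `Get-ADReplicationAttributeMetadata` with `-ShowAllLinkedValues` (the post does not name the command); the function name `Get-GroupMemberChangeSummary` and the sample DNs are hypothetical.

```powershell
# Added example: summarise per-member link-value metadata of a group's "member"
# attribute as one "added"/"removed" row per member instead of full old/new lists.
function Get-GroupMemberChangeSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Metadata)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # Only link values of the group's member attribute are of interest.
        if ($Metadata.AttributeName -ne 'member') { return }
        $v = [int]$Metadata.Version
        # Rule from the thread: version 1 = added once; even = every add was
        # followed by a remove. Versions below 1 are left unclassified.
        if     ($v -lt 1)        { $state = 'unknown' }
        elseif (($v % 2) -eq 1)  { $state = 'added' }
        else                     { $state = 'removed' }
        $rows.Add([pscustomobject]@{
            Member  = $Metadata.AttributeValue
            State   = $state
            When    = $Metadata.LastOriginatingChangeTime
            Version = $v
        })
    }
    end { $rows | Sort-Object When }   # oldest change first
}

# Constructed sample input (not real directory data), shaped like the cmdlet's output.
$sample = @(
    [pscustomobject]@{ AttributeName = 'member'; Version = 2
        AttributeValue = 'CN=SPatel,OU=Staff,DC=mydom,DC=example'
        LastOriginatingChangeTime = [datetime]'2022-11-10T16:04:00' }
    [pscustomobject]@{ AttributeName = 'member'; Version = 1
        AttributeValue = 'CN=JSmith,OU=Staff,DC=mydom,DC=example'
        LastOriginatingChangeTime = [datetime]'2022-11-10T09:30:00' }
    [pscustomobject]@{ AttributeName = 'member'; Version = 3
        AttributeValue = 'CN=BJones,OU=Staff,DC=mydom,DC=example'
        LastOriginatingChangeTime = [datetime]'2022-11-10T14:10:00' }
    [pscustomobject]@{ AttributeName = 'description'; Version = 4
        AttributeValue = 'Finance team'
        LastOriginatingChangeTime = [datetime]'2022-11-09T08:00:00' }
)

# Print in the <member><action><timestamp> layout suggested later in the thread.
$sample | Get-GroupMemberChangeSummary | ForEach-Object {
    '<{0}><{1}><{2:MM/dd/yyyy HH:mm}>' -f $_.Member, $_.State, $_.When
}

# Live use (placeholders for the group DN and domain controller):
# Get-ADReplicationAttributeMetadata -Object '<group DN>' -Server '<DC>' `
#     -ShowAllLinkedValues | Get-GroupMemberChangeSummary
```

Replication metadata records when a link value last changed, not which account changed it, so this complements the Active Roles change history rather than replacing it.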

  • I wonder, would folks be willing to allow for growth of the configuration database if one could store group membership changes in a multi-value virtual property on the group?  I'm thinking something like this:

    <MYDOM\JSmith><added><11/10/2022 09:30>
    <MYDOM\BJones><added><11/10/2022 14:10>
    <MYDOM\SPatel><removed><11/10/2022 16:04>

    ....or (better?)

    A change workflow and/or policy script could be used to trap these and write additional information resembling the above into the change history.  This specific member add / remove information would be stored in the "Operation reason"  field of the change history item.  So, you would still get that unwanted information we have now but you could look at the Operation Reason field to find the detail you really want.

  • Oh, OK. That is good news. I probably did something dumb to make this happen. I will open a ticket. Thank you.