How to get basic audit report about RMAD restores using PowerShell

Recently I have been asked about audit reports in Recovery Manager for Active Directory. How can we get all restores for last 5 days?

Let's check how we can do this.

If you have some specific product for audit like Quest Change Auditor, most probably you wouldn't need any reports in RMAD itself.

As for Recovery Manager for Active Directory, it has some kind of audit report, hidden in Online Restore Wizard, but it is not customizable.

So it looks that PowerShell can be our "swiss army knife" for this case.

RMAD puts all events into Application Log.

These events can be accessed with Get-EventLog cmdlets. Firstly, we can try to get all RMAD events.

Get-EventLog Application –Source "Recovery Manager fo AD"


After that we can try to get only restores for the required time interval. We can find in RMAD help that for each restore operation RMAD produces event 1561 in Windows application event log.

Get-EventLog Application –Source "Recovery Manager fo AD" –after (Get-Date).AddDays(-5)|where {$_.EventID –eq 1561}| fl

We can also export this to file with Out-File cmdlet.