Tracking deleted group memberships in Active Directory (AD) is difficult without proper auditing. When users lose resource access, it is often because they were removed from a group without a clear record. The Active Directory Recycle Bin only restores deleted objects, not deleted memberships.

To find deleted group memberships, you need to examine the group's replication metadata. Because `member` is a linked attribute, every value (each member DN) carries its own metadata entry, and a removed value is kept as an "absent" link rather than being dropped immediately. One method is the `repadmin /showobjmeta` command, which dumps all metadata for a specific group and distinguishes link values that are still present from those marked absent. Alternatively, PowerShell's `Get-ADReplicationAttributeMetadata` cmdlet can retrieve the same information. Look at the `LastOriginatingDeleteTime` attribute of each `member` value: a valid deletion date means the user was removed from the group, while an impossible date such as 12/31/1600 (the zero timestamp, which is 1/1/1601 UTC displayed in a US time zone) means the user is still a member.
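The following script is an added example, not code from the original Tech Community article. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read replication metadata from a domain controller; the group name and domain controller name are placeholders. It applies the `LastOriginatingDeleteTime` test described above to every `member` value of a group and reports the removed members with the timestamp and originating DC.

```powershell
# Added example: list removed members of an AD group from its linked-value
# replication metadata. Not the article's own code; the group and DC names are
# placeholders, and the ActiveDirectory (RSAT) module is assumed to be present.
Import-Module ActiveDirectory

function Get-RemovedGroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server       # any DC holding a writable replica
    )

    $group = Get-ADGroup -Identity $GroupName -Server $Server

    # -ShowAllLinkedValues is required: 'member' is a linked attribute, so each
    # member DN (present or absent) has its own metadata row instead of one row
    # for the whole attribute.
    $meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
                -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' }

    foreach ($row in $meta) {
        # A never-deleted link carries the zero FILETIME, which renders as
        # 1/1/1601 UTC (12/31/1600 in US time zones). Any year after that is a
        # real removal, so the check is "year greater than 1900" rather than an
        # exact string match on the impossible date.
        $removed = $row.LastOriginatingDeleteTime.Year -gt 1900

        [pscustomobject]@{
            Group       = $group.Name
            Member      = $row.AttributeValue            # member DN; deleted users show the
                                                         # "\0ADEL:" Deleted Objects form
            Status      = if ($removed) { 'Removed' } else { 'Present' }
            FirstAdded  = $row.FirstOriginatingCreateTime
            RemovedAt   = if ($removed) { $row.LastOriginatingDeleteTime } else { $null }
            OriginDC    = $row.LastOriginatingChangeDirectoryServerIdentity
            Version     = $row.Version                   # bumps on every add/remove of this link
        }
    }
}

# Usage with placeholder names: show only the removals, newest first.
Get-RemovedGroupMember -GroupName 'Finance-Share-RW' -Server 'dc01.corp.example' |
    Where-Object Status -eq 'Removed' |
    Sort-Object RemovedAt -Descending |
    Format-Table Member, RemovedAt, OriginDC, Version -AutoSize
```

Two caveats when reading the output. The metadata only tells you which DC the change originated on and when; it does not record which account performed the removal, so pair it with Security event 4729 (member removed from a global group) or the equivalent local/universal group events if that DC audits group management. And absent link values are garbage-collected once they are older than the forest's tombstone lifetime (180 days by default), after which the removal is no longer recoverable from metadata at all.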
techcommunity.microsoft.com
