We have 15 members in the 'Domain Admins' group.
Someone has been 'adding' certain regular network user accounts to the Domain Admin group.
No one will admit to doing it, but it has been going on for about a month (usually the same users getting added - no pattern to when).
We run AD with all Server 2003 and XP Pro workstations.
How do I identify who is making these changes?
I know the account names of the un-authorized users and authorized admins.
I can get access to the DC Event Logs.
All suggestions appreciated.