AD User Creation/Modifying logging

I just found a user account added to the Domain Admins domain group. Is there a way to find out when or who added this account to the Domain Admins group?

Using Windows Server 2003 AD.

OdyChrisAsked:
Who is Participating?
 
GWNet-workingConnect With a Mentor Commented:
If you have auditing enabled you may be able to find out who added them using the security log.
0
 
losipConnect With a Mentor Commented:
Yes, look for event ID: 632 in the Security log which is for members being added to a global group.  Also look for event ID: 612 which is a change to the vents that are audited, in case the perpetrator stopped auditing, then added the user to the Domain Admins.

Please say you have auditing enabled!
0
 
Mike KlineConnect With a Mentor Commented:
If you do have auditing enabled look for event 632 in the security logs, more information and screenshots in a previous question I helped with

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24687104.html

The one thing you do know is that it has to be someone with elevated rights (another domain admin) or someone that has been delegated the right to add members to the DA group.

Thanks

Mike
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.