Track Add/Remove on Local Administrators Group on Windows Servers


We constantly get complaints from application owners that certain domain account/groups are either added or removed from the Local Administrator groups on their servers.  Is there any way to capture an event like this in the event log?  If not, does anyone know of a tool in the community that can help with this issue?  Thanks.
Techop09 (Author) commented:
Thanks, but I'm not looking to audit AD groups.  I'm looking to audit the Local Administrators group on a particular server, or group of servers.  Any ideas on how to do that?
Not sure if this will help you out, as it is a static tool that just queries the local admins group, but you could write a script to run it once a day or so, and export group membership to a file.

Tested, does what it says.

P.S. If your server installation is in a language other than English, the local admins group may be named in the installation language (e.g. in French it's "Administrateurs"). Make sure to change the default group name in the Options.
vibhuti dhiman commented:
Is there a way to determine who made the change? Like addition/removal to the local admin group of the server? Event IDs 636 and 637 seem to audit Active Directory group changes, not local group changes.
vibhuti dhiman commented:
Never mind, I got it, thanks! Event IDs 4732 and 4733.
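
The two event IDs named in the last comment can be pulled from the Security log and narrowed to the local Administrators group with PowerShell. This is an added example, not part of the original thread; it assumes the "Audit Security Group Management" audit policy is enabled on the servers and that the script runs elevated, and the `ComputerName` and `Days` parameters are hypothetical names.

```powershell
# Added example: report who added or removed members of the local Administrators group.
# Assumes "Audit Security Group Management" auditing is enabled and the session is elevated.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # hypothetical parameter: servers to query
    [int]$Days = 7                                   # hypothetical parameter: look-back window
)

# Well-known SID of BUILTIN\Administrators. Matching on the SID instead of the
# group name avoids the localized-name problem ("Administrateurs" and so on).
$AdminsSid = 'S-1-5-32-544'
$Action    = @{ 4732 = 'Added'; 4733 = 'Removed' }

$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = (Get-Date).AddDays(-$Days)
}

foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no changes"
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }

    foreach ($evt in $events) {
        # Flatten the <EventData> name/value pairs into a hashtable
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # 4732/4733 fire for every local security group; keep only Administrators
        if ($data['TargetSid'] -ne $AdminsSid) { continue }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Server    = $evt.MachineName
            Action    = $Action[$evt.Id]
            Group     = $data['TargetUserName']
            MemberSid = $data['MemberSid']   # MemberName is often "-" for local accounts
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}
```

The `ChangedBy` column is the account that made the change, and the output can be piped to `Export-Csv` for a scheduled daily report.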
Question has a verified solution.
