• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 600

Active Directory Security Group Audit

Greetings!

I do not currently have any A.D. auditing tools in place. A security group was added to the Domain Admins security group and I am needing to find out how it was added. Is there an event in the event log I can check or an A.D. log to check this?
0
Asked:
Schuyler Dorsey
2 Solutions
 
Netman66 Commented:
Check the Security log on a DC.  There should be an event shown there that is related.
0
 
Schuyler Dorsey (Author) Commented:
Thanks. Do you happen to know event codes or anything?
0
 
Schuyler Dorsey (Author) Commented:
I found 4728: A member was added to a security-enabled global group.

But this seems to list individual accounts added, not security groups added to security groups.
0
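As an added example (not code from the thread), the PowerShell below pulls the membership-add events from every domain controller's Security log and keeps only those whose target group is Domain Admins. It uses the event IDs 4728 (security-enabled global group, which is what Domain Admins is), 4732 (domain local, e.g. the built-in Administrators group) and 4756 (universal, e.g. Enterprise Admins); the DC list comes from `Get-ADDomainController`, and the 90-day look-back window is an assumption. When the added member is a group rather than a user account, the `MemberName` field of the event carries that group's distinguished name, which is why nested groups appear in 4728 just as users do.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT) and rights to read the Security log on each DC.
Import-Module ActiveDirectory

function Get-GroupMemberAddEvent {
    param(
        [string]  $GroupName = 'Domain Admins',
        [datetime]$Since     = (Get-Date).AddDays(-90),   # assumption: look-back window
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        # Each DC logs only the changes it processed itself, so query all of them.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Read the fields by name from the event XML; the positional
            # .Properties order differs between the three event IDs.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $GroupName) { continue }

            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Group     = $d['TargetUserName']
                Member    = $d['MemberName']      # DN of the user OR nested group added
                MemberSid = $d['MemberSid']
                AddedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                DC        = $dc
            }
        }
    }
}

# Usage: newest change last; the AddedBy column answers "how was it added" when
# the event is still in the log.
Get-GroupMemberAddEvent | Sort-Object Time | Format-Table -AutoSize
```

The `AddedBy` column is the account that performed the change, taken from the event's Subject fields, and `Member` tells you whether the thing added was a user or a nested group.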
 
Schuyler Dorsey (Author) Commented:
Never mind. 4728 shows the sec groups being added but I don't see an entry for the one needed. I am guessing it was done long enough ago that the events were overwritten.
0
 
Netman66 Commented:
Sorry, using my phone to answer. It may have been overwritten as the default log size is 4Mb.
0
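When the Security log has already rolled over, there is one more place to look that the thread does not mention, added here as an example rather than the thread's own advice: Active Directory replication metadata. Every value of the `member` attribute on a group carries the time it was last added and the DC that originated the change, so the metadata tells you when and where the nesting happened (it does not tell you who; that only ever lives in the Security log of the originating DC, which is the one whose archived logs are worth searching). This requires the ActiveDirectory module and a Windows Server 2012 or later DC to query; the DC is discovered automatically.

```powershell
# Added example, not from the original thread. Replication metadata for the
# linked 'member' attribute of Domain Admins: one row per current member value,
# with the originating change time and originating DC.
Import-Module ActiveDirectory

function Get-GroupMemberChangeMetadata {
    param(
        [string]$GroupName = 'Domain Admins',
        # Metadata replicates, so any DC will do; -Discover picks a reachable one.
        [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1)
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
                                       -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $_.IsLinkValue } |
        Select-Object @{n='Member';   e={$_.AttributeValue}},   # DN of user or nested group
                      @{n='AddedAt';  e={$_.LastOriginatingChangeTime}},
                      @{n='Originating DC'; e={$_.LastOriginatingChangeDirectoryServerIdentity}},
                      @{n='DeletedAt'; e={$_.LastOriginatingDeleteTime}},  # set for removed values
                      Version |
        Sort-Object AddedAt -Descending
}

Get-GroupMemberChangeMetadata | Format-Table -AutoSize
```

With `AddedAt` and the originating DC in hand, you know exactly which DC's Security log (live or archived) to search for the 4728 event around that timestamp, instead of guessing across all of them.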
 
MaheshArchitect Commented:
You need to set up audit account management, audit directory service and audit privilege use for success and failure in the default domain controller policy under audit policy if you want to track these kinds of events.
Also you need to increase the security event log size on domain controllers and save them on a regular basis, otherwise those logs will be wiped out as required.

Also one more thing towards your issue:

Please check how many accounts are members of the Domain Admins and built-in Administrators groups in Active Directory.
Only someone who has membership of these groups can add/remove new accounts/groups in Domain Admins / Enterprise Admins and built-in Administrators.

You need to remove unwanted accounts from these well-known high-privileged groups, otherwise one can modify AD and also clean up security events as well.

Please check how to set up auditing on domain controllers:
http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Mahesh.
0
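The three things Mahesh recommends (audit policy, log size and retention, privileged group hygiene) can each be checked from a DC in a few lines; the script below is an added example, not the answer's own code. It reads the effective audit policy with `auditpol` (the subcategories shown are the ones behind the categories named above), raises the Security log size and exports a copy with `wevtutil`, and then lists direct and effective membership of the three groups. Run it as an administrator on a domain controller; the archive path is an assumption. The `auditpol /get` calls only report; the settings themselves belong in the Default Domain Controllers Policy as the answer says, because a local `auditpol /set` is overwritten at the next Group Policy refresh.

```powershell
# Added example, not from the original thread.

# --- 1. Effective audit policy on this DC (whichever GPO supplied it) ---
# Expected for each: "Success and Failure".
auditpol /get /subcategory:"Security Group Management"    # under Account Management: 4728/4732/4756
auditpol /get /subcategory:"Directory Service Changes"    # under DS Access: 5136 attribute changes
auditpol /get /subcategory:"Sensitive Privilege Use"      # under Privilege Use

# --- 2. Security log size and archiving (default is small enough to roll over fast) ---
wevtutil sl Security /ms:1073741824                        # 1 GB maximum size
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = "\\fileserver\adlogs\$env:COMPUTERNAME-Security-$stamp.evtx"   # assumption: archive share
wevtutil epl Security $dest                                # export; schedule this as a task

# --- 3. Who can change membership of the highly privileged groups? ---
Import-Module ActiveDirectory
function Get-PrivilegedGroupSummary {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    foreach ($g in $Groups) {
        $direct = @(Get-ADGroupMember -Identity $g)             # includes nested groups
        $all    = @(Get-ADGroupMember -Identity $g -Recursive)  # expands nesting to accounts
        [pscustomobject]@{
            Group          = $g
            DirectMembers  = $direct.Count
            NestedGroups   = (($direct | Where-Object objectClass -eq 'group').Name) -join ', '
            EffectiveUsers = $all.Count
        }
    }
}
Get-PrivilegedGroupSummary | Format-Table -AutoSize
```

The `NestedGroups` column is the one relevant to this thread: any group listed there extends Domain Admins rights to all of its members, so each one should be either expected or removed.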
 
McKnife Commented:
And to find out the event ID: simply add a test account/group and see what gets logged.
0
