Solved

Active Directory Security Group Audit

Posted on 2014-04-04
7
549 Views
Last Modified: 2014-04-11
Greetings!

I do not currently have any A.D. auditing tools in place. A security group was added to the Domain Admins security group and I am needing to find out how it was added. Is there an event in the event log I can check or an A.D. log to check this?
0
Comment
Question by:Schuyler Dorsey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 39979466
Check the Security log on a DC.  There should be an event shown there that is related.
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39979468
Thanks. Do you happen to know event codes or anything?
0
 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39979471
I found 4728: A member was added to a security-enabled global group.

But this seems to list individual accounts added, not security groups added to security groups.
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 
LVL 10

Author Comment

by:Schuyler Dorsey
ID: 39979474
Nevermind. 4728 shows the sec groups being added but I don't see an entry for the one needed. I am guessing it was done long enough ago the events were overwritten.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39979504
Sorry, using my phone to answer.  It may have been overwritten as default log size is 4Mb.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39979737
You need to setup audit account management, audit directory service and audit privilege use for success and failure in default domain controller policy under audit policy if you wanted to track these kind of events
Also you need to increase security events log size on domain controllers and save them on regular basis , other wise those logs will wipe out as required

Also one more thing towards your issue

Please how many accounts are member of domain admins and built-in administrators group in active directory
Some one who has membership of these groups only can add \ remove new accounts \ groups in domain admins \ enterprise admins and built-in administrators

You need to remove unwanted accounts from these well known high privileged groups other wise one can modify AD and also can cleanup security events as well

Please check how to setup auditing on Domain controllers
http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Mahesh.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39980055
And to find out the event ID: simply add a test account/group and see what gets logged.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question