?
Solved

Security settings for groups

Posted on 2014-07-31
5
Medium Priority
?
97 Views
Last Modified: 2014-08-01
Hello,

I am having some issues with security settings for groups in Active Directory. When I remove users from the security of a group (e.g. change so that only domain admins can change security settings for a spesific group) the settings are overwritten within few minutes. The inheritance have been moved so this might be a script running every once in a while which overrides my changes.
What are my options to find out which account is making this changes? what event id is written when a user makes changes to the security of a group?

Thanks in advance
0
Comment
Question by:Skyggna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 40232356
The event id's for a change in a group are:
Local Domain - 4737 (or 641 on older systems)
Global - 4735 (or 639 on older systems)
Universal - 4755 (or 659 on older systems)

Of course, you'll need to have auditing enabled on the domain controllers and the appropriate auditing policy defined.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40232749
0
 

Author Closing Comment

by:Skyggna
ID: 40233606
Thank you Razmus,
Thought this event only was for adding of users or removal of users (my bad), I will give it a try.

Best regards.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40233897
Adding and removing users would be:
                              Add    Remove
Domain Local -   4732     4733
Global -                4728     4729
Universal -           4756     4757

Full disclosure... I have a copy of a quick reference guide for the common security event ids and kerberos codes, which has helped me in the past when querying my SCOM ACS database.  (And be aware, that link will want to collect your email address to get a copy...)
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40233922
No feedback on mine...nice. I advise you to read it, it could very well be the reason.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question