Solved

Security settings for groups

Posted on 2014-07-31
5
95 Views
Last Modified: 2014-08-01
Hello,

I am having some issues with security settings for groups in Active Directory. When I remove users from the security of a group (e.g. change so that only domain admins can change security settings for a spesific group) the settings are overwritten within few minutes. The inheritance have been moved so this might be a script running every once in a while which overrides my changes.
What are my options to find out which account is making this changes? what event id is written when a user makes changes to the security of a group?

Thanks in advance
0
Comment
Question by:Skyggna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40232356
The event id's for a change in a group are:
Local Domain - 4737 (or 641 on older systems)
Global - 4735 (or 639 on older systems)
Universal - 4755 (or 659 on older systems)

Of course, you'll need to have auditing enabled on the domain controllers and the appropriate auditing policy defined.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40232749
0
 

Author Closing Comment

by:Skyggna
ID: 40233606
Thank you Razmus,
Thought this event only was for adding of users or removal of users (my bad), I will give it a try.

Best regards.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40233897
Adding and removing users would be:
                              Add    Remove
Domain Local -   4732     4733
Global -                4728     4729
Universal -           4756     4757

Full disclosure... I have a copy of a quick reference guide for the common security event ids and kerberos codes, which has helped me in the past when querying my SCOM ACS database.  (And be aware, that link will want to collect your email address to get a copy...)
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40233922
No feedback on mine...nice. I advise you to read it, it could very well be the reason.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question