Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Security settings for groups

Posted on 2014-07-31
5
Medium Priority
?
102 Views
Last Modified: 2014-08-01
Hello,

I am having some issues with security settings for groups in Active Directory. When I remove users from the security of a group (e.g. change so that only domain admins can change security settings for a spesific group) the settings are overwritten within few minutes. The inheritance have been moved so this might be a script running every once in a while which overrides my changes.
What are my options to find out which account is making this changes? what event id is written when a user makes changes to the security of a group?

Thanks in advance
0
Comment
Question by:Skyggna
  • 2
  • 2
5 Comments
 
LVL 31

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 40232356
The event id's for a change in a group are:
Local Domain - 4737 (or 641 on older systems)
Global - 4735 (or 639 on older systems)
Universal - 4755 (or 659 on older systems)

Of course, you'll need to have auditing enabled on the domain controllers and the appropriate auditing policy defined.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40232749
0
 

Author Closing Comment

by:Skyggna
ID: 40233606
Thank you Razmus,
Thought this event only was for adding of users or removal of users (my bad), I will give it a try.

Best regards.
0
 
LVL 31

Expert Comment

by:Rich Weissler
ID: 40233897
Adding and removing users would be:
                              Add    Remove
Domain Local -   4732     4733
Global -                4728     4729
Universal -           4756     4757

Full disclosure... I have a copy of a quick reference guide for the common security event ids and kerberos codes, which has helped me in the past when querying my SCOM ACS database.  (And be aware, that link will want to collect your email address to get a copy...)
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40233922
No feedback on mine...nice. I advise you to read it, it could very well be the reason.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question