
Can I find out who added someone to a particular group in Active Directory 2008 R2, or when?

We had an incident where a user was apparently added to an Active Directory group, she logged in, and then her login script mapped her to shared drives she was not supposed to have access to. By the time the incident was reported to me, I checked her groups and did not see anything unusual, so I had her log out and back in. Her drives vanished as they should have. The question now is: how did it happen? Is there a way, or something I can find in the Event Viewer, to explain who added her or when she was added to these Active Directory groups?

Only if “Audit account management” is set to both "Success" and "Failure" on the domain controller in the Audit policy (which is not always the case).

If it is set to Success, then there should be event IDs for "4728: A member was added to a security-enabled global group."

There is also "4729: A member was removed from a security-enabled global group."

Full list of event ids: http://support.microsoft.com/kb/947226
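As an added example (not code from the thread): a PowerShell script that asks every domain controller for the 4728/4729 events named above, plus the matching add/remove pairs for domain-local (4732/4733) and universal (4756/4757) groups, and filters them on the member's name. It only returns results once "Audit account management" success auditing is enabled on the DCs, and the member name, day range and RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original thread.
# Assumes: RSAT ActiveDirectory module, Event Log Readers rights on each DC,
# and "Audit account management" (Success) enabled in the DC audit policy.
param(
    [string]$MemberFilter = 'Jane Doe',   # assumed: part of the member's DN (CN=Jane Doe,...)
    [int]$Days = 30                       # assumed look-back window
)

Import-Module ActiveDirectory

# 4728/4729 are the global-group events the answer names; 4732/4733 (domain local)
# and 4756/4757 (universal) are the same add/remove pair for the other group scopes.
# Even IDs are "member added", odd IDs are "member removed".
$ids    = 4728, 4729, 4732, 4733, 4756, 4757
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) }

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # Query each DC directly: the change is logged only on the DC that processed it.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no event matches, as well as on access/RPC errors.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields (MemberName, TargetUserName, Subject*) from the XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.MemberName -notlike "*$MemberFilter*") { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            Action    = if ($e.Id % 2 -eq 0) { 'Added' } else { 'Removed' }
            Member    = $d.MemberName        # DN of the account that was added/removed
            Group     = $d.TargetUserName    # the group that changed
            ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # who made the change
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

The ChangedBy column is the account that performed the change, which is the "who" the question asks for; the Time and DC columns give the "when" and which log it came from.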
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
If you have multiple domain controllers this task can be a pretty tedious process, looking through logs. Also, having auditing enabled will usually overwrite the logs quickly. I would suggest the following: increase the Security logs on each domain controller to 1GB. I would then also recommend using the Lepide Auditor for Active Directory. This provides a web-based interface and provides many reports to get all of the information from the logs from all domain controllers.

For this to work you will still need to enable auditing on the Default Domain Controllers Policy.

http://www.lepide.com/lepideauditor/active-directory.html

Will.
Michael Ortega, Sales & Systems Engineer

Commented:
ManageEngine AD Audit is great for this. It's free for small environments and there is a demo if you want to try it out.

MO

Author

Commented:
OK, thanks. I doubt the auditing is turned on; I recall from a previous job that it caused space issues. The issue now is where do I browse to verify? I am on the DC and in Group Policy Management; where do I go to verify if this is turned on or off? I just need to make a screenshot I can show the executives.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
You need to open the Group Policy Management Console and check the "Default Domain Controllers Policy". See the link below for complete details on how to set this up.
https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

"I recall from a previous job that caused space issues."
This should not be an issue. All you need to do is set the logs to "overwrite as needed". This setting will overwrite the oldest log. This is why I mentioned setting the logs to 1GB.

If you leave the defaults they will overwrite within minutes when the auditing policy is enabled.
Once you have increased the log size this will give you adequate time to move the logs off the server to another location where you can start going through them.

This is where Lepide Auditor for Active Directory comes into play. The logs are then referenced on another server where they won't get overwritten, and you can view all of the details via the web GUI.

Will.