can I find out who or when someone was added to a particular group in active directory 2008r2/

We had an incident where a user was apparently added to an active directory group, she logged in, then her login script mapped her to Shared Drives she was not supposed to have access to. By the time the incident was reported to me, I checked her groups and did not see anything unusual so I had her log out and back in. Her drives vanished as they should have. The question now is, how did it happen. Is there a way or something I can find in the Event Viewer to explain who added her or when she was added to these active directory groups?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Matthew KellyCommented:
Only if “Audit account management” is set to both "Success" and "Failure" on the domain controller in the Audit policy (which is not always the case).

If it is set to Success, then there should be event IDs for "4728      A member was added to a security-enabled global group."

There is also "4729      A member was removed from a security-enabled global group."

Full list of event ids:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Will SzymkowskiSenior Solution ArchitectCommented:
If you have multiple domain controllers this task can be pretty tedious process looking through logs. Also having Auditing Enabled will usually overwrite quickly. I would suggest the following, increase the Security Logs on each domain controller to 1GB. I would then also recommend using the Lepide Auditor for Active Directory. This provides a web based interface and provides many reports to get all of the information from the Logs from all domain controllers.

For this to work as well you will still need to enable Auditing on the default domain controllers policy.

Michael OrtegaSales & Systems EngineerCommented:
ManageEngine AD Audit is great for this. It's free for small environments and there is a demo if you want to try it out.

Thor2923Author Commented:
ok, thanks I doubt the auditing is turned on. I recall from a previous job that caused space issues. The issue now is where do I browse to verify? I am on the DC and in Group Policy Manager, where to I go to verify if this is turned on or off? I just need to make a screen shot I can show the executives
Will SzymkowskiSenior Solution ArchitectCommented:
You need to open Group Policy Management Console and check the "Default Domain Controllers Policy". See below link for complete details, on how to set this up.

I recall from a previous job that caused space issues.
This should not be an issues. All you need to do is set the logs to "overwrite as needed" This setting will overwrite the oldest log. This is why i mentioned setting the logs to 1GB.

If you leave the defaults they will overwrite within minutes when the auditing policy is enabled.
Once you have increased the log size this will give you adequate time to move the logs off the server to another location where you can start going through them.

This is where lepide Audit for Active Directory comes in to play. The logs are then referenced on another server where they won't get overwritten and you can view all of the details via Web GUI.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.