We had an incident where a user was apparently added to an active directory group, she logged in, then her login script mapped her to Shared Drives she was not supposed to have access to. By the time the incident was reported to me, I checked her groups and did not see anything unusual so I had her log out and back in. Her drives vanished as they should have. The question now is, how did it happen. Is there a way or something I can find in the Event Viewer to explain who added her or when she was added to these active directory groups?