AD security group memberships changes

would there be any default logs or techniques (e.g. powershell commands), to identify when a user was added to the membership of an AD security group - and the date the user was added? We need to pick a sample of users who have recently been granted access to existing security groups to ensure it was properly authorised.
LVL 3
pma111Asked:
Who is Participating?
 
SubsunCommented:
If you have already enabled active directory auditing then you can look in event logs on domain controllers, to find the events. Else it's not possible. If you enable the Auditing, the logs can capture events from when it's enabled.
Ref :
Audit Security Group Management
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
AD DS Auditing Step-by-Step Guide
  https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
1
 
yo_beeDirector of Information TechnologyCommented:
In Group Policy there are options to enable Directory Services
Here is a link how to set it up.
https://technet.microsoft.com/en-us/library/dd277403.aspx
0
 
pma111Author Commented:
Hi subsun - where can you check if AD auditing has been enabled or not - and where by default would these logs reside?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
SubsunCommented:
In the Default Domain Controller Policy,  
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Check Audit Directory Services Access, Audit Account Management etc..

If the auditing is not enabled then you will see 'No Auditing', If it's enabled then you can see 'Success, Failure'

You can open the Security Log to view logged events.
0
 
pma111Author Commented:
thanks.

By security log, do you just mean the default windows security log, i.e.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
0
 
SubsunCommented:
Yes.. you can access, eventvwr > Windows Logs > Security
0
 
SubsunCommented:
Expert comments have answered the queries. The question can be closed if @pma111 doesn't have any objections.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.