Solved

AD security group memberships changes

Posted on 2016-09-26
7
23 Views
Last Modified: 2016-10-16
would there be any default logs or techniques (e.g. powershell commands), to identify when a user was added to the membership of an AD security group - and the date the user was added? We need to pick a sample of users who have recently been granted access to existing security groups to ensure it was properly authorised.
0
Comment
Question by:pma111
  • 4
  • 2
7 Comments
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 250 total points (awarded by participants)
Comment Utility
In Group Policy there are options to enable Directory Services
Here is a link how to set it up.
https://technet.microsoft.com/en-us/library/dd277403.aspx
0
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points (awarded by participants)
Comment Utility
If you have already enabled active directory auditing then you can look in event logs on domain controllers, to find the events. Else it's not possible. If you enable the Auditing, the logs can capture events from when it's enabled.
Ref :
Audit Security Group Management
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
AD DS Auditing Step-by-Step Guide
  https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
1
 
LVL 3

Author Comment

by:pma111
Comment Utility
Hi subsun - where can you check if AD auditing has been enabled or not - and where by default would these logs reside?
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
Comment Utility
In the Default Domain Controller Policy,  
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Check Audit Directory Services Access, Audit Account Management etc..

If the auditing is not enabled then you will see 'No Auditing', If it's enabled then you can see 'Success, Failure'

You can open the Security Log to view logged events.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
thanks.

By security log, do you just mean the default windows security log, i.e.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
Comment Utility
Yes.. you can access, eventvwr > Windows Logs > Security
0
 
LVL 40

Expert Comment

by:Subsun
Comment Utility
Expert comments have answered the queries. The question can be closed if @pma111 doesn't have any objections.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Create and license users in Office 365 in bulk based on a CSV file. A step-by-step guide with PowerShell script examples.
This article will help you understand what HashTables are and how to use them in PowerShell.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now