Solved

AD security group memberships changes

Posted on 2016-09-26
7
25 Views
Last Modified: 2016-10-16
would there be any default logs or techniques (e.g. powershell commands), to identify when a user was added to the membership of an AD security group - and the date the user was added? We need to pick a sample of users who have recently been granted access to existing security groups to ensure it was properly authorised.
0
Comment
Question by:pma111
  • 4
  • 2
7 Comments
 
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 250 total points (awarded by participants)
ID: 41815809
In Group Policy there are options to enable Directory Services
Here is a link how to set it up.
https://technet.microsoft.com/en-us/library/dd277403.aspx
0
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points (awarded by participants)
ID: 41815845
If you have already enabled active directory auditing then you can look in event logs on domain controllers, to find the events. Else it's not possible. If you enable the Auditing, the logs can capture events from when it's enabled.
Ref :
Audit Security Group Management
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
AD DS Auditing Step-by-Step Guide
  https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
1
 
LVL 3

Author Comment

by:pma111
ID: 41815973
Hi subsun - where can you check if AD auditing has been enabled or not - and where by default would these logs reside?
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
ID: 41815981
In the Default Domain Controller Policy,  
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Check Audit Directory Services Access, Audit Account Management etc..

If the auditing is not enabled then you will see 'No Auditing', If it's enabled then you can see 'Success, Failure'

You can open the Security Log to view logged events.
0
 
LVL 3

Author Comment

by:pma111
ID: 41816022
thanks.

By security log, do you just mean the default windows security log, i.e.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
ID: 41816031
Yes.. you can access, eventvwr > Windows Logs > Security
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41845503
Expert comments have answered the queries. The question can be closed if @pma111 doesn't have any objections.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now