Solved

AD security group memberships changes

Posted on 2016-09-26
7
28 Views
Last Modified: 2016-10-16
would there be any default logs or techniques (e.g. powershell commands), to identify when a user was added to the membership of an AD security group - and the date the user was added? We need to pick a sample of users who have recently been granted access to existing security groups to ensure it was properly authorised.
0
Comment
Question by:pma111
  • 4
  • 2
7 Comments
 
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 250 total points (awarded by participants)
ID: 41815809
In Group Policy there are options to enable Directory Services
Here is a link how to set it up.
https://technet.microsoft.com/en-us/library/dd277403.aspx
0
 
LVL 40

Accepted Solution

by:
Subsun earned 250 total points (awarded by participants)
ID: 41815845
If you have already enabled active directory auditing then you can look in event logs on domain controllers, to find the events. Else it's not possible. If you enable the Auditing, the logs can capture events from when it's enabled.
Ref :
Audit Security Group Management
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
AD DS Auditing Step-by-Step Guide
  https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
1
 
LVL 3

Author Comment

by:pma111
ID: 41815973
Hi subsun - where can you check if AD auditing has been enabled or not - and where by default would these logs reside?
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
ID: 41815981
In the Default Domain Controller Policy,  
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Check Audit Directory Services Access, Audit Account Management etc..

If the auditing is not enabled then you will see 'No Auditing', If it's enabled then you can see 'Success, Failure'

You can open the Security Log to view logged events.
0
 
LVL 3

Author Comment

by:pma111
ID: 41816022
thanks.

By security log, do you just mean the default windows security log, i.e.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points (awarded by participants)
ID: 41816031
Yes.. you can access, eventvwr > Windows Logs > Security
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41845503
Expert comments have answered the queries. The question can be closed if @pma111 doesn't have any objections.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question