Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

AD security group memberships changes

Posted on 2016-09-26
7
Medium Priority
?
35 Views
Last Modified: 2016-10-16
would there be any default logs or techniques (e.g. powershell commands), to identify when a user was added to the membership of an AD security group - and the date the user was added? We need to pick a sample of users who have recently been granted access to existing security groups to ensure it was properly authorised.
0
Comment
Question by:pma111
  • 4
  • 2
7 Comments
 
LVL 24

Assisted Solution

by:yo_bee
yo_bee earned 1000 total points (awarded by participants)
ID: 41815809
In Group Policy there are options to enable Directory Services
Here is a link how to set it up.
https://technet.microsoft.com/en-us/library/dd277403.aspx
0
 
LVL 40

Accepted Solution

by:
Subsun earned 1000 total points (awarded by participants)
ID: 41815845
If you have already enabled active directory auditing then you can look in event logs on domain controllers, to find the events. Else it's not possible. If you enable the Auditing, the logs can capture events from when it's enabled.
Ref :
Audit Security Group Management
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
AD DS Auditing Step-by-Step Guide
  https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
1
 
LVL 3

Author Comment

by:pma111
ID: 41815973
Hi subsun - where can you check if AD auditing has been enabled or not - and where by default would these logs reside?
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 1000 total points (awarded by participants)
ID: 41815981
In the Default Domain Controller Policy,  
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Check Audit Directory Services Access, Audit Account Management etc..

If the auditing is not enabled then you will see 'No Auditing', If it's enabled then you can see 'Success, Failure'

You can open the Security Log to view logged events.
0
 
LVL 3

Author Comment

by:pma111
ID: 41816022
thanks.

By security log, do you just mean the default windows security log, i.e.

%SystemRoot%\System32\Winevt\Logs\Security.evtx
0
 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 1000 total points (awarded by participants)
ID: 41816031
Yes.. you can access, eventvwr > Windows Logs > Security
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41845503
Expert comments have answered the queries. The question can be closed if @pma111 doesn't have any objections.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question