AD - Domain Admins Group - Track changes

Christian Hans asked:
Is there a way to find out who added a "service account" or "user account" to the "Domain Admins" security group, or when it was added?

I need to track who in my dept added an account to it and track down what the need/purpose was...

Thanks

PowerShell Developer (Top Expert 2010) commented:
Yes, if you have auditing enabled. You'll need to be logging changes to the member attribute to the event logs on your DCs.

Obligatory link:

https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Do you have that enabled already?
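The query that answer implies, as an added example (not code from the thread or from any of its posters): when the "Security Group Management" audit subcategory is on, each DC writes event 4728 (member added to a security-enabled global group; Domain Admins is global) or 4756 (universal group, e.g. Enterprise Admins) to its own Security log, and the event names both the account added and the account that made the change. The events are not replicated, so every DC has to be queried. The group name, look-back window and the assumption that the events are still in the log are the only inputs; nothing else is taken from the thread.

```powershell
# Added example, not from the original thread. Pulls "member added to a security
# group" events (4728 = global group, 4756 = universal group) from the Security
# log of every DC and keeps the ones whose target group is Domain Admins.
# Assumes the "Security Group Management" audit subcategory is enabled on the
# DCs and the events have not yet been overwritten; adjust $GroupName / $Days.
param(
    [string]$GroupName = 'Domain Admins',
    [int]$Days = 30
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4728, 4756
            StartTime = $since
        }
    } catch {
        # "No events were found" and RPC/firewall failures both land here.
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # The event fields are <Data Name="..."> elements in the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.TargetUserName -ne $GroupName) { continue }

        [pscustomobject]@{
            When    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Group   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Member  = $d.MemberName      # DN of the account that was added
            AddedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId = $d.SubjectLogonId  # correlate with the 4624 logon to find the source host
        }
    }
}

$results | Sort-Object When | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can read the DCs' Security logs. The "AddedBy" column is the answer to the "who" part of the question; pair the LogonId with the matching 4624 event on the same DC to see where the change came from. Removals are events 4729/4757 and can be added to the Id list the same way.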
Shaun Vermaak, Technical Specialist (Awarded 2017, Distinguished Expert 2018) commented:
Adam Brown, Senior Systems Admin (Top Expert 2010) commented:
FYI - Shaun's answer requires Server 2012 R2 to work. Previous versions of AD PowerShell don't include that cmdlet. You may be able to view the replication metadata in earlier versions, but you'll need a more complex script.

Also, without being able to do that, you would not be able to view privileged account changes without auditing enabled and configured in AD to track directory changes. It's not set up by default, so open ADUC in the Advanced View, right-click the group, go to Properties, select the Security tab, go to Advanced, and then check the Auditing tab. If nothing is shown there, you can't view auditing data because it isn't being recorded. This is also the case if the auditing logs are not large enough to record data going back far enough.
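The two checks described in that comment, plus the replication-metadata fallback it mentions, as an added example (not code from the thread or its posters). It first shows whether the audit settings that produce group-membership events are in place (the audit policy subcategories, and the SACL on the group object that ADUC displays on the Auditing tab), then reads the replication metadata for the group's member attribute, which Active Directory keeps regardless of auditing: one row per member link with the time it was created, last changed or deleted and the DC on which the change originated. Get-ADReplicationAttributeMetadata comes with the Active Directory module from Windows Server 2012 or later RSAT; the group name is the only input.

```powershell
# Added example, not from the original thread. Checks whether the auditing that
# records Domain Admins membership changes is switched on, then falls back to the
# replication metadata of the 'member' attribute, which tells you WHEN a member
# was added/removed and on WHICH DC even when no audit events exist.
# Requires the AD PowerShell module from Windows Server 2012 / Windows 8 RSAT or later.
param([string]$GroupName = 'Domain Admins')

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName
$dn    = $group.DistinguishedName
$dc    = (Get-ADDomainController).HostName

# 1. Audit policy (run on a DC, or check the GPO that applies to the DCs):
#    events 4728/4756 need "Security Group Management",
#    event 5136 (attribute modified) needs "Directory Service Changes".
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"Directory Service Changes"

# 2. SACL on the group object. 5136 is only generated for objects that carry an
#    audit entry; this is what ADUC shows under Advanced Security -> Auditing.
$sacl = (Get-Acl -Path "AD:\$dn" -Audit).Audit
if (-not $sacl) {
    Write-Warning "No auditing entries on $dn; Directory Service Changes (5136) will not be recorded for it."
} else {
    $sacl | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize
}

# 3. Replication metadata for the 'member' attribute. -ShowAllLinkedValues returns
#    one row per member (linked value) instead of one row for the whole attribute.
Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Select-Object @{ n = 'Member';        e = { $_.AttributeValue } },
                  @{ n = 'Added';         e = { $_.FirstOriginatingCreateTime } },
                  @{ n = 'LastChanged';   e = { $_.LastOriginatingChangeTime } },
                  @{ n = 'Removed';       e = { $_.LastOriginatingDeleteTime } },
                  @{ n = 'OriginatingDC'; e = { $_.LastOriginatingChangeDirectoryServerIdentity } },
                  Version |
    Sort-Object LastChanged -Descending |
    Format-Table -AutoSize
```

The metadata answers "when" and "from which DC", not "who": there is no actor recorded in it. Once you have the timestamp and originating DC, the Security log of that DC for that minute (4728, or 5136 if the SACL is in place) is where the account that made the change will be, provided the log still reaches back that far, which is the retention caveat raised above.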
Shaun Vermaak, Technical Specialist (Awarded 2017, Distinguished Expert 2018) commented:
Just install PowerShell v5.
