Avatar of Christian Hans
Christian Hans
Flag for United States of America asked on

AD - Domain Admins Group - Track changes

Is there a way to find out who or when a "service account" or "user account" was added to the "Domain Admins" Security Group?

I need to track who on my dept added an account to it and track down what the need/purpose was...

Thanks
SecurityActive DirectoryPowershell

Avatar of undefined
Last Comment
Shaun Vermaak

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Chris Dent

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Shaun Vermaak

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Adam Brown

FYI - Shaun's answer requires Server 2012 R2 to work. Previous versions of AD Powershell don't include that cmdlet. You may be able to view the replication metadata in earlier versions, but you'll need a more complex script.

Also, without being able to do that, you would not be able to view privileged account changes without auditing enabled and configured in AD to track directory changes. It's not set up by default, so open ADUC in the Advanced View, right click the group, go to properties, select the Security Tab, go to advanced, and then check the Auditing tab. If nothing is shown there, you can't view auditing data because it isn't being recorded. This is also the case if the auditing logs are not large enough to record data going back far enough.
Shaun Vermaak

Just install Powershell v5
Your help has saved me hundreds of hours of internet surfing.
fblack61