Christian Hans

AD - Domain Admins Group - Track changes

Is there a way to find out who or when a "service account" or "user account" was added to the "Domain Admins" Security Group?

I need to track who on my dept added an account to it and track down what the need/purpose was...

Thanks
ASKER CERTIFIED SOLUTION
Chris Dent
This solution is only available to members.
SOLUTION
This solution is only available to members.
FYI - Shaun's answer requires Server 2012 R2 to work. Previous versions of AD PowerShell don't include that cmdlet. You may be able to view the replication metadata in earlier versions, but you'll need a more complex script.

Also, without being able to do that, you would not be able to view privileged account changes without auditing enabled and configured in AD to track directory changes. It's not set up by default, so open ADUC in the Advanced View, right-click the group, go to Properties, select the Security tab, go to Advanced, and then check the Auditing tab. If nothing is shown there, you can't view auditing data because it isn't being recorded. This is also the case if the auditing logs are not large enough to record data going back far enough.

Just install PowerShell v5
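
The two data sources discussed in this thread (replication metadata for "when", audit events for "who") can be queried as below. This is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory module, read access to the domain controllers' Security logs, and the use of event ID 4728 (member added to a security-enabled global group), which the thread does not name.

```powershell
# Added example: trace additions to Domain Admins from two independent sources.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Domain Admins'
$pdc   = (Get-ADDomain).PDCEmulator

# 1) WHEN: per-value replication metadata on the group's 'member' attribute.
#    Available even if auditing was never enabled, but it does not record
#    which account made the change.
Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $pdc `
        -Properties member -ShowAllLinkedValues |
    Select-Object AttributeValue, FirstOriginatingCreateTime,
                  LastOriginatingChangeTime, Version |
    Sort-Object LastOriginatingChangeTime -Descending |
    Format-Table -AutoSize

# 2) WHO: event 4728 in the Security log. It is written only on the DC that
#    processed the change, and only if "Audit Security Group Management" was
#    enabled at the time and the log has not rolled over since.
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4728 }
    } catch {
        # Unreachable DC, access denied, or simply no matching events there.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

$events | ForEach-Object {
    # Turn the event's named data fields into a lookup table.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    # Match on the group SID so renamed or localized group names still match.
    if ($data['TargetSid'] -eq $group.SID.Value) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $_.MachineName
            AddedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Member  = $data['MemberName']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Matching the timestamps from step 1 against the events from step 2 shows which additions still have an audit record and which predate the available logs.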