Domenic DiPasquale
asked on
Tracking changes made within Active Directory.
I seem to have an employee that's making changes to security groups within Active Directory that were not permitted. Is it possible to track changes made with Event Viewer? Ideally what was changed, by who, and at this date and time. Any suggestions? Thank you for your time.
ASKER
Thank you Sean. I'll try using the script within the link at some point. I've also found an article for setting up auditing AD DS.
https://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
Remember you need to set up success audit for that (failure audit should also be used).
See this link for best practices.
Check this article, which explains how to track changes made in Active Directory:
https://www.lepide.com/how-to/track-changes-in-active-directory.html
You may also get help from auditing solutions like Lepide and ManageEngine to track such changes and monitor their day-to-day activities.
Hope this helps!
ASKER
I've set up the scripts to alert when changes are made to the security groups in question. I've also configured Auditing for AD DS. Thank you for your help.
https://gallery.technet.microsoft.com/scriptcenter/bfa06e91-a6d0-4d41-ab6d-eb7fd19c1704
It will email you every time a group membership is changed and should get you the information you are looking for. I would set up a scheduled task to run it every 15 min or so.
Otherwise you would be looking at getting some type of 3rd-party software to track and log this information without having to go through the event logs on your own. Be sure this script is running on every DC.
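The who/what/when lookup discussed in this thread, as an added PowerShell example (not the TechNet script linked above and not any poster's code). It assumes success auditing of group management is already enabled on the DCs; the function names and the sample event are constructed for illustration, and the event IDs are the standard Windows ones for security-enabled group membership changes.

```powershell
# Added example. Standard Security-log IDs for security-group membership changes.
$GroupChangeIds = @{
    4728 = 'Added to global group';    4729 = 'Removed from global group'
    4732 = 'Added to local group';     4733 = 'Removed from local group'
    4756 = 'Added to universal group'; 4757 = 'Removed from universal group'
}

function ConvertFrom-GroupChangeEvent {
    # Hypothetical helper: turns one event's XML into a who/what/when record.
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys  = $EventXml.Event.System
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeUtc   = $sys.TimeCreated.SystemTime   # UTC timestamp as logged
        DC        = $sys.Computer                 # DC that recorded the change
        Action    = $GroupChangeIds[[int]$sys.EventID]
        Group     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        Member    = $data.MemberName
        ChangedBy = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    }
}

function Get-GroupMembershipChange {
    # Hypothetical helper: each DC keeps its own Security log, so query them all.
    param([Parameter(Mandatory)][string[]]$DomainController, [int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = [int[]]$GroupChangeIds.Keys
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    foreach ($dc in $DomainController) {
        # SilentlyContinue: Get-WinEvent reports an error when nothing matches.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-GroupChangeEvent -EventXml $_.ToXml() }
    }
}

# Constructed sample event (not from a real log) showing the record shape.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2024-01-15T14:02:11Z"/>
    <Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Test User,OU=Staff,DC=example,DC=test</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetUserName">Finance-Admins</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="SubjectUserName">jdoe</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupChangeEvent -EventXml $sample
```

Pass `Get-GroupMembershipChange` the names of all domain controllers (for example from `Get-ADDomainController -Filter *` in the ActiveDirectory module) and keep `-Minutes` at least as long as the scheduled-task interval so no window is skipped.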