Active Directory Monitring.


Please is there any power shell script or command can find on AD security group who has add as member and who made the changes. I have recently join an org over 4k employees, and managing  the infrastructure.
how I can enable the AD security logs for future  for analyses. any command to find the bad DHCP IP address.


Asif NaeemSr. System Administrator ( Wintel & UNIX (AIX) Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gpo enable auditing if not already, it will record the event in the security event viewer on the DCs

Not sure what you mean about bad DHCP ip.
You mean a rogue DHCP server on the network?
Broadcasting a dhcpdiscovery and then looking at the responses ....

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Asif NaeemSr. System Administrator ( Wintel & UNIX (AIX) Author Commented:

Yes your right rogue DHCP IP address and DHCP flooding event log with no IP Scope event 1363 10200 as well.

I am keen any power shell script to find out who made changes in security group. getting pressure from Head of IT to answer his query.

Asif NaeemSr. System Administrator ( Wintel & UNIX (AIX) Author Commented:
event log is full of EVENT ID 1363 and 1020 what is the best practice to find out the solution, because there are almost 50 Scopes has been active with in DHCP, the reason we have more then 100 distribution.

Please advice.

Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

first make sure the auditing is enabled on the default domain policy. Then Scan through the group memberships mapping users who have rights.
then you may have to scan through the delegated rights to see whether there are groups to whom those rights are delegated..

If auditing was not enabled it and if there are multiple people who have access to a single administrative login, asking it the only way to know, or talk to the user who was granted those rights to see with whom they spoke about an issue that lead to the granting of the rights.......
Basically you're only going to only be able to look forward without audit logs. Arnold addressed that in his comments.

Enable logging and decide whether you want to go with PowerShell or a tool like AdAudit Plus. Might even look into SIEM for broader purposes.
Asif NaeemSr. System Administrator ( Wintel & UNIX (AIX) Author Commented:
Thanks provided info from all participate is really helpful.  i am working on it now.
Sara TeasdaleCommented:
I would suggest the Active Directory Monitoring Software which monitor the state of their AD including replication, user lockouts etc.  Please checkout the below link.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.