Pau Lo

asked:
AD and windows file server event logs.

Is it possible (I presume it must be) to audit/capture in Active Directory each time a user is added to a security group, e.g. the time and which admin added them as a member, and similarly, on a Windows file server, each time the ACL changed for a directory on a certain drive, e.g. a new access control entry was added to the access control list, or permissions for an existing access control entry on the access control list were amended?

I need to check: a) is this level of auditing possible without buying a 3rd party tool, i.e. does it pre-exist within Windows/AD? b) how can I check if it is enabled already, and where exactly are the logs written to for such occurrences if enabled? Are there specific IDs for what I have listed above?

We have very strict rules around authorisation when someone requires access to some sensitive directories on a file server, and I am looking into ways access could be achieved, e.g. added to a group already with access, ACL directly amended.

Have I covered all bases here, or could there be other 'actions' that could grant users access to a directory on a file server?
ASKER CERTIFIED SOLUTION
Aard Vark
This solution is only available to members.
austin minor

Run the script and look for the group details

Get-ADGroupMemberDate -Group 'Domain Admins'

Event logs might help you.
4728/4729 > A member was added/removed to/from a security-enabled global group
4732/4733 > A member was added/removed to/from a security-enabled local group
4756/4757 > A member was added/removed to/from a security-enabled universal group
4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

# Format-List emits formatting objects, not event rows, so it must not sit in front of Export-Csv; EventLogEntry has TimeGenerated/TimeWritten, not TimeCreated.
Get-EventLog -LogName Security | Where-Object { ($_.EventID -eq 4728) -or ($_.EventID -eq 4733) -or ($_.EventID -eq 4746) } | Select-Object EventID, MachineName, EntryType, Message, InstanceId, TimeGenerated, TimeWritten, UserName | Export-Csv -Path C:\logs.csv -NoTypeInformation

Here is a step by step guide to track and audit Active Directory Group Changes.

Next, Monitor Event ID 4670 - Windows logs this event when someone changes the access control list on an object.

This step by step how-to guide helps you to track permission changes on File Servers.

However, to send alert emails based on the event IDs, please check out the article below.
https://blogs.technet.microsoft.com/jhoward/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger/
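As an added example (not part of the answer above or of any of the linked guides), the following PowerShell first checks whether the two audit subcategories that produce these events are enabled, then pulls the group-membership events listed above and the 4670 ACL-change events from the Security log and flattens them into rows showing when, which admin, which group/member or which folder. The lookback window, the folder filter D:\Sensitive\ and the output path C:\audit\ are assumptions you would replace with your own. Group events are written on the domain controller that processed the change; 4670 is written on the file server, and only for folders that carry an audit entry (SACL) in addition to the "File System" subcategory being enabled.

```powershell
# Added example: check audit policy, then extract group and ACL change events.
# Run in an elevated PowerShell 3.0+ session on the DC (group events) or the
# file server (4670). Values below marked "assumed" are placeholders.

# 1. Is the relevant auditing switched on? Group changes need
#    "Security Group Management"; 4670 on files needs "File System".
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"File System"

# Turn an event's positional EventData into a name -> value hashtable, so fields
# can be read by name (SubjectUserName, TargetUserName, ObjectName, ...).
function Convert-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$Since = (Get-Date).AddDays(-7)   # assumed lookback window

# 2. Membership add/remove for security-enabled groups (IDs from the answer above).
$groupEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4732, 4733, 4756, 4757
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = Convert-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Action  = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
        Group   = $data['TargetUserName']     # group that was changed
        Member  = $data['MemberName']         # DN of the account added/removed
        ByAdmin = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC      = $_.MachineName
    }
}

# 3. ACL changes (4670) on audited objects. OldSd/NewSd hold the security
#    descriptor (SDDL) before and after, so the changed ACE can be diffed.
$aclEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4670
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = Convert-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Object  = $data['ObjectName']
        ByAdmin = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']
        OldSd   = $data['OldSd']
        NewSd   = $data['NewSd']
    }
} | Where-Object { $_.Object -like 'D:\Sensitive\*' }   # assumed folder filter

$groupEvents | Sort-Object Time | Format-Table Time, Action, Group, Member, ByAdmin -AutoSize
$aclEvents   | Sort-Object Time | Format-Table Time, Object, ByAdmin, Process -AutoSize

# Keep a copy for the authorisation review (assumed path).
$groupEvents | Export-Csv -Path C:\audit\group-changes.csv -NoTypeInformation
$aclEvents   | Export-Csv -Path C:\audit\acl-changes.csv   -NoTypeInformation
```

Get-WinEvent with a filter hashtable is used rather than Get-EventLog because it filters server-side and exposes the event XML, which is what lets the script name the fields instead of regex-parsing the Message text. The 4670 rows answer the "ACL directly amended" case from the question; comparing OldSd with NewSd shows whether an ACE was added or an existing one widened.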
Pau Lo (ASKER)

What are the pre-reqs to run commands such as 'Get-ADGroupMemberDate'? I have the AD PowerShell module installed but it does not recognise Get-ADGroupMemberDate.
thanks
Before you call the function you must load it into your PowerShell code editor (ISE, Visual Studio Code, etc).
Copy the code from the Script part, paste it into your editor and run it.
Right after that you can use the command Get-ADGroupMemberDate -Group "GroupName".

http://techgenix.com/active-directory-group-membership/

https://learn-powershell.net/2013/05/21/find-when-a-user-was-added-or-removed-to-a-domain-group-using-powershell-and-repadmin/

Hope it's clear now.