AD and windows file server event logs.

Is it possible (I presume it must be) to audit/capture in Active Directory each time a user is added to a security group, e.g. time, which admin added them as a member, and similarly, on a Windows file server, each time the ACL changed for a directory on a certain drive, e.g. a new access control entry was added to the access control list, or permissions for an existing access control entry on the access control list were amended.

I need to check a) is this level of auditing possible without buying a 3rd party tool, does it pre-exist within Windows/AD, b) how can I check if it is enabled already, and where exactly are the logs written to for such occurrences if enabled, and are there specific IDs for what I have listed above.

We have very strict rules around authorisation when someone requires access to some sensitive directories on a file server, and I am looking into ways access could be achieved, e.g. added to a group already with access, ACL directly amended.

Have I covered all bases here, or could there be other 'actions' that could grant users access to a directory on a file server?
pma111Asked:

LearnctxEngineerCommented:
> I need to check a) is this level of auditing possible without buying a 3rd party tool, does it pre-exist within Windows/AD

Yes, look at advanced auditing and file system auditing.

Advanced Auditing
Edit GPO > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > ... select what is relevant.

File system auditing
Edit the file system auditing settings to whatever path you want to monitor. Might be possible via GPO, I've not done this before.

> b) how can I check if it is enabled already, and where exactly are the logs written to for such occurrences if enabled, are there specific IDs for what I have listed above.

There will be events logged. Refer to Microsoft's documentation for the Event IDs. There are many.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system

There is much documented on Microsoft's site. Another useful resource is https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728.
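As an added example (not part of Learnctx's answer, and not Microsoft's own tooling beyond the built-in cmdlets and auditpol), the following PowerShell checks the two things the question asks about: whether the relevant advanced audit subcategories are actually enabled on the machine, and whether the sensitive folder carries any audit entries (a SACL), without which File System auditing logs nothing for that folder. The folder path D:\Sensitive is an assumption; the session must be elevated because reading and writing SACLs needs the SeSecurityPrivilege.

```powershell
# Added example: verify audit policy and SACL state for a protected folder.
# Run elevated on the file server (File System / Authorization Policy Change)
# or on a domain controller (Security Group Management).

# 1. Effective advanced audit policy for the subcategories that matter here.
#    Group membership changes (4728/4732/4756 etc.) log under "Security Group Management".
#    4670 (permissions on an object were changed) is documented by Microsoft under
#    both "File System" (needs a SACL on the object) and "Authorization Policy Change".
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Authorization Policy Change"

# 2. Does the folder have any audit entries at all?
$folder = 'D:\Sensitive'              # assumption: the directory being protected
$acl = Get-Acl -Path $folder -Audit   # -Audit pulls the SACL, not just the DACL
if ($acl.Audit.Count -eq 0) {
    Write-Warning "No audit entries on $folder - File System auditing will not log ACL changes here."
}
$acl.Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 3. Add a SACL entry that audits successful permission and ownership changes by anyone,
#    inherited by all subfolders and files, so 4670 is produced when the DACL is edited.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl
```

Step 3 only has to be done once per top-level folder because the entry is inherited; if you manage many shares, the same SACL entry can be pushed through Group Policy (Computer Configuration > Windows Settings > Security Settings > File System), which is the GPO route Learnctx mentions.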

austin minorCommented:
Run the script and look for the group details

Get-ADGroupMemberDate -Group 'Domain Admins'

Event logs might help you.
4728/4729 > A member was added/removed to/from a security-enabled global group
4732/4733 > A member was added/removed to/from a security-enabled local group
4756/4757 > A member was added/removed to/from a security-enabled universal group
4751/4752 > A member was added/removed to/from a security-disabled global group (distribution list)
4746/4747 > A member was added/removed to/from a security-disabled local group (distribution list)
4761/4762 > A member was added/removed to/from a security-disabled universal group (distribution list)

Get-EventLog -logname security | Where-Object {($_.eventid -eq 4728) -or ($_.eventid -eq 4733 ) -or ($_.eventid -eq 4746)} | select EventID,MachineName,EntryType,Message,InstanceId,TimeGenerated,TimeWritten,UserName | export-csv -path C:\logs.csv -NoTypeInformation

Here is a step by step guide to track and audit Active Directory Group Changes.

Next, Monitor Event ID 4670 - Windows logs this event when someone changes the access control list on an object.

This step by step how-to guide helps you to track permission changes on File Servers.

However, to send an alert email based on the event IDs, please check out the article below.
https://blogs.technet.microsoft.com/jhoward/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger/
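As an added example (not part of austin minor's answer), here is a single query that pulls every group-membership event listed above plus 4670 from the Security log and turns each into a flat record of who changed what, by reading the named EventData fields from the event XML rather than scraping the Message text. It uses Get-WinEvent with a filter hashtable, which is filtered inside the event log service and is much faster than Get-EventLog on a large Security log. The seven-day window and the C:\logs.csv output path are assumptions; run it on a domain controller for the 47xx group events and on the file server for 4670.

```powershell
# Added example: collect group membership and ACL change events into a CSV report.
$groupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757, 4746, 4747, 4751, 4752, 4761, 4762
$aclChangeId    = 4670
$since = (Get-Date).AddDays(-7)       # assumption: look back one week

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $groupChangeIds + $aclChangeId
    StartTime = $since
} -ErrorAction SilentlyContinue       # "no events found" is a non-terminating error, not a failure

$report = foreach ($e in $events) {
    # The useful fields live in <EventData>; index them by their Name attribute.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $changedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"

    if ($e.Id -eq $aclChangeId) {
        # 4670: ObjectName is the file/folder, OldSd/NewSd are the security descriptors in SDDL,
        # so the two can be diffed to see exactly which ACE was added or amended.
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Action    = 'ACL changed'
            ChangedBy = $changedBy
            Target    = $data.ObjectName
            Member    = ''
            OldSddl   = $data.OldSd
            NewSddl   = $data.NewSd
        }
    } else {
        # Group events: the "added" ID of each pair is even, the "removed" ID is odd.
        $action = if ($e.Id % 2 -eq 0) { 'Member added' } else { 'Member removed' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Action    = $action
            ChangedBy = $changedBy
            Target    = $data.TargetUserName   # the group that changed
            Member    = $data.MemberName       # DN of the account added or removed
            OldSddl   = ''
            NewSddl   = ''
        }
    }
}

$report | Sort-Object Time | Export-Csv -Path C:\logs.csv -NoTypeInformation
```

Because the report keys on SubjectUserName, it answers the "which admin added them" part of the question directly; filtering the Target column to the specific groups that grant access to the sensitive directories, and the 4670 ObjectName column to those directories, gives the two audit trails the question is after.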
pma111Author Commented:
What are the pre-reqs to run commands such as 'Get-ADGroupMemberDate'. I have the AD powershell module installed but it does not recognise Get-ADGroupMemberDate.
thanks
austin minorCommented:
Before you call function you must load it to your PowerShell code editor (ISE, Visual Studio Code, etc).
Copy code from Script part, paste to your editor and run.
Right after that you can use command Get-ADGroupMemberDate -Group “GroupName”.

http://techgenix.com/active-directory-group-membership/

https://learn-powershell.net/2013/05/21/find-when-a-user-was-added-or-removed-to-a-domain-group-using-powershell-and-repadmin/

Hope it's clear now.