Auditing Group Membership changes


I often get asked this question: “how do I audit group membership changes?” Many AD change-monitoring tools (Quest, Netwrix, etc.) have nice reports that can be generated to look up this information, but the question usually comes up when a change auditor product for AD is not in the picture. Let me cover the highlights here.

1. You need to have the Auditing enabled with Group Policy.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy


2. In order to see on which DC the change was made, you can look up the object's replication metadata via repadmin.

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=techevan,DC=lab"

Towards the end of the output, the entry marked ABSENT (in this example) shows the originating DC on which a particular user was removed from this group.

Type     Attribute   Last Mod Time        Originating DSA      Loc.USN  Org.USN  Ver  Distinguished Name
=======  ==========  ===================  ===================  =======  =======  ===  =========================================
ABSENT   member      2010-11-05 16:55:28  TestSite\TEST-DC01   749327   749327   2    CN=Rick Sheikh,OU=Users,DC=techevan,DC=lab

3. You can comb the Security log on that DC using EventComb or Event Viewer. Event ID 4729 is logged when a member is removed from a security-enabled global group.

Some other important Event IDs for User and Group Auditing in Windows Server 2008 R2 are these:

4727 – A security-enabled global group was created.

4728 – A member was added to a security-enabled global group.

4730 – A security-enabled global group was deleted.

4731 – A security-enabled local group was created.

4732 – A member was added to a security-enabled local group.

4733 – A member was removed from a security-enabled local group.

4734 – A security-enabled local group was deleted.

4735 – A security-enabled local group was changed.

4737 – A security-enabled global group was changed.

4754 – A security-enabled universal group was created.

4755 – A security-enabled universal group was changed.

4756 – A member was added to a security-enabled universal group.

4757 – A member was removed from a security-enabled universal group.

4758 – A security-enabled universal group was deleted.
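As an added example (not code from the original post), the following PowerShell script pulls the member-added and member-removed events from the list above out of a DC's Security log and extracts which account changed which group; the DC name (test-dc01) and group name (Test Group) are assumed from the repadmin example earlier in the post.

```powershell
# Added example: list group-membership changes recorded on a DC's Security log.
# Assumptions: DC 'test-dc01' and group 'Test Group' (taken from the post); the
# account running this can read the Security log remotely (e.g. Event Log Readers).
param(
    [string]$DomainController = 'test-dc01',   # assumption: DC from the post
    [string]$GroupName        = 'Test Group',  # assumption: group from the post
    [int]$Days                = 7
)

# Member added / removed for security-enabled global, local and universal groups
$memberChangeIds = 4728, 4729, 4732, 4733, 4756, 4757

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = $memberChangeIds
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue   # no matching events is not an error here

foreach ($e in $events) {
    # Read the EventData fields by name rather than by position, so the parsing
    # does not depend on the field order of one particular event ID.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName holds the group's sAMAccountName for these event IDs
    if ($data['TargetUserName'] -ne $GroupName) { continue }

    $action = if ($e.Id -in 4728, 4732, 4756) { 'ADDED' } else { 'REMOVED' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        DC      = $DomainController
        EventId = $e.Id
        Action  = $action
        Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member  = $data['MemberName']   # DN of the member, e.g. CN=Rick Sheikh,OU=Users,...
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']
    }
}
```

Drop the `$GroupName` filter to see every membership change on that DC, and run it against each DC (or the one repadmin identified as the originating DSA), since these events are only written on the DC where the change was made.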

More reading here: http://www.windowsecurity.com/articles/Event-IDs-Windows-Server-2008-Vista-Revealed.html

2 thoughts on “Auditing Group Membership changes”

  1. Imtiaz

    Shariq Bhai,

    As Salaam Walaikum. I have a related question for you that I have been searching for an answer for without much success.

    Like you indicated, there are many solutions to help find out who changed a group membership in Active Directory, but Shariq, we are in search of a solution that can also help us find out who can change group memberships in Active Directory.

    I am asking because we had a situation where one of our admins who was getting laid off, changed a membership just before leaving, resulting in a security incident, and while the auditing later showed that he had changed it, if we had only known that he could change this, we could have locked it down before giving him notice.

    I have found it to be very difficult to try and figure this out. There is a similar discussion on one of the communities I am on (How to find out who can change/modify an Active Directory group’s membership?), but still no answers.

    You are an expert Shariq, and you now work for Microsoft, so you must know how I can find out this answer – I would much appreciate your help with this.

    Shukran!

    Khudaah Haafiz
    Imtiaz
