Audit group membership with ADAudit Plus

Be in the know about every addition, removal, and attribute change across every security group in your Active Directory environment.

Track every member addition and removal

Every user added to or removed from a security group is captured in real time, including the actor, timestamp, domain controller, and source machine. Investigate any group change without querying individual DC event logs.

Alert on privileged group changes

You can configure alerts to fire the moment any membership change is logged for the Domain Admins, Enterprise Admins, or Schema Admins groups, so your team can review and revert an unexpected elevation as soon as it happens.

Capture before-and-after attribute values

Every group attribute change is recorded with the old value and new value side by side, giving you the full context of what changed, not just that a change occurred.

Audit Entra ID group membership

Microsoft Entra ID group membership changes are tracked alongside on-premises AD group changes in a single console, with no need to pivot between directories or correlate logs manually.

Detect attacks that abuse group membership

DCSync requires an account holding directory replication rights, which an attacker obtains either by granting those rights to an account they control or by placing it in a group such as Domain Admins that already has them. A Golden Ticket is forged from the krbtgt account's key, which is usually extracted with DCSync, and typically asserts Domain Admins membership in the forged ticket itself. The Attack Surface Analyzer capability detects these techniques and reports on them with a full event timeline.

Meet compliance requirements for group changes

Pre-built compliance report sets for SOX, HIPAA, PCI-DSS, GDPR, and ISO 27001 map group membership change events directly to control requirements, so audit evidence is ready without manual compilation.

Monitor AdminSDHolder permission changes

Changes to the AdminSDHolder container's permissions are copied by the SDProp process to every protected account and group, by default every 60 minutes. ADAudit Plus captures these changes in real time, so the alert typically reaches you before the next propagation cycle applies the modified permissions.

Save custom group audit views

Custom report profiles let you combine specific groups, audit actions, and time windows into saved views, so recurring investigations, compliance checks, and delegation reviews run in seconds.

Why should group membership changes be audited?

Every member added to a security group receives that group's full permission set with no further approval step: the group's SID is placed in the account's access token and Kerberos tickets at its next logon.

A single unauthorized addition to Domain Admins grants domain-wide administrative access, and a stale account left in a privileged group is an open door for anyone who compromises those credentials. Group membership determines what users can reach across your environment: file shares, applications, administrative tools, and domain controllers.

ADAudit Plus captures every membership change across all security group types the moment it occurs. Pre-configured reports cover additions and removals for global, domain local, and universal security groups, with no custom query or policy configuration required. Every event records the actor, the affected group and member, the domain controller that logged it, and the source machine.

What ADAudit Plus audits in group management

ADAudit Plus covers every group change category in a single pre-configured report set. For each area below, every event includes who made the change, when, from which domain controller, and from which machine.

Group management area and what ADAudit Plus captures:

  • Security group membership additions: every user or computer added to a global, domain local, or universal security group, with actor identity and source machine.
  • Security group membership removals: every user or computer removed from a security group, with the account that performed the removal.
  • Distribution group membership changes: additions and removals for distribution groups, tracked separately from security group activity.
  • Privileged group membership: all membership changes to Domain Admins, Enterprise Admins, Schema Admins, and other protected groups, with a dedicated pre-configured alert.
  • Group attribute changes: any change to a group's name, description, scope, type, or managed-by field, with old and new values.
  • Group creation and deletion: all security and distribution groups created or deleted, with who performed the action.
  • AdminSDHolder-protected groups: changes to the AdminSDHolder container's permissions, which SDProp copies to every protected user and group.

Track security group membership changes

Group membership additions and removals are the most frequent and consequential group management events in any AD environment. ADAudit Plus captures these through pre-configured reports for all three security group types, with actor identity, timestamp, source machine, and IP for every event. You can track:

  • The group and the member added, including whether the addition was to a global, domain local, or universal group, plus the caller account and domain controller that recorded it.
  • The source machine and IP address, so you can trace additions made from administrative workstations, scripts, or delegated tools.
  • A complete Group Object History report for any group, showing the full sequence of membership changes over time.
  • Group deletions and groups restored from the AD Recycle Bin.
Screenshot: Recently Removed Members from Security Groups report, showing group name, removed member name, caller user name, modified time, group type, group scope, domain controller, and caller machine name.

Maintain a comprehensive audit trail of who made what change, to which group, and when.

You can also automate the generation and delivery of reports to easily pass compliance audits.

Monitor changes to privileged groups

Changes to privileged groups carry more risk than any other membership event in your directory. ADAudit Plus includes a pre-configured alert that fires the moment any membership change is made to a privileged group, and a dedicated AdminSDHolder Permission Changes report that captures every modification to the AdminSDHolder permissions as it is logged, typically ahead of the SDProp cycle that copies it to protected objects. ADAudit Plus can:

  • Deliver email and SMS notifications with the actor, source machine, and IP address.
  • Capture every modification to high-risk objects such as the AdminSDHolder container in real time, with the permission added or removed, who made the change, and when.
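As an added example (my own PowerShell, not ADAudit Plus code or anything from the product's documentation), here is the check a practitioner would build behind an alert like this. It parses the security-group membership events a domain controller logs (4728/4729 for global groups, 4732/4733 for domain local, 4756/4757 for universal), decides whether the target group is privileged from the well-known RID at the end of its SID rather than from its display name (so renaming Domain Admins does not evade the rule), and flags one actor changing many groups inside a single logon session. The two events at the bottom are constructed samples, not real log data; the RID table, function names, and thresholds are my assumptions.

```powershell
# Added example, not ADAudit Plus code. Names and thresholds are illustrative.
# Well-known RIDs of the built-in groups that AdminSDHolder protects.
# Match on the RID because a group's name can be changed; its SID cannot.
$PrivilegedRids = @{
    '512' = 'Domain Admins';   '518' = 'Schema Admins';     '519' = 'Enterprise Admins'
    '544' = 'Administrators';  '548' = 'Account Operators'; '549' = 'Server Operators'
    '550' = 'Print Operators'; '551' = 'Backup Operators';  '552' = 'Replicator'
}
# Security-group membership add/remove events: global, domain local, universal.
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

function ConvertFrom-GroupMembershipEvent {
    # Flatten one Security event (as XML) into a record. Security-Auditing
    # events carry no Qualifiers attribute, so EventID is plain text here.
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys  = $EventXml.Event.System
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $id     = [int]$sys.EventID
    $rid    = ($data['TargetSid'] -split '-')[-1]
    $action = if ($id -in $AddIds) { 'Added' } elseif ($id -in $RemoveIds) { 'Removed' } else { 'Other' }
    [pscustomobject]@{
        Time       = [datetime]$sys.TimeCreated.SystemTime
        DC         = $sys.Computer
        EventId    = $id
        Action     = $action
        Group      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        GroupSid   = $data['TargetSid']
        Member     = $data['MemberName']
        Actor      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId    = $data['SubjectLogonId']
        Privileged = $PrivilegedRids.ContainsKey($rid)
    }
}

function Get-PrivilegedGroupChanges {
    # Live use: read one DC's Security log. Run it against every DC, because
    # each DC logs only the membership writes it processed itself.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = ($AddIds + $RemoveIds); StartTime = $Since
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupMembershipEvent ([xml]$_.ToXml()) } |
        Where-Object Privileged
}

function Find-BulkMembershipChanges {
    # Same actor, same logon session, more than $Threshold membership changes:
    # the "ten similar changes in one session" pattern no single event shows.
    param([Parameter(Mandatory)][object[]]$Changes, [int]$Threshold = 5)
    $Changes | Group-Object Actor, LogonId | Where-Object Count -gt $Threshold |
        Select-Object @{n='Actor';e={$_.Group[0].Actor}}, @{n='LogonId';e={$_.Group[0].LogonId}}, Count
}

# Constructed sample events (not real log data), trimmed to the fields used above.
$Sample = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-14T09:12:33.000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="MemberName">CN=svc-backup,OU=Service,DC=corp,DC=example</Data><Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data><Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">0x3e7a1</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4733</EventID><TimeCreated SystemTime="2024-05-14T09:13:02.000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="MemberName">CN=asmith,OU=Staff,DC=corp,DC=example</Data><Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1106</Data><Data Name="TargetUserName">Helpdesk</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1201</Data><Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">0x3e7a1</Data></EventData></Event>
'@
)

$Changes = $Sample | ForEach-Object { ConvertFrom-GroupMembershipEvent ([xml]$_) }
$Changes | Format-Table Time, DC, Action, Group, Member, Actor, Privileged -AutoSize
# Only the Domain Admins addition (RID 512) is Privileged; the Helpdesk removal (RID 1201) is not.
Find-BulkMembershipChanges -Changes $Changes -Threshold 1
# Flags CORP\jdoe: two membership changes under logon ID 0x3e7a1 in one session.
```

Two design points carry over to any alerting tool. First, privileged status must be decided from the SID (or from adminCount/AdminSDHolder protection), never from the name alone, because the name is an attribute an attacker with group write access can change. Second, the SubjectLogonId is the key that ties a membership change back to the logon event on whichever DC authenticated the actor, which is the correlation the product page describes doing for you.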

Audit group attribute and configuration changes

Changing a group's scope, for example from domain local to universal, changes where the group can be used and which accounts it may contain, and therefore what its permissions can reach across domains and trusts. An unauthorized or mistaken scope change can grant or revoke access to resources in several domains at once. ADAudit Plus:

  • Records the old and new values for every group attribute change, so you can verify whether the change was authorized.
  • Tracks changes to a group's scope (Domain Local, Global, or Universal) and type (security or distribution).
  • Records every group change with the changed values, the actor, and the timestamp.
  • Tracks group renames with both the previous and new name, alongside group creation and deletion events.
Screenshot: Group Attribute New and Old Value report, showing group name, modified attribute, old value, new value, caller user name, modified time, and domain controller.

Track which attributes were modified during a change to a group, along with old and new values.

Extend group membership auditing to Microsoft Entra ID

ADAudit Plus tracks Entra ID group membership changes, covering additions, removals, and owner changes alongside on-premises reports. You can track:

  • Additions and removals to Microsoft Entra ID security and Microsoft 365 groups in real time.
  • Owner changes (accounts added or removed as group owners) through dedicated reports.
  • Correlated on-premises AD and Entra ID activity for hybrid users, giving a unified view for accounts that span both directories.
  • Every Entra ID role assignment change, with the assigning account, timestamp, and role affected.
Screenshot: Recently Added Members to Groups report in the Cloud Directory tab, showing group name, member added, caller user name, modified time, and tenant name for Microsoft Entra ID group membership changes.

Report on Entra ID group membership changes with dedicated reports.

Get real-time alerts on group membership changes

ADAudit Plus ships with pre-configured alert profiles for the group change events that carry the most security risk. You are alerted:

  • When any privileged group membership changes, so an account elevated into Domain Admins is visible to your team as soon as the event is logged.
  • When a security group is deleted, so permission gaps caused by accidental or malicious deletions are caught before users report access failures.
  • When a group's membership changes beyond the pattern normal for that group: user behavior analytics surfaces the deviation, letting you distinguish routine provisioning from unusual bulk additions.
  • When AdminSDHolder permissions change, so the modification can be reviewed before the next SDProp cycle copies it to protected accounts.

Meet compliance requirements for group change auditing

Group membership changes are audit-relevant events under every major compliance standard. ADAudit Plus includes pre-built compliance report sets for SOX, HIPAA, PCI-DSS, GDPR, ISO 27001, GLBA, and FISMA. Each report set maps group membership change events to the specific control requirements of that standard, so audit evidence is ready to present without manual compilation or log extraction.

Custom report profiles extend this further. You can combine specific groups, audit actions, and time filters into saved views, so a recurring compliance review for a subset of privileged groups runs in seconds rather than requiring a fresh report build each cycle.

Why native tools fall short

The Windows Security event log records that a group membership changed. It does not tell you why, whether it was authorized, or whether the same actor made ten similar changes elsewhere in the directory in the same session. Answering those questions with native tools requires manual effort that does not scale. There are several additional issues with natively auditing group membership changes:

  • Security event logs are stored locally on each domain controller, and a membership change is logged only by the DC that processed the write. In a multi-DC environment the group change event may sit on a different DC from the logon event that preceded it, so you must collect from every DC and correlate the two by logon ID yourself.
  • Event Viewer can filter by event ID, which separates global (4728/4729), domain local (4732/4733), and universal (4756/4757) membership changes, but it has no notion of a group's privileged status. Finding all changes to Domain Admins across a 30-day period means filtering on those IDs and then reading the target group out of each event, which requires scripting or manual log review.
  • PowerShell can query AD for current group membership but has no native history. Replication metadata (Get-ADReplicationAttributeMetadata with -ShowAllLinkedValues) records when each member value was added or deleted, but not by whom, so it cannot tell you who made a specific membership change last Tuesday.
  • Neither Event Viewer nor PowerShell provides old and new values for group attribute changes out of the box. The group-changed events (4735, 4737, 4755) carry new values only; recovering the previous value requires the Directory Service Changes audit subcategory (event 5136) plus an auditing SACL on the objects, and then custom queries to pair each deleted value with the value added in its place.
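To make those gaps concrete, here is an added PowerShell example (my own, not ADAudit Plus code or anything from the page) that performs each native step by hand: it collects the membership-change events from every DC in the domain, reads a group's per-member replication metadata for history that has timestamps but no actor, and checks whether the Directory Service Changes subcategory that event 5136 depends on is enabled. It runs only against a live domain and assumes the RSAT ActiveDirectory module, rights to read every DC's Security log and to run auditpol, and a group distinguished name supplied by the caller; the function names are illustrative.

```powershell
# Added example, not ADAudit Plus code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GroupMembershipEventsAllDCs {
    # Each DC logs only the membership writes it processed itself, so query
    # every DC and merge; correlate to logon events later by SubjectLogonId.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $Since }
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Get-WinEvent errors when a DC has no matching events; treat that as empty.
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc.HostName; EventId = $e.Id
                Group = $d['TargetUserName']; GroupSid = $d['TargetSid']; Member = $d['MemberName']
                Actor = $d['SubjectUserName']; LogonId = $d['SubjectLogonId']
            }
        }
    }
}

function Get-GroupMemberLinkHistory {
    # Replication metadata for the linked 'member' attribute: when each value
    # was added (FirstOriginatingCreateTime) or removed (LastOriginatingDeleteTime)
    # and on which DC the change originated. It never records the actor.
    param([Parameter(Mandatory)][string]$GroupDn, [string]$Server = (Get-ADDomain).PDCEmulator)
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $Server -ShowAllLinkedValues |
        Where-Object AttributeName -eq 'member' |
        Select-Object AttributeValue, Version, FirstOriginatingCreateTime,
                      LastOriginatingChangeTime, LastOriginatingDeleteTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

function Get-DirectoryServiceChangesAuditSetting {
    # Event 5136 (old and new attribute values) needs this subcategory, which is
    # off by default, plus an auditing SACL on the objects. auditpol /r emits
    # CSV, so the current setting can be read back as an object.
    $row = auditpol /get /subcategory:"Directory Service Changes" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $row.'Inclusion Setting'
    # Reads 'No Auditing' until you enable it, e.g.:
    #   auditpol /set /subcategory:"Directory Service Changes" /success:enable
}

# Usage against a live domain:
# Get-GroupMembershipEventsAllDCs -Since (Get-Date).AddDays(-7) |
#     Where-Object GroupSid -like '*-512' | Sort-Object Time | Format-Table -AutoSize
# Get-GroupMemberLinkHistory -GroupDn 'CN=Domain Admins,CN=Users,DC=corp,DC=example'
# Get-DirectoryServiceChangesAuditSetting
```

The first function is what "manual correlation across DCs" actually costs: one remote event query per DC, XML parsing per event, and a join on SubjectLogonId against the 4624 logon events that live wherever the actor authenticated. The second is the best history PowerShell can offer: Version and the originating timestamps tell you that a member was added and later removed, but the actor is simply not in the replication metadata. The third shows why "old and new values" are not free natively: until the subcategory is on and the SACL exists, 5136 is never written.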

ADAudit Plus closes these gaps from a single console: the DC audit policies it depends on can be configured from the product rather than by hand, and no custom scripting is required. Every group change event is collected from the DC that logged it, correlated with the actor and machine, and made available through pre-configured reports the moment the change occurs.

Download a free 30-day trial of ADAudit Plus and get complete visibility into every group membership change across your Active Directory environment.

4 compelling reasons to choose ADAudit Plus

Widely recognized

ADAudit Plus has been recognized as a Gartner Peer Insights Customers' Choice for Security Information and Event Management (SIEM) for four consecutive years.

Easy deployment

Go from downloading ADAudit Plus to receiving predefined reports and alerts in under 30 minutes, without any professional help.

Competitive pricing

ADAudit Plus is licensed per server, unlike other IT auditing tools that are licensed per user. With per-server licensing, even as your user count grows each year, you can continue to ingest log data without additional cost.

Unified visibility

ADAudit Plus consolidates auditing, security, and compliance across Active Directory, Entra ID, Windows servers, workstations, and file servers into a single pane of glass, eliminating the need to juggle multiple tools.

Frequently asked questions

What group changes does ADAudit Plus audit?

ADAudit Plus captures every security and distribution group membership addition and removal, along with group attribute changes, scope and type modifications, group creation and deletion, and AdminSDHolder permission changes. Every event includes the actor, timestamp, domain controller, and source machine.

How does ADAudit Plus alert on privileged group changes?

ADAudit Plus notifies stakeholders immediately when any membership change occurs in Domain Admins, Enterprise Admins, Schema Admins, or any other group you designate as privileged. Email and SMS notifications are sent as soon as the event is logged, so an unexpected elevation can be reviewed and reverted right away.

Does ADAudit Plus show old and new values for group changes?

Yes. The Group Attribute New and Old Value report captures before-and-after values for every group attribute change. Membership additions and removals are recorded with full event context, and the Group Object History report shows the complete change sequence for any group.

Does ADAudit Plus audit Microsoft Entra ID group changes?

Yes. ADAudit Plus tracks Microsoft Entra ID group membership additions, removals, and owner changes through the Cloud Directory tab. Microsoft Entra ID role membership changes are also captured. Hybrid environments get a correlated view of on-premises AD and Microsoft Entra ID group activity from a single console.

Which compliance standards require group membership change auditing?

SOX, HIPAA, PCI-DSS, GDPR, GLBA, FISMA, and ISO 27001 all require access change tracking that includes group membership events. ADAudit Plus includes pre-built compliance report sets for each standard, mapping group membership change events to specific control requirements and exporting audit evidence on demand.

Can ADAudit Plus detect attacks that abuse group membership?

Yes. The Attack Surface Analyzer detects techniques including DCSync, which requires an account with directory replication rights (granted directly or inherited through membership in a group such as Domain Admins), and Golden Ticket attacks, which forge a TGT from the krbtgt key and typically assert Domain Admins membership in the forged ticket. Each detected event includes a full timeline showing what happened before, during, and after the attack attempt.