How to detect who added a user to a privileged group

Privileged groups are security groups whose members handle administration and other exclusive management tasks that are important to the organization. They can also be created to manage a specific set of users in a specific division, such as finance managers in the finance division of a company. Users in privileged groups in AD are given more security access and more audit or share privileges than other users. An unwanted addition to a privileged group could give a malicious insider access to sensitive information and a higher level of privileges. This makes tracking privileged accounts important. Given below are steps to check who added a user to a privileged group using native AD tools. You can also see how ADAudit Plus can simplify this process by clicking on the ADAudit Plus tab.

  • With Native AD Auditing

  • With ADAudit Plus

  • How to track who added a user to a privileged group with ADAudit Plus
  • In the ADAudit Plus console, go to the 'Reports' tab and navigate to 'User Management' in the left pane. Select 'Recently Moved Users'. This gives you a report on users who have been shifted into different containers.

  • You can use the filter attributes to look for a specific event where a user has been moved into a privileged group.

  • The pre-configured reports include recently created and deleted security groups, and any members added to or removed from a security group. You can also create custom reports and export reports in CSV, PDF, XLS, or HTML format.

  • Correlate multiple reports to spot anomalous activity in the network.

  • Step 1: Enable Group Policy Auditing
  • Launch the 'Server Manager' and open the Group Policy Management Console (GPMC).

  • In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the specific domain you want to track the changes for.

  • Expand the domain and right click 'Default Domain Policy'. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.

  • Click on 'Edit' of the desired group policy, to open up the Group Policy Management Editor.

  • Expand 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Local Policies' > 'Audit Policy'.

  • Enable 'success' for 'Audit account management' and 'Audit object access' policy properties. Exit Group Policy Management Editor.

  • In the GPMC choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'everyone' in the text box and click 'Check Names' to include the value. Exit the GPMC.

  • To enforce these changes throughout the domain, run the command 'gpupdate /force' in the 'Run' console.

  • Step 2: Allow AD Auditing through ADSI Edit
  • From your Server Manager go to Tools and select ADSI Edit.

  • Right click ADSI Edit node from the left pane and select Connect to option. This pulls up the Connection Settings window.

  • Select the Default Naming Context option from the Select a well-known Naming Context drop down list.

  • Click Okay and return to the ADSI Edit window. Expand Default Naming Context and select the associated 'DC' subnode. Right click this subnode and click 'Properties'.

  • In the Properties window, go to the Security tab and select Advanced. After that select Auditing tab and click Add.

  • Click on Select a principal. This will bring up a Select User, Computer or Group window. Type 'Everyone' in the textbox and verify it with Check Names.

  • The principal in the Auditing Entry window now shows 'Everyone'. In the 'Type' drop-down select All to audit for both 'success' and 'failure' events.

  • In the Select drop-down choose This object and all descendant objects. This allows the auditing of the OU's descendant objects. Select Full Control in the 'Permissions' section.

  • This selects all the checkboxes available. Unselect the following check boxes:

    1. Full Control

    2. List Contents

    3. Read all properties

    4. Read permissions

  • You can view events in the 'Event Viewer'. You can access the 'Security Logs' under 'Windows Logs'.

  • Event ID 4728: A member has been added to a security-enabled group.

  • You can search for this event ID to check who added a user to a privileged group.
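
The search described above can also be scripted. The following is an added example, not part of the original page or of ADAudit Plus: a PowerShell function that reads the membership events from a domain controller's Security log and reports which account performed each addition. It goes beyond the page by also matching event IDs 4732 and 4756, the domain-local and universal group counterparts of 4728; the function name and the list of privileged groups are assumptions to adjust for your domain.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# session with rights to read the Security log on the domain controller.

# Assumption: the groups treated as privileged in this domain.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 4728 is the event named on the page (global groups). 4732 (domain local)
# and 4756 (universal) are the same event for the other group scopes.
$EventIds = 4728, 4732, 4756

# Hypothetical helper name; not a built-in cmdlet.
function Get-PrivilegedGroupAddition {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $After        = (Get-Date).AddDays(-7),
        [string[]] $Groups       = $PrivilegedGroups
    )

    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $After }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            $evt = $_

            # Named fields live in the event XML under EventData/Data[@Name].
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # TargetUserName is the group that was changed.
            if ($Groups -contains $data['TargetUserName']) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    EventId     = $evt.Id
                    Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    MemberAdded = $data['MemberName']   # DN of the account that was added
                    MemberSid   = $data['MemberSid']
                    AddedBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    LogonId     = $data['SubjectLogonId']
                    DC          = $evt.MachineName
                }
            }
        }
}

Get-PrivilegedGroupAddition | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The event is written only on the domain controller that processed the change, so run the function against every domain controller (via `-ComputerName`) to get full coverage. The `LogonId` value can be matched against logon events to find the session the change was made from.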

Does native auditing become a little too much?

Simplify privileged group auditing and reporting with ADAudit Plus.


© 2019 Zoho Corp. All rights reserved.