Open Group policy management console. Create a new GPO and edit it -> Computer configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:

1. Audit Account Management -> Check the box for Success

2. Audit Directory Service Access -> Check the box for Success

3. Click Apply.

Navigate to Security Settings Level -> Properties -> Event Log:

1. Maximum security log size -> Define to 4,000,000 KB (or 4 GB)

2. Retention method for security log -> Define to Overwrite events as needed

Link the new GPO: Navigate to "Group Policy Management" -> Right-click domain or OU -> Click "Link an existing GPO" -> Choose the newly created GPO

Force the group policy update: In "Group Policy Management", right-click the defined OU -> Choose "Group Policy Update"

Open ADSI Edit -> Right-click ADSI Edit -> Connect to Default Naming Context -> Right-click DomainDNS object with your domain name -> Properties -> Security -> Advanced -> Auditing -> Add Principal "Everyone" -> Type "Success" -> Applies to "This object and descendant objects" -> Mark all checkboxes except "Full Control, List Contents, Read all properties, Read Permissions" -> Select "OK"

Open Event viewer -> Filter Security log to locate event IDs (Windows Server 2003/2008-2012):

1. 4727, 4731, 4754, 4759, 4744, 4749 – Group created

2. 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group

3. 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group

4. 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted

5. 4735, 4737, 4745, 4750, 4755, 4760 – Group changed

6. 4662 - An operation was performed on an object (Type: Directory Service Access).