With Native AD Auditing
With ADAudit Plus
Log in to the ADAudit Plus web console as an administrator.
Navigate to the Reports tab and from the Group Management section in the left pane, select the desired report. For example, let us select the Recently created Security Groups report.
Select the domain and click Generate.
Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).
With Native AD Auditing
Open the Group Policy Management Console. Create a new GPO and edit it -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
Audit Account Management -> Check the box for Success
Audit Directory Service Access -> Check the box for Success
Navigate to Security Settings Level -> Properties -> Event Log:
Maximum security log size -> Define to 4,000,000 KB (or 4 GB)
Retention method for security log -> Define to Overwrite events as needed
Link the new GPO: Navigate to "Group Policy Management" -> Right-click domain or OU -> Click "Link an existing GPO" -> Choose the newly created GPO
Force the group policy update: In "Group Policy Management", right-click the defined OU -> Choose "Group Policy Update"
Open ADSI Edit -> Right-click ADSI Edit -> Connect to Default Naming Context -> Right-click DomainDNS object with your domain name -> Properties -> Security -> Advanced -> Auditing -> Add Principal "Everyone" -> Type "Success" -> Applies to "This object and descendant objects" -> Mark all checkboxes except "Full Control, List Contents, Read all properties, Read Permissions" -> Select "OK"
Open Event Viewer -> Filter the Security log to locate these event IDs (Windows Server 2003/2008-2012):
4727, 4731, 4754, 4759, 4744, 4749 – Group created
4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
4735, 4737, 4745, 4750, 4755, 4760 – Group changed
4662 - An operation was performed on an object (Type: Directory Service Access).
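The Event Viewer filtering step above can also be scripted. The following PowerShell is an added example, not part of the original page or of ADAudit Plus; the function name Get-GroupChangeEvent and its parameters are hypothetical, and it assumes it is run on (or against) a domain controller by an account allowed to read the Security log.

```powershell
# Event IDs from the list above, grouped by change type.
$GroupEventIds = [ordered]@{
    'Group created'  = 4727, 4731, 4754, 4759, 4744, 4749
    'Member added'   = 4728, 4732, 4756, 4761, 4746, 4751
    'Member removed' = 4729, 4733, 4757, 4762, 4747, 4752
    'Group deleted'  = 4730, 4734, 4758, 4748, 4753, 4763
    'Group changed'  = 4735, 4737, 4745, 4750, 4755, 4760
}

function Get-GroupChangeEvent {   # hypothetical helper name
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,  # assumption: a domain controller
        [datetime] $After = (Get-Date).AddDays(-1)
    )
    foreach ($change in $GroupEventIds.GetEnumerator()) {
        # One query per change type: a single filter carrying all 30 IDs
        # exceeds what the event log query engine accepts.
        $filter = @{ LogName = 'Security'; Id = $change.Value; StartTime = $After }
        try {
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events found" is normal; anything else (access denied, RPC) must surface.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            throw
        }
        foreach ($evt in $events) {
            # Collect the named EventData fields from the event XML.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Change      = $change.Key
                Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Member      = $data['MemberName']   # only set on member added/removed events
            }
        }
    }
}

# Group changes from the last 7 days, oldest first.
Get-GroupChangeEvent -After (Get-Date).AddDays(-7) | Sort-Object TimeCreated | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so the function has to be run against every DC to see all group changes in the domain.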
Native auditing has the following limitations for tracking changes made to Active Directory groups:
Setting up native auditing is quite a lengthy process.
Real-time alerts cannot be set up using native auditing, and continuously looking for changes in Active Directory groups is a redundant and error-prone process for IT admins.
It's difficult to generate the report for different time zones and date formats.
ADAudit Plus will generate the report of changes made in Active Directory groups and display it in a simple and intuitively designed UI. ADAudit Plus can also generate alerts based on conditions set by the organization's IT team.