How to track changes made to an Active Directory group

What happens if a group in Active Directory is deleted unexpectedly? The users in that group lose the permissions they need to do their jobs and may be unable to access important resources such as e-mail, file servers, and print servers. Such issues can cause downtime and reduce business productivity. IT admins must also be aware of new members added to a group, and of existing members removed from one group and added to another. Let's have a look at how IT admins can track changes made to an AD group.

The following compares two ways to track changes made to an Active Directory group: native auditing and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

With ADAudit Plus

  • Log in to the ADAudit Plus web console as an administrator.

  • Navigate to the Reports tab and, from the Group Management section in the left pane, select the desired report. For example, let us select the Recently created Security Groups report.

  • Select the domain and click Generate.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

With Native AD Auditing

  • Open the Group Policy Management Console. Create a new GPO and edit it -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:

    1. Audit Account Management -> Check the box for Success

    2. Audit Directory Service Access -> Check the box for Success

    3. Click Apply.

  • Navigate to Security Settings Level -> Properties -> Event Log:

    1. Maximum security log size -> Define to 4,000,000 KB (or 4 GB)

    2. Retention method for security log -> Define to Overwrite events as needed

  • Link the new GPO: Navigate to "Group Policy Management" -> Right-click domain or OU -> Click "Link an existing GPO" -> Choose the newly created GPO

  • Force the group policy update: In "Group Policy Management", right-click the defined OU -> Choose "Group Policy Update"

  • Open ADSI Edit -> Right-click ADSI Edit -> Connect to Default Naming Context -> Right-click DomainDNS object with your domain name -> Properties -> Security -> Advanced -> Auditing -> Add Principal "Everyone" -> Type "Success" -> Applies to "This object and descendant objects" -> Mark all checkboxes except "Full Control, List Contents, Read all properties, Read Permissions" -> Select "OK"

  • Open Event Viewer -> Filter the Security log to locate the following event IDs (Windows Server 2003/2008-2012):

    1. 4727, 4731, 4754, 4759, 4744, 4749 – Group created

    2. 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group

    3. 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group

    4. 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted

    5. 4735, 4737, 4745, 4750, 4755, 4760 – Group changed

    6. 4662 - An operation was performed on an object (Type: Directory Service Access).

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Native auditing has the following limitations for tracking changes made to Active Directory groups:

  • Setting up native auditing is quite a lengthy process.

  • Real-time alerts cannot be set up using native auditing, and continuously looking for changes in Active Directory groups is a redundant and error-prone process for IT admins.

  • It's difficult to generate the report for different time zones and date formats.

ADAudit Plus will generate the report of changes made in Active Directory groups and display it in a simple and intuitively designed UI. ADAudit Plus can also generate alerts based on conditions set by the organization's IT team.


© 2019 Zoho Corp. All rights reserved.