How to track changes to groups in Active Directory?

Groups categorize users according to the permissions and access assigned to them. A change to an AD group can therefore cut a set of users off from resources they need, or hand a malicious insider access to sensitive data, and it can do so silently, because nothing on the user account itself changes. This is why IT administrators need to audit AD group changes continuously rather than after the fact.

AD group changes can be detected using the tools available in native AD infrastructure. You can also simplify this process by using ADAudit Plus, a real-time Active Directory auditing solution.


How to track AD group changes with ADAudit Plus

  • ADAudit Plus reads the Security logs of your domain controllers, so the Windows audit policy for account management (and, for attribute-level changes, directory service access) has to be enabled on the domain controllers first; the native steps below show how.

  • In the ADAudit Plus console, go to the 'Reports' tab and select 'Group Management' in the left pane. This provides a list of pre-configured reports on group activity within AD.

  • A consolidated view of user activity in relation to AD groups is available in the 'User Management' section.

  • The pre-configured reports include recently created and deleted security groups and members added to or removed from a security group. You can also build custom reports and export reports as CSV, PDF, XLS or HTML.

  • You can apply attribute-based filters such as 'Group Name', 'Domain Controller', 'Member Name', 'Group Scope' and more.

  • ADAudit Plus is a more effective solution to track AD group changes. With this solution, instead of looking for individual event IDs, you can have a consolidated view of all your group changes for a particular period. The solution's pre-configured reports also help you effortlessly track important changes to your AD with just a few clicks.

Tracking group changes with native AD tools

  • Step 1: Enable the audit policy through Group Policy
  • Launch 'Server Manager' and open the Group Policy Management Console (GPMC).

  • In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the domain you want to track changes for.

  • Group changes are recorded in the Security log of the domain controller that processed them, so the policy has to apply to the domain controllers. Expand the domain, then the 'Domain Controllers' OU, and right-click 'Default Domain Controllers Policy' (or create a new GPO and link it to the Domain Controllers OU). Editing 'Default Domain Policy' also works, since it applies to every computer in the domain, but it is broader than you need.

  • Click 'Edit' to open the Group Policy Management Editor.

  • Expand 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Local Policies' > 'Audit Policy'.

  • Enable 'Success' and 'Failure' for 'Audit account management' (this produces the group events listed in Step 3) and for 'Audit directory service access' (this makes the SACL you set in Step 2 take effect). 'Audit object access' covers files and the registry, not directory objects, and is not needed here. On Windows Server 2008 R2 and later you can instead enable the finer-grained subcategories under 'Security Settings' > 'Advanced Audit Policy Configuration' > 'Audit Policies': 'Account Management' > 'Audit Security Group Management' and 'DS Access' > 'Audit Directory Service Changes'. Note that once any advanced subcategory is configured, the legacy 'Audit Policy' settings are overridden, so pick one of the two and stick with it. Exit the Group Policy Management Editor.

  • Back in the GPMC, select the GPO and check the 'Security Filtering' list on its 'Scope' tab. The default 'Authenticated Users' entry already covers the domain controllers' computer accounts, so nothing needs to be added unless that default was removed. Exit the GPMC.

  • Group Policy refreshes on its own (within about 5 minutes on domain controllers). To apply the change immediately, run 'gpupdate /force' from an elevated command prompt on each domain controller; the command only refreshes the machine it is run on.

  • Step 2: Set the audit SACL on the domain through ADSI Edit
  • From 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right-click the 'ADSI Edit' node in the left pane and select 'Connect to'. This opens the 'Connection Settings' window.

  • Select 'Default naming context' from the 'Select a well known Naming Context' drop-down list and click 'OK'.

  • Back in the ADSI Edit window, expand 'Default naming context' and select the domain node beneath it (the entry that starts with 'DC=', for example DC=yourdomain,DC=com). Right-click it and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and click 'Advanced'. Then select the 'Auditing' tab and click 'Add'.

  • Click 'Select a principal'. In the 'Select User, Computer, Service Account, or Group' window, type 'Everyone' and click 'Check Names'.

  • The 'Principal' in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit both success and failure.

  • In the 'Applies to' drop-down choose 'This object and all descendant objects', so the entry is inherited by every object in the domain, including groups in every OU. Tick 'Full Control' in the 'Permissions' section.

  • This selects every checkbox. Now clear the following four, so that reads are not audited (otherwise every LDAP read of the directory would generate an event and flood the Security log):

    1. Full Control

    2. List Contents

    3. Read all properties

    4. Read permissions

  • Click 'OK' in each window to save. This SACL produces directory service events (for example 4662 and, with 'Audit Directory Service Changes', 5136 with the old and new attribute values) in addition to the account-management events in Step 3. On a busy domain this is a significant volume, so raise the maximum size of the Security log on the domain controllers accordingly, or forward it to a collector.

  • Step 3: View events in Event Viewer
  • Open 'Event Viewer', expand 'Windows Logs' and select 'Security'. The events listed below record AD group changes; use 'Filter Current Log' and enter their IDs in the 'Event IDs' field to see only those.

  • Event ID 4727: A security-enabled global group was created

  • Event ID 4728: A member was added to a security-enabled global group

  • Event ID 4729: A member was removed from a security-enabled global group

  • Event ID 4730: A security-enabled global group was deleted

  • These four IDs cover global security groups only. Domain local security groups log the same operations as 4731 (created), 4732 (member added), 4733 (member removed) and 4734 (deleted); universal security groups as 4754, 4756, 4757 and 4758. Changes to a group's own attributes, such as a rename, are logged as 4735 (local), 4737 (global) and 4755 (universal). In every case the 'Subject' section names the account that made the change and the 'Group' section names the group; the member-add and member-remove events also carry a 'Member' section with the distinguished name of the account that was added or removed, which is the field to watch for additions to privileged groups such as Domain Admins.
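The three steps above, verified and queried from PowerShell. This is an added example, not part of the original page and not ADAudit Plus code; it assumes it is run in an elevated session on a domain controller with the ActiveDirectory module (RSAT) installed, and that a 24-hour look-back window is what you want. It checks the audit policy from Step 1 and the SACL from Step 2, then pulls the Step 3 events (plus their local and universal group equivalents) into a table showing the group, the member and the account that made the change.

```powershell
# Added example (not from the original page). Assumes: elevated PowerShell on a
# domain controller, ActiveDirectory module available, 24-hour look-back window.

# Step 1 check: the subcategories behind the events below must show Success and Failure.
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"Directory Service Changes"

# Step 2 check: list the audit entries on the domain root (the SACL set in ADSI Edit).
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$domainDn" -Audit).Audit |
    Where-Object { $_.IdentityReference -like '*Everyone*' } |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, InheritanceType

# Step 3: map event IDs to readable actions. 4727-4730 are the global-group events
# listed on the page; the local and universal group IDs are the same operations
# for the other two group scopes.
$groupEvents = @{
    4727 = 'Global security group created'
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4730 = 'Global security group deleted'
    4731 = 'Local security group created'
    4732 = 'Member added to local security group'
    4733 = 'Member removed from local security group'
    4734 = 'Local security group deleted'
    4754 = 'Universal security group created'
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
    4758 = 'Universal security group deleted'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$groupEvents.Keys
    StartTime = (Get-Date).AddHours(-24)   # assumed look-back window
}

# -ErrorAction SilentlyContinue suppresses the "No events were found" error on a quiet DC.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # The named fields live in the event's XML EventData; index them by their Name attribute.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Action    = $groupEvents[$_.Id]
        Group     = $data['TargetUserName']     # the group that was changed
        Domain    = $data['TargetDomainName']
        Member    = $data['MemberName']         # DN of the member; empty for create/delete events
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC        = $_.MachineName
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because each domain controller only logs the changes it processed itself, run this on every DC, or add '-ComputerName' to 'Get-WinEvent' and loop over the output of 'Get-ADDomainController -Filter *'. To alert on privileged-group changes, filter the resulting objects on 'Group' (for example 'Domain Admins', 'Enterprise Admins', 'Administrators') and on the member-added event IDs 4728, 4732 and 4756.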

Does native auditing become a little too much?

Simplify group management and reporting with ADAudit Plus.



© 2019 Zoho Corp. All rights reserved.