
In Active Directory, distribution groups are created for the purpose of email distribution. These groups are used in Microsoft Exchange to send emails to the members of specific distribution lists. Distribution groups are also referred to as security-disabled groups. But don't let the name mislead you; security breaches and compliance issues can arise from the misuse of these groups as well. For instance, if a user is added to the finance team's distribution group, that user will start receiving confidential information about the company's financial data and other procedures, which could lead to a data breach. It is therefore essential to track the creation of new distribution groups, attribute changes to distribution groups, and users added to or removed from these groups.

Note: Within Active Directory, a distribution group refers to any group that doesn't have a security context, whether it's associated with mailing lists or not. In Exchange Online, all mail-enabled groups are referred to as distribution groups, whether they have a security context or not.

This article is a quick refresher on how to enable auditing of distribution groups, the events you should track, and how you can use ADAudit Plus to track these events. If you are looking to set up this audit policy from scratch, we recommend you check out our post on How to check who was recently added to a distribution list, which elaborates on the steps to configure audit policies for distribution groups and check who was newly added to a group.

How to enable auditing of distribution groups:

  • In the Group Policy Management Console, click Edit on the desired group policy to open the Group Policy Management Editor.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
  • Enable the success and failure options for Audit account management. You can also allow for more granular auditing: select Advanced Audit Policy > Audit Policy > Account Management > Audit User Account Management.

Events related to distribution groups that you should monitor

Here is a list of events you should monitor with respect to your distribution groups. Enabling auditing for these events is also recommended by Microsoft.

Events List:

  • 4744: A security-disabled local group was created.
  • 4745: A security-disabled local group was changed.
  • 4746: A member was added to a security-disabled local group.
  • 4747: A member was removed from a security-disabled local group.
  • 4748: A security-disabled local group was deleted.
  • 4749: A security-disabled global group was created.
  • 4750: A security-disabled global group was changed.
  • 4751: A member was added to a security-disabled global group.
  • 4752: A member was removed from a security-disabled global group.
  • 4753: A security-disabled global group was deleted.
  • 4759: A security-disabled universal group was created.
  • 4760: A security-disabled universal group was changed.
  • 4761: A member was added to a security-disabled universal group.
  • 4762: A member was removed from a security-disabled universal group.
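
As an added example (not part of the original article and not ADAudit Plus code), the PowerShell below collects the event IDs listed above from a domain controller's Security log and flattens each event into which group changed, which member was involved, and who made the change. The function names and the sample event XML are constructed for illustration.

```powershell
# Event IDs from the list above, mapped to group scope and action.
$GroupEventMap = @{
    4744 = 'Local/Created';     4745 = 'Local/Changed';     4746 = 'Local/MemberAdded'
    4747 = 'Local/MemberRemoved';     4748 = 'Local/Deleted'
    4749 = 'Global/Created';    4750 = 'Global/Changed';    4751 = 'Global/MemberAdded'
    4752 = 'Global/MemberRemoved';    4753 = 'Global/Deleted'
    4759 = 'Universal/Created'; 4760 = 'Universal/Changed'; 4761 = 'Universal/MemberAdded'
    4762 = 'Universal/MemberRemoved'
}
# Flatten one event's XML into: which group, what happened, which member, who did it.
function ConvertFrom-GroupEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $sys  = $doc.Event.System
    $id   = [int]$sys['EventID'].InnerText
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $scope, $action = $GroupEventMap[$id] -split '/'
    [pscustomobject]@{
        Time    = $sys.TimeCreated.SystemTime
        EventId = $id
        Scope   = $scope
        Action  = $action
        Group   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        Member  = $data.MemberName   # only present on member added/removed events
        Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    }
}
# Live query (hypothetical helper). Events are written on the DC that processed the change, so query each DC.
function Get-DistributionGroupChange {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = @($GroupEventMap.Keys); StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupEventXml -Xml $_.ToXml() }
}
# Constructed sample of a 4751 event (all values are illustrative).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4751</EventID><TimeCreated SystemTime="2024-01-15T09:30:00Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=com</Data>
    <Data Name="TargetUserName">Finance-DL</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupEventXml -Xml $sample
```

On a domain controller, piping `Get-DistributionGroupChange` through `Where-Object Action -eq 'MemberAdded'` narrows the output to new members, which is the case the finance-group scenario above describes.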

How ADAudit Plus can help you track changes to your distribution lists

You may use Event Viewer, the native event analysis tool, to investigate these events. Though Event Viewer is a good tool to use, manually analyzing these events one by one is time-consuming. Further, Event Viewer doesn't give you an overview of the implications of these events on the network. To conduct in-depth analysis and get a holistic view of what's happening in your network, you must use a comprehensive AD auditing solution like ADAudit Plus.

ADAudit Plus is a one-stop solution that brings together an intuitive user interface, pre-configured reports, and advanced filter options that make it easy for you to track changes to your network, and detect threats immediately. You get a fully equipped dashboard that gives you a holistic view of the various systems in your network. This way you can correlate events across the network and spot suspicious behavior.

How to audit distribution group changes using ADAudit Plus

  • Log in to the ADAudit Plus console.
  • Select the Reports tab and navigate to Group Management. You have pre-configured reports on Distribution Groups. You can select the desired report from the list.
  • Select the Domain.
  • Customize the Period to the desired time range. You can also define a custom period and save it for quick reference.
  • A detailed audit information report is generated for the selected period.
  • Clicking on an event in the bar graph filters the report view, highlighting only the selected event.
  • Advanced filter attributes help you locate the specific event that you're looking for.

Image: Recently Added Members in Distribution Groups report in ADAudit Plus

Image: Recently Deleted Distribution Groups report in ADAudit Plus

Image: Recently Created Distribution Groups In ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permissions changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
