Imagine, for a second, what would happen if an Active Directory group was deleted. Users in that group would instantly lose the permissions they need to do their jobs, and they may no longer be able to access their email, file servers or other critical resources. It is therefore necessary to keep an eye on any changes made to administrative or security-enabled groups. IT administrators must also be aware of new members added to a group, and of existing members removed from one group and added to another. This article covers the steps to audit and track Active Directory group membership changes, both with the native method and with LepideAuditor for Active Directory. Let’s start with the native auditing method:

Step 1: Enable Active Directory Auditing through Group Policy

1. Type GPMC.MSC in the “Run” box and press “Enter.” The “Group Policy Management” console opens.

2. Go to “Forest” → “Domains” → “” in the left panel.

3. Right-click the “Default Domain Policy” or any customized domain-wide policy. (We recommend creating a new GPO, linking it to the domain, and editing that instead.)

4. Select “Edit” to access “Group Policy Management Editor.”

5. Next, navigate to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policies”.

Figure 1: Group Policy Management Editor

6. Double-click “Audit account management” to access its properties.

7. Click to select “Define these policy settings” option.

8. Select both the “Success” and “Failure” checkboxes so that the audit policy records both successful and failed events.

9. Now, close “Group Policy Management Editor”.

10. After closing it, you will be back at “Group Policy Management Console”. Select the GPO that you have modified.

11. In the “Security Filtering” section in the right pane, click “Add” to apply this GPO to all Active Directory objects. Type “Everyone” in the dialog box that opens, click “Check Names” and then “OK” to add the value.

12. Close “Group Policy Management Console”.

13. It is recommended to update Group Policy immediately so that the new settings apply across the domain. Run the following command at the Command Prompt or in the “Run” box to update Group Policy on the domain controllers.

gpupdate /force

Step 2: Enable Auditing of Active Directory through ADSI edit

1. Go to “Administrative Tools” in the “Start Menu” or “Control Panel” and open “ADSI Edit.”

2. Right-click the ADSI Edit node in the left panel and select “Connect To”.

3. In the “Connection Settings” window, select “Default Naming Context” in the “Select a well known Naming Context” drop-down menu.

Figure 2: Connection Settings for ADSI Edit

4. Click “OK” to establish the connection to the Default Naming Context of the domain. It is the node displayed in the left tree pane, just below the top ADSI Edit node.

5. Expand “Default Naming Context []” and select the top node under it.

6. Right-click this top node (the one named with the fully qualified domain name) and click “Properties” in the context menu.

7. In the properties, switch to the “Security” tab and click the “Advanced” button to access “Advanced Security Settings for www”.

8. Switch to the “Auditing” tab and click the “Add” button to add a new auditing entry. The “Auditing Entry for www” window appears on the screen.

Figure 3: Auditing Entry window

9. Click “Select a principal” to add “Everyone”.

10. Set “Type” to “Success” and “Applies to” to “This object and descendant objects.”

11. Under “Permissions,” select all check boxes by clicking “Full Control,” and then clear the following permissions so that read operations are not audited:

  • Full Control
  • List contents
  • Read all properties
  • Read permissions

12. Click “OK”.

Step 3: Track Group Membership changes through Event Viewer

To track the changes in Active Directory, open “Windows Event Viewer” and go to “Windows Logs” → “Security.” Use “Filter Current Log” in the right pane to find the relevant events.

The following are some of the events related to group membership changes.

a) Event ID 4727 indicates a Security Group is created.

Figure 4: A security-enabled group is created

The following screenshot shows more detail of this event.

Figure 5: Event details showing that Test Group 1 is created.

b) Event ID 4728 indicates a ‘Member is added to a Security Group’.

c) Event ID 4729 indicates a ‘Member is removed from a Security-enabled Group’.

d) Event ID 4730 indicates a ‘Security Group is deleted’.

The following screenshot filters all events related to changes in Active Directory Group Memberships.

Figure 6: Different events visible in the Event Viewer
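As an added example (not part of the original article or of LepideAuditor), the following PowerShell script, run as an administrator on a domain controller, first confirms that the “Security Group Management” audit subcategory enabled in Step 1 is in effect and then pulls the group-membership events above from the Security log, reducing each one to who changed which group, when and where. It goes beyond the article’s list by also including the domain-local (4731–4734) and universal (4754, 4756–4758) equivalents of the global-group events 4727–4730; the 24-hour time window is an assumption.

```powershell
# Added example, not the article's or Lepide's code. Run on a domain controller as admin.
# The article lists 4727-4730 (security-enabled global groups); the domain-local and
# universal group equivalents are included here so no membership change is missed.
$GroupEvents = @{
    4727 = 'Global group created';            4728 = 'Member added to global group'
    4729 = 'Member removed from global group'; 4730 = 'Global group deleted'
    4731 = 'Local group created';             4732 = 'Member added to local group'
    4733 = 'Member removed from local group';  4734 = 'Local group deleted'
    4754 = 'Universal group created';         4756 = 'Member added to universal group'
    4757 = 'Member removed from universal group'; 4758 = 'Universal group deleted'
}

# Check that the audit subcategory configured through Group Policy in Step 1 is in effect.
auditpol /get /subcategory:"Security Group Management"

# Assumption: the last 24 hours is the window of interest.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$GroupEvents.Keys
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Each event carries named <Data> fields in its XML; index them by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Action = $GroupEvents[$e.Id]
        Group  = $data['TargetUserName']   # the group that was created/changed/deleted
        Member = $data['MemberName']       # DN of the member (add/remove events only)
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC     = $e.MachineName            # the domain controller that logged it
    }
}
```

Because each domain controller logs only the changes it processed, run the script on every domain controller (or forward their Security logs to a central collector) to get the full picture.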

Issue with Native Method

Multiple events are generated for a single change, such as adding a member to a group. Spotting a critical change in real time is therefore difficult; it is like finding a needle in a haystack by hand. Native auditing also suffers from other issues.

Using LepideAuditor for Active Directory to Audit Group Membership Changes

LepideAuditor overcomes the limitations of native auditing with its outstanding features. It shows only one event for each change. In the following image, you can see a “Group Modifications” report generated in LepideAuditor for Active Directory, showing all group membership changes made in a given period. It also answers the who, what, when and where questions in a way that is simple to read and understand.

Figure 7: Group Modifications Report

While native auditing is useful, at times it can get complicated and time-consuming, and it generates a lot of noise. LepideAuditor is a very good solution to these problems.

Download LepideAuditor for Active Directory

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.