How to Monitor Active Directory Security Group Membership Changes
How to Detect Security Group Membership Changes
It is a recommended security practice for administrators to keep track of membership changes made to security groups. If this event is not tracked, an attacker might join a security-enabled group and carry out misdeeds without the administrator having a clue about the developments. This article discusses the steps to audit, track, and get notified when an object is added to a security group.
Enabling Active Directory Auditing through Group Policy
Type GPMC.MSC in Run and press Enter to open the Group Policy Management console.
Navigate to Forest → Domains → www.example.com and right-click the Default Domain Policy. Select Edit to access Group Policy Management Editor.
Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies.
Double-click the relevant audit policy, select the Define these policy settings option, and select both the Success and Failure checkboxes.
After closing the Group Policy Management Editor, select the GPO that you have modified.
In the Security Filtering section, click Add to apply this GPO to all objects in Active Directory. Then update the GPO from the Command Prompt using the gpupdate /force command.
Tracking members newly added to a security-enabled global group
To track the group membership changes in Active Directory, open the Windows Event Viewer, and navigate to Windows logs → Security.
Use Filter Current Log in the right pane to find the relevant events.
Look for events with the ID 4728.
Opening an event lists all the details related to that particular membership change.
Administrators can also get notified when this event ID occurs by creating a Scheduled Task around the event. The task can perform one of the following three actions when the event ID occurs:
Run a program
Send an email
Display a message
To Run a Task in Response to an Event
Open Event Viewer.
In the console tree, navigate to the log that contains the event with ID 4728.
Right-click the event and select Attach Task to This Event.
Walk through each step presented by the Create Basic Task Wizard and choose the preferred task to run or the way you want to be notified.
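The query step above, done from PowerShell instead of the Event Viewer filter, as an added example that is not part of the original article: it reads the Security log for event 4728 and, going a step beyond the text, the equivalent IDs for domain local (4732) and universal (4756) groups, and extracts the group, the added member and the acting account from each event. The look-back window and the target computer name are assumed parameters, and the audit policy configured above must already be in effect.

```powershell
# Added example (not from the original article): list "member added to security group"
# events from the Security log and show who added whom to which group.
# 4728 = global group (the ID the article covers); 4732 = domain local; 4756 = universal.
# Reading the Security log requires an elevated session or Event Log Readers membership.

param(
    [int]$Hours = 24,                       # assumed look-back window
    [string]$Computer = $env:COMPUTERNAME   # assumed target; point it at a domain controller
)

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result, not a failure.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

$events | ForEach-Object {
    # Each event carries its fields as named EventData elements; read them by name from
    # the XML rather than relying on the positional order of $_.Properties.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Member    = $data.MemberName       # distinguished name of the added object
        MemberSid = $data.MemberSid
        AddedBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        LogonId   = $data.SubjectLogonId   # correlate with logon event 4624 to find the source host
        Source    = $_.MachineName
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on each domain controller (or forward their Security logs to one collector first), since a membership change is logged only on the controller that processed it.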