Auditing Group Membership Changes in AD
Posted on August 09, 2018
- and tagged as
- active-directory,
- powershell,
- security
While Active Directory Security Auditing needs to be enabled for many changes in AD to be logged, changes to Global Security groups are logged by default.
The events are logged in the Security log, under the Task Category of Security Group Management.
- Event ID 4737 is logged when a global security group is modified.
- Event ID 4728 is logged when a member is added to a security-enabled global group.
- Event ID 4729 is logged when a member is removed from a security-enabled global group.
This means you will typically see Event ID 4737 plus 4728 and/or 4729, depending on the changes.
The description shows who made the change, to which group, and what the change was. In the example below, an administrative account called sysadmin added a user account called useraccount to a security group called SecurityGroup in the DOMAIN AD domain.
A member was added to a security-enabled global group.
Subject:
Security ID: DOMAIN\sysadmin
Account Name: sysadmin
Account Domain: DOMAIN
Logon ID: 0x2263854F
Member:
Security ID: DOMAIN\useraccount
Account Name: CN=useraccount,OU=Headoffice,OU=Users,OU=COMPANY,DC=corp,DC=local
Group:
Security ID: DOMAIN\SecurityGroup
Group Name: SecurityGroup
Group Domain: DOMAIN
Additional Information:
Privileges: -
This data can be extracted with PowerShell:
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4728,4729} | Select-Object TimeCreated, Message | Format-List
Alternatively, if you need to search through archived logs:
# Archived Security logs are saved as Archive-Security*.evtx in the winevt\Logs folder
$LogPath = "C:\Windows\System32\winevt\Logs"
$Logs = Get-ChildItem -Include Archive-Security* -Path $LogPath -Recurse
foreach ($Log in $Logs) {
    Write-Host "Checking Log: $Log"
    # Query each archive file directly by path; skip files that cannot be opened or contain no matches
    Get-WinEvent -FilterHashtable @{Path = $Log.FullName; ID=4728,4729} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
}
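Reading the Message text works for a quick look, but for reporting it is easier to pull the Subject, Member and Group fields from the event's XML data. The following is an added example, not code from the original post; it assumes the standard EventData field names Windows uses for 4728/4729 (SubjectUserName, MemberName, TargetUserName and so on) and filters on the SecurityGroup name from the example above.

```powershell
# Added example: convert 4728/4729 records into objects using the event's
# EventData fields rather than parsing the Message text.
# Assumes the standard field names for these event IDs (SubjectDomainName,
# SubjectUserName, MemberName, MemberSid, TargetDomainName, TargetUserName).
function ConvertFrom-GroupChangeEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        # Every EventData field is a <Data Name="..."> element; index them by name.
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Action    = if ($Event.Id -eq 4728) { 'Added' } else { 'Removed' }
            Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Member    = $data.MemberName   # distinguished name of the account
            MemberSid = $data.MemberSid
            Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Computer  = $Event.MachineName # the DC that recorded the change
        }
    }
}

# Report membership changes to one group over the last 7 days.
# The group name 'SecurityGroup' is taken from the example event above.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4728, 4729; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-GroupChangeEvent |
    Where-Object { $_.Group -like '*\SecurityGroup' } |
    Sort-Object Time |
    Format-Table Time, Action, Actor, Member, Group -AutoSize
```

The same function can be piped the output of the archived-log loop above, since Get-WinEvent returns the same record type whether it reads the live log or an .evtx file.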