Auditing Group Membership Changes in AD
Posted on August 09, 2018 and tagged as active-directory, powershell, security.
While Active Directory Security Auditing needs to be enabled for many changes in AD to be logged, changes to Global Security groups are logged by default.
The events are logged in the Security log, under the Task Category of Security Group Management.
- Event ID 4737 is logged when a global security group is modified.
- Event ID 4728 is logged when a member is added to a security-enabled global group.
- Event ID 4729 is logged when a member is removed from a security-enabled global group.
This means you will typically see Event ID 4737 plus 4728 and/or 4729, depending on the change.
The description shows who made the change, to which group, and what the change was. In the example below, an administrative account called sysadmin added a user account called useraccount to a security group called SecurityGroup in the DOMAIN AD domain.
A member was added to a security-enabled global group.

Subject:
    Security ID:    DOMAIN\sysadmin
    Account Name:   sysadmin
    Account Domain: DOMAIN
    Logon ID:       0x2263854F
Member:
    Security ID:    DOMAIN\useraccount
    Account Name:   CN=useraccount,OU=Headoffice,OU=Users,OU=COMPANY,DC=corp,DC=local
Group:
    Security ID:    DOMAIN\SecurityGroup
    Group Name:     SecurityGroup
    Group Domain:   DOMAIN
Additional Information:
    Privileges:     -
This data can be extracted with PowerShell:
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4728,4729;} | select TimeCreated, Message | Format-List
Alternatively, if you need to search through archived logs:
$LogPath = "C:\Windows\System32\winevt\Logs"
$Logs = Get-ChildItem -Include Archive-Security* -Path $LogPath -Recurse
foreach ($Log in $Logs) {
Write-Host "Checking Log: $Log"
Get-WinEvent -FilterHashtable @{Path = $Log.FullName; ID=4728,4729;} -ErrorAction SilentlyContinue | select TimeCreated, message | Format-List
}
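As an added example (not code from the original post), the following reads the same 4728/4729 events but takes the fields from each event's XML EventData rather than the free-text description, and flags changes to a watch-list of groups. The function name, the `-Path` parameter and the group names in `$SensitiveGroups` are assumptions to adjust for your environment.

```powershell
# Added example: parse 4728/4729 by named EventData fields and flag sensitive groups.
# Assumes it runs with rights to read the Security log (or an exported .evtx via -Path).
function Get-GroupMembershipChange {
    [CmdletBinding()]
    param(
        [string]$Path,   # optional archived .evtx file; omit to read the live Security log
        [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumed watch-list
    )
    # 4728 = member added, 4729 = member removed (security-enabled global groups)
    $filter = @{ ID = 4728, 4729 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData holds the fields as <Data Name="...">text</Data>; index them by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }

        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            Action       = $action
            Actor        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"   # "Subject" in the event text
            ActorLogonId = $data.SubjectLogonId
            Member       = $data.MemberName      # distinguished name, as in the sample event
            MemberSid    = $data.MemberSid
            Group        = "$($data.TargetDomainName)\$($data.TargetUserName)"     # "Group" in the event text
            Sensitive    = [bool]($SensitiveGroups -contains $data.TargetUserName)
        }
    }
}

# Live log: only changes to watch-listed groups, newest first
Get-GroupMembershipChange | Where-Object Sensitive |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Archived logs, following the loop in the post above
Get-ChildItem -Path 'C:\Windows\System32\winevt\Logs' -Filter 'Archive-Security*' -Recurse |
    ForEach-Object { Get-GroupMembershipChange -Path $_.FullName } |
    Where-Object Sensitive | Format-List
```

Reading the named fields avoids breaking when the event description text is localized or reformatted, and the `ActorLogonId` value lets you join the change back to the 4624 logon session that made it.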