Applies to: Windows Server 2008, 2008 R2 and 2012
Requirement: You would like to investigate who has added or removed a specific Domain User in Domain Admins or Group Policy Creator Owners
Prerequisite: Auditing has to be configured on the Domain Controllers; in particular, the “Audit account management” policy must be configured with both Success and Failure settings defined. To configure auditing on Domain Controllers, you need to edit and update the DDCP (Default Domain Controller Policy).
When a User is added to a Security-Enabled GLOBAL Group, an event will be logged with Event ID: 4728
Event Details for Event ID: 4728
A member was added to a security-enabled global group.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x50B79DA
Member:
Security ID: TESTLAB\Temp
Account Name: CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
Group:
Security ID: TESTLAB\Domain Admins
Group Name: Domain Admins
Group Domain: TESTLAB
In this example, TESTLAB\Santosh has added user TESTLAB\Temp to the Domain Admins group.
When a User is removed from Security-Enabled GLOBAL Group, an event will be logged with Event ID: 4729
Event Details for Event ID: 4729
A member was removed from a security-enabled global group.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x50B79DA
Member:
Security ID: TESTLAB\Temp
Account Name: CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
Group:
Security ID: TESTLAB\Domain Admins
Group Name: Domain Admins
Group Domain: TESTLAB
In this example, TESTLAB\Santosh has removed user TESTLAB\Temp from the Domain Admins group.
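The following PowerShell script is an added example, not part of the original article, showing how a defender would pull the 4728 and 4729 events described above out of the Security log on a Domain Controller and list who added or removed which member from which group. It assumes it is run from an elevated prompt with rights to read the Security log; the function name, the seven-day window and the default group filter are assumptions chosen for illustration. The field names (SubjectUserName, MemberName, TargetUserName and so on) are the standard EventData names Windows uses for these two events.

```powershell
# Added example (not from the original article): report group-membership changes
# recorded on a Domain Controller. Event IDs come from the article:
#   4728 = member added to a security-enabled global group
#   4729 = member removed from a security-enabled global group
function Get-GroupMembershipChange {
    param(
        # Assumption: default to the group the article uses in its examples.
        [string]$GroupName = 'Domain Admins',
        # Assumption: look back seven days unless told otherwise.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Assumption: query the local machine; pass a DC name to query remotely.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4729
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Convert to XML so each EventData field can be read by name
        # instead of by position in the message text.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName holds the group name for 4728/4729.
        if ($data['TargetUserName'] -ne $GroupName) { continue }

        $action = if ($event.Id -eq 4728) { 'added to' } else { 'removed from' }

        [pscustomobject]@{
            Time      = $event.TimeCreated
            EventId   = $event.Id
            # Subject = who made the change (TESTLAB\Santosh in the article).
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId   = $data['SubjectLogonId']
            # Member = the account added or removed, as a distinguished name.
            Member    = $data['MemberName']
            MemberSid = $data['MemberSid']
            Action    = $action
            Group     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

# Usage: list every change to Domain Admins in the last week on this DC.
Get-GroupMembershipChange | Format-Table -AutoSize
```

If the script returns nothing although changes are known to have happened, check the prerequisite first: `auditpol /get /category:"Account Management"` on the Domain Controller shows whether the Security Group Management subcategory is set to audit Success and Failure, which is what the DDCP setting described above controls. Because each Domain Controller writes only the changes it processed, run the query against every DC (or forward their Security logs to a central collector) to get a complete picture.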