Applies to: Windows Server 2008, 2008 R2 and 2012

Requirement: You want to find out who added or removed a specific domain user in the Enterprise Admins group.

Prerequisite: Auditing has to be configured on the Domain Controllers. In particular, the “Audit account management” policy must be enabled for both Success and Failure. To configure auditing on Domain Controllers, edit and update the DDCP (Default Domain Controller Policy).
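Before searching the Security log it is worth confirming that the policy actually took effect on each DC. The check below is an added example, not part of the original article; it uses the built-in auditpol tool, whose /r switch prints CSV that ConvertFrom-Csv turns into objects. On Windows Server 2008 and later the “Audit account management” category is split into subcategories, and group membership changes are recorded under the “Security Group Management” subcategory, which is what the check reads. The string 'Success and Failure' is assumed to be the literal auditpol reports when both settings are on.

```powershell
# Added example (not from the article): confirm that group-management auditing
# on this DC records both Success and Failure, as the prerequisite requires.
# Run in an elevated PowerShell prompt on the domain controller.
$policy = auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv

foreach ($p in $policy) {
    # auditpol reports 'No Auditing', 'Success', 'Failure' or 'Success and Failure'
    $setting = $p.'Inclusion Setting'
    $status  = if ($setting -eq 'Success and Failure') { 'OK' } else { 'NEEDS Success and Failure' }
    "{0,-28} {1,-22} {2}" -f $p.Subcategory, $setting, $status
}
```

If the DDCP sets the legacy category but the DC also has “Force audit policy subcategory settings” enabled, the subcategory values shown by auditpol are the ones that apply, so this check reflects what will really be logged.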



When a User is added to a Security-Enabled UNIVERSAL Group, an event will be logged with Event ID: 4756



Event Details for Event ID: 4756

A member was added to a security-enabled universal group.

Subject:
                Security ID:                            TESTLAB\Santosh
                Account Name:                    Santosh
                Account Domain:                 TESTLAB
                Logon ID:                               0x50B79DA

Member:
                Security ID:                            TESTLAB\Temp
                Account Name:                    CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
                Security ID:                            TESTLAB\Enterprise Admins
                Account Name:                    Enterprise Admins
                Account Domain:                 TESTLAB


In this example, TESTLAB\Santosh has added user TESTLAB\Temp to Enterprise Admins group

When a User is removed from a Security-Enabled UNIVERSAL Group, an event will be logged with Event ID: 4757



Event Details for Event ID: 4757

A member was removed from a security-enabled universal group.

Subject:
                Security ID:                            TESTLAB\Santosh
                Account Name:                    Santosh
                Account Domain:                 TESTLAB
                Logon ID:                               0x50B79DA

Member:
                Security ID:                            TESTLAB\Temp
                Account Name:                    CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
                Security ID:                            TESTLAB\Enterprise Admins
                Group Name:                        Enterprise Admins
                Group Domain:                     TESTLAB


In this example, TESTLAB\Santosh has removed user TESTLAB\Temp from Enterprise Admins group.
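The two events above can be pulled out of the Security log and reduced to a simple "who did what to whom" table. The script below is an added example and is not part of the original article. It assumes PowerShell 3.0 or later (the default on Windows Server 2012; installable on 2008 R2 via the Windows Management Framework) and that the account running it can read the Security log on the DC. The EventData field names it reads (SubjectUserName, SubjectDomainName, SubjectLogonId, MemberName, MemberSid, TargetUserName, TargetDomainName) are the XML names behind the “Subject”, “Member” and “Group” blocks shown in the event details above; the group name and look-back period are assumed values you would change for your own investigation.

```powershell
# Added example (not from the article): list who added (4756) or removed (4757)
# members of a group, using the Subject / Member / Group fields of the events.
# A membership change is logged only on the DC that performed the write, so run
# this against every DC (or against forwarded/collected logs) to see all changes.
$GroupName    = 'Enterprise Admins'        # group under investigation (assumed)
$ComputerName = $env:COMPUTERNAME          # DC whose Security log to read
$Since        = (Get-Date).AddDays(-30)    # look-back window (assumed)

function Convert-SidToName([string]$Sid) {
    # The Member block only carries a SID; translate it, but keep the raw SID
    # if the account has since been deleted and cannot be resolved.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4756, 4757
    StartTime = $Since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a name -> value table
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the group in 4756/4757; skip changes to other groups
    if ($data['TargetUserName'] -ne $GroupName) { return }

    $action = if ($_.Id -eq 4756) { 'Added' } else { 'Removed' }
    [pscustomobject]@{
        Time         = $_.TimeCreated
        Action       = $action
        Actor        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ActorLogonId = $data['SubjectLogonId']
        Member       = Convert-SidToName $data['MemberSid']
        MemberDN     = $data['MemberName']    # e.g. CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
        Group        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        DC           = $_.MachineName
    }
} | Sort-Object Time | Format-Table -AutoSize
```

For the two events shown in this article the output would contain one “Added” and one “Removed” row, both with Actor TESTLAB\Santosh and Member TESTLAB\Temp. The Logon ID column lets you tie the change back to the logon session (event 4624) in which the actor authenticated, which is useful when the account is shared or suspected of being compromised.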


See also:

Event ID when a user is added or removed from security-enabled GLOBAL group such as Domain Admins or Group Policy Creator Owners

Event ID when a user is added or removed from security-enabled DOMAIN LOCAL group such as DnsAdmins group

Configuring Audit Policies

Strengthening Domain Controller Policy Settings

Reviewing Audit Settings on Important Active Directory Objects

Recommendations: Strengthening Domain and Domain Controller Policy Settings