How to find who modified a group in AD
Hey folks, is there a tool or a way you can tell who updated the membership of a security group? Auditing is not turned on in our domain, and even if it were, it would be a nightmare sifting through millions of event logs (even with filtering).
Comments
- RobertKaucher (Member, Posts: 4,299):
If you had auditing enabled, a quick PowerShell script would find it for you. I don't believe there is any way to determine who made the change w/o it being enabled.
- blargoe (Member, Posts: 4,174):
It's not THAT big of a deal to find it as long as 1) you have auditing enabled and 2) you catch the change soon enough for the logs not to have been overwritten. Changes to a group account are logged under a specific event ID number, and they are relatively uncommon compared to the other events you would find on a DC. A tool like EventCombMT would find it without a lot of effort on your part if you tell it to search for that event ID. But you have to have auditing enabled.
If this group is a group that should not have its membership changed (or not changed other than by a domain admin), you can set up a Restricted Groups GPO on the domain and set the Members to be only the user accounts that you deem should be in that group. If someone goes into the group object and adds someone, it would be automatically removed at the next GP refresh. The only way for the group to be changed would be for someone to change the GPO.

IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
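The "quick PowerShell script" RobertKaucher mentions and the event-ID search blargoe describes, as an added example that is not from either poster: it pulls the security-group membership-change events from a domain controller's Security log and reports who made each change. It assumes the "Audit Security Group Management" subcategory is enabled on the DCs (otherwise nothing is logged, as both answers say), and the group and DC names are placeholders.

```powershell
# Added example (not from the thread). Lists who added/removed members of a
# security group by reading group-management events from a DC's Security log.
# Requires the "Audit Security Group Management" audit subcategory to be on.
param(
    [string]$GroupName        = 'Finance-Admins',   # placeholder group name
    [string]$DomainController = 'DC01',             # placeholder DC hostname
    [int]$Days                = 7                   # how far back to search
)

# Event IDs a DC logs when a security-enabled group's membership changes:
#   4728 / 4729  global group    member added / removed
#   4732 / 4733  local group     member added / removed
#   4756 / 4757  universal group member added / removed
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757

$filter = @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name rather than by position, so the
        # script does not break if the property order differs between IDs.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # TargetUserName is the group; SubjectUserName is the account that
        # made the change; MemberName is the DN of the member affected.
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($addIds -contains $_.Id) { 'Added' } else { 'Removed' }
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                EventId   = $_.Id
                DC        = $_.MachineName
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Because these events are written only on the DC that processed the change, run it against each DC (or a central log collector) if the first one returns nothing.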