How to find who modified a group in AD
Essendon
Hey folks, is there a tool or a way you can tell who updated the membership of a security group? Auditing is not turned on in our domain, and even if it were, it would be a nightmare sifting through millions of event logs (even with filtering).
Comments
RobertKaucher
If you had auditing enabled, a quick PowerShell script would find it for you. I don't believe there is any way to determine who made the change w/o it being enabled.
blargoe
It's not THAT big of a deal to find it as long as 1) you have auditing enabled and 2) you catch the change soon enough for the logs not to have been overwritten. Changes to a group account are logged under a specific event ID number, and it is relatively uncommon compared to the other events you would find on a DC. A tool like EventCombMT would find it without a lot of effort on your part if you tell it to search for that event ID. But you have to have auditing enabled.
If this group is a group that should not have its membership changed (or not changed other than by a domain admin), you can set up a Restricted Groups GPO on the domain and set the Members to be only the user accounts that you deem should be in that group. If someone goes into the group object and adds someone, it would be automatically removed at the next GP refresh. The only way for the group to be changed would be for someone to change the GPO.
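The "quick PowerShell script" Robert mentions and the event-ID search blargoe describes, as an added example that is not part of the original thread. It assumes the Security Group Management audit subcategory is enabled on the domain controllers, that the RSAT ActiveDirectory module is installed on the machine running it, and that the group name and look-back window are placeholders you replace. The event IDs are the ones Windows Server 2008 and later log for membership changes to security-enabled groups.

```powershell
# Added example, not code from the original posters.
# Assumptions: "Audit Security Group Management" is enabled on every DC,
# the ActiveDirectory module is available, and $GroupName is the group to investigate.
param(
    [string]$GroupName = 'Domain Admins',   # assumption: replace with the group in question
    [int]$DaysBack = 30                     # assumption: how far back the Security logs still reach
)

# Security Group Management event IDs for security-enabled groups:
#   4728 / 4729  member added / removed, global group
#   4732 / 4733  member added / removed, domain local group
#   4756 / 4757  member added / removed, universal group
$eventIds = 4728, 4729, 4732, 4733, 4756, 4757
$addIds   = 4728, 4732, 4756

# Sanity check first: if the subcategory is not auditing successes, the events were never written.
$auditState = auditpol /get /subcategory:"Security Group Management"
if ($auditState -notmatch 'Success') {
    Write-Warning 'Security Group Management auditing is not enabled here; there will be nothing to find.'
}

# Each DC records only the changes it processed itself, so every DC must be queried.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $eventIds
            StartTime = (Get-Date).AddDays(-$DaysBack)
        } | ForEach-Object {
            # Pull the named EventData fields out of the event XML:
            #   TargetUserName = the group, MemberName = DN of the account added/removed,
            #   SubjectUserName / SubjectDomainName = the account that made the change.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $dc
                EventId   = $_.Id
                Action    = if ($_.Id -in $addIds) { 'Added' } else { 'Removed' }
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    } catch {
        # Get-WinEvent raises "No events were found" when the filter matches nothing on this DC.
        Write-Verbose "$dc : $($_.Exception.Message)"
    }
}

$results |
    Where-Object Group -eq $GroupName |
    Sort-Object Time |
    Format-Table Time, DC, Action, Member, ChangedBy -AutoSize
```

Filtering on the six IDs keeps the search small no matter how noisy the rest of the Security log is; EventCombMT searching the same IDs across all DCs gives the same answer. The script only reports what the logs still hold, so run it before the Security log wraps. Without auditing, the Active Directory replication metadata for the group object (`repadmin /showobjmeta <DC> <GroupDN>`) still shows when the member attribute last changed and from which DC, but it does not record which account made the change.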
Essendon
Thanks for the info, Robert and blargoe.