We had a request today to monitor actual changes to group membership in real time. Real time? is that possible? Hmmm.
There are many commercial tools that monitor and manage event logs, but we had to work with the current monitoring system and Windows.
Task: Report changes made to group memberships in Active Directory.
Now I’ve got access to Enterprise Security Reporter which would be ideal for monitoring the changes between 2 dates but this doesn’t work in real time. I’ve looked at Powershell, but again the script would run on a scheduled task.
Solution: Enable auditing on domain controller and watch the event logs.
Yes, it is as simple as that and to make it even easier your can enable a Group Policy on all the domain controllers to ensure this option is set.
- On your domain controller open Start > Administration Tools > Domain Controller Security Policy
- Expand Local polices and click on Audit Policy
- Edit Audit account management and select Success
- Do this to all your Domain Controllers or Apply a GPO (See below)
- Watch the event log for the following Event IDs
631 = Global Group Created
632 = Global Group Member Added
633 = Global Group Member Removed
634 = Global Group Deleted
641 = Global Group Changed
Now I guess your wondering how do we make use of this information? Well in this case our monitoring system will look for the the above event and push them to an SQL database, we can then query them later or create reports.
You can add this rule to your existing GPO, but I prefer to create a new GPO for each rule and then apply to a security group.
- Open the GPO editor
- Create a new policy and give it a name
- Expand Computer Configuration > Windows Settings > Local policies > Audit Policy
- Select Audit account management
- Check the boxes Define these policy settings and Success
- Apply this GPO all the Domain Controllers or use a security group
It is assumed you have some kind of monitoring system that will read the event logs and that will alert or record changes.