Wednesday, November 4, 2015

Monitor Active Directory Security Group membership changes

In many environments permission to add members to strong security groups (lets say Domain Admins group) is granted to many users.
Sometime those permissions are getting out of hand, so audit those group membership become vital.
In this post I would like to demonstrate how to audit security groups with build-in tools.

First step
Enable Audit account management to success in default domain controller policy (enabled by default):



Second step
Enable auditing for the OU the security group reside:



Once enabled, each group membership changes to one of the security group in that OU will be record in security event log.
It is important to now that all groups in that OU will be impact from that settings so don't add to many groups to that OU (otherwise you wont be able to know wich group membership was changed).
In order to audit Domain Admins group it is necessary to move that group to new OU and enable auditing for that new OU.

Third step
Make change to the security group and review security event log.
Most important events we are interested with are:
  • 4728 - A member was added to a security-enabled global group.
  • 4729 - A member was removed from a security-enabled global group.
Forth step
Attach a task to the relevant event.
Once found the desired event, attach task to it:


Name the new task:


choose desire action.
You have the option to start the following each time that event is triggered:
  • Start a program (script\PowerShell\batch\ etc...)
  • Send an E-Mail
  • Display a message.
In this example I will use me Exchange server to send a mail:


On Send an E-Mail page, fill out the following:
  • From: the mailbox name the message was sent from.
  • To: the mailbox the message will arrive.
  • Subject: relevant subject
  • SMTP Server: your Exchange server (or any other SMTP server).


Note: You will have to create tasks in each of your DC's in the environment.
One option is to export the task to xml file from Task Scheduler and import it to other DC's manually or with any automation solution (script\GPO\SCCM\etc...).



Security group changes events:
https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx

No comments:

Post a Comment