In many environments permission to add members to strong security groups (lets say Domain Admins group) is granted to many users.
Sometime those permissions are getting out of hand, so audit those group membership become vital.
In this post I would like to demonstrate how to audit security groups with build-in tools.
First step
Enable Audit account management to success in default domain controller policy (enabled by default):