To monitor and audit Active Directory group membership changes, you can enable the “Audit Directory Service Changes” policy and configure it to audit group membership changes. Here are the steps to do this:
- Open the Group Policy Management console on your domain controller.
- Create a new Group Policy Object or edit an existing one.
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies.
- Enable the “Audit Directory Service Changes” policy by right-clicking on it and selecting “Properties.”
- Check the “Success” and “Failure” checkboxes under the “Audit Group Membership” category.
- Click “OK” to save the changes.
- Apply the Group Policy Object to the relevant Organizational Unit (OU) or container.
Once this policy is enabled and the GPO has applied, the domain controllers will start writing group membership changes to the Security log. You can view these audit events in the Event Viewer by following these steps:
- Open the Event Viewer on your domain controller.
- Navigate to Windows Logs -> Security.
- In the right-hand pane, click on “Filter Current Log.”
- In the “Event sources” dropdown menu, select “Microsoft Windows security auditing.”
- In the “Event ID” field, enter “4735” (group created), “4732” (group added to), or “4733” (group removed from).
- Click “OK” to apply the filter.
This will show you all the audit logs related to group membership changes, including the date and time of the change, the user who made the change, the group that was changed, and the member that was added or removed.
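The same events can be pulled in bulk and flattened into a table with PowerShell instead of clicking through the Event Viewer filter. The function below is an added example, not part of the original article: it covers the local-group event IDs listed above and, going beyond them, the global and universal group equivalents, and can restrict output to a watch list of sensitive groups. `Get-WinEvent` and the EventData field names are standard Windows; the function name and the `-WatchGroup` parameter are my own.

```powershell
# Added example, not from the original article: query the Security log for the
# group-membership audit events and flatten the fields an investigator needs.
# Event IDs (per the Windows security auditing reference):
#   4732/4733  member added to / removed from a security-enabled local group
#   4728/4729  same for a security-enabled global group (e.g. Domain Admins)
#   4756/4757  same for a security-enabled universal group
#   4735       a security-enabled local group was changed
# Assumes it runs on a domain controller (or -ComputerName names one) under an
# account allowed to read the Security log.
function Get-GroupMembershipAuditEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        # Only report changes to these groups; empty means report every group.
        [string[]]$WatchGroup = @()
    )
    $actionById = @{
        4732 = 'Member added to local group';     4733 = 'Member removed from local group'
        4728 = 'Member added to global group';    4729 = 'Member removed from global group'
        4756 = 'Member added to universal group'; 4757 = 'Member removed from universal group'
        4735 = 'Local group changed'
    }
    $filter = @{ LogName = 'Security'; Id = [int[]]$actionById.Keys; StartTime = $StartTime }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error, not an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered Message is localised; the EventData XML is not, so parse that instead.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $group = $data['TargetUserName']
            if ($WatchGroup.Count -gt 0 -and $group -notin $WatchGroup) { return }  # skip this event
            # MemberName is the member's distinguished name; 4735 carries no member field.
            $member = if ($data.ContainsKey('MemberName')) { $data['MemberName'] } else { '-' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = $actionById[$_.Id]
                Group       = '{0}\{1}' -f $data['TargetDomainName'], $group
                Member      = $member
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId     = $data['SubjectLogonId']
            }
        }
}
# Usage: who touched the highest-privilege groups in the last 7 days?
# Get-GroupMembershipAuditEvent -WatchGroup 'Domain Admins','Enterprise Admins','Administrators' |
#     Sort-Object TimeCreated | Format-Table -AutoSize
```

The SubjectLogonId column lets you join a change back to the 4624 logon event of the session that made it, which is how you tell an administrator's interactive session from a script running under that account's credentials.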
You can also use third-party Active Directory auditing tools that provide more advanced features and reporting capabilities.

