Monitoring Group Membership Changes in Active Directory


In Active Directory, groups govern access to everything. And I mean everything, in AD and beyond. Here's a short list of where AD groups are commonly referenced:

  • File permissions
  • Delegated admin authority on organizational units
  • Edit and scoping permissions on group policy objects
  • System privileges in Windows
  • Logins in SQL Server
  • Document library and site collection permissions in SharePoint
  • Distribution lists in Exchange for confidential emails
  • Even access to stuff in the cloud – after all, Office 365 leverages Azure AD, which in turn is often synchronized from the on-premises Active Directory

So you need to know when groups are changed in Active Directory – especially when members are added, but also when they are removed, because removing a member from a group that is assigned explicit deny permissions loosens restrictions and likely grants access.

In this Security Log Secrets webinar, I will show you how to:

  1. Correctly configure all domain controllers to audit security group membership changes
  2. Determine if you should also audit distribution group changes
  3. Find group membership additions and deletions in the security log. Some of the events we'll talk about are 4728, 4729, 4732, 4733, 4756 and 4757
  4. Identify who made the change, which group was affected and who the member is
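As an added example that is not part of the webinar, the following PowerShell pulls the six events listed above from each domain controller's Security log and reads the three facts that matter from each one: who made the change, which group was affected and who the member is. The DC names and the list of sensitive groups are placeholders to replace with your own.

```powershell
# Added example, not from the webinar: list security group membership changes
# from each DC's Security log and show who changed which group and which member.
# Assumes the 'Audit Security Group Management' subcategory is enabled on the DCs
# and that the account running this can read their Security logs.
$DCs  = 'DC01.example.local', 'DC02.example.local'   # placeholder DC names, replace with yours
$Days = 7

# Event IDs covered in the webinar: 4728/4729 global, 4732/4733 domain local, 4756/4757 universal
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

# Groups to flag first; extend with the groups that guard your sensitive data (example list)
$SensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$filter = @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = (Get-Date).AddDays(-$Days)
}

# Security logs are not replicated, so every DC must be queried separately
$changes = foreach ($dc in $DCs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The named EventData fields are easiest to read from the event's XML form
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $action = if ($e.Id -in $AddIds) { 'Added' } else { 'Removed' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Action    = $action
            Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"   # group affected
            Member    = $data.MemberName                                       # member's distinguished name
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)" # who made the change
            Sensitive = $SensitiveGroups -contains $data.TargetUserName
        }
    }
}

# Sensitive groups first, newest changes on top
$changes | Sort-Object Sensitive, Time -Descending | Format-Table -AutoSize
```

Because of nesting, a group added to another group appears in the Member column as the nested group's distinguished name rather than a user, so watch that column for group DNs as well as user DNs.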

Then we'll talk about what to do with these events once you find them. After all, some groups are more important than others. Sure, built-in privileged groups like Domain Admins matter, but I'm also talking about groups used to grant users access to your most sensitive information. I'll explore ways you can zero in on the more privileged and sensitive groups. One of the things that makes this more challenging is how AD allows group nesting, so we'll discuss how that impacts things as well.

Remember, each DC logs only the changes originating on it, and security logs are not replicated between domain controllers. That's where your SIEM comes in, of course. For this webinar I'll be using SolarWinds' Log and Event Manager (LEM), since they are making this real training for free Security Log Secrets webinar possible. There will be no presentation by the sponsor. Just you, me, the Security Log and LEM. If you'd like to download LEM ahead of time, click here, and start collecting events from your domain controllers.

Don't miss this real training for free ™ event. Please register now.
