Tracking Group Membership Changes in Active Directory

Webinar Registration

In Windows and Active Directory, groups govern access to everything. And I mean everything in AD and beyond. It’s wise to separate groups into several types such as:

  • Administrative – these are groups that come hard-coded in Windows and AD, and other groups you nest inside these
  • Privileged – groups created in your environment to whom you delegate certain admin authority
  • Resource Access – used for granting specific access levels to various resources
  • User Role – sometimes separated from resource groups
  • System – groups used for scoping the application of group policy to sets of users or computer accounts, Windows Event Collection, etc.

Here's a short list of where AD groups are commonly referenced for resource access:

  • File permissions
  • Edit and scoping permissions on group policy objects
  • Delegations in Active Directory
  • Logon rights
  • Logins in SQL Server
  • Document library and site collection permissions in SharePoint
  • Distribution lists in Exchange for confidential emails
  • Even access to stuff in the cloud – after all, Office 365 leverages Azure AD, which in turn is often synchronized from the on-premises Active Directory

So you need to know when groups are changed in Active Directory – especially when members are added. But also when they are removed, because removing a member from a group that has been assigned explicit deny permissions loosens restrictions and likely grants access.

In this real training for free session, I will show you how to:

  • Correctly configure all domain controllers to audit security group membership changes
  • Determine if you should also audit distribution group changes
  • Find group membership additions and deletions in the security log. Some of the events we’ll talk about are 4728, 4729, 4732, 4733, 4756 and 4757
  • Identify who made the change, which group was affected and who the member is
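The steps above (make sure auditing is on, pull the group-change events, and work out who changed which group and which member) can be scripted. The following PowerShell is an added example and is not material from the session or from ManageEngine; it assumes the RSAT ActiveDirectory module is installed, that you have rights to read the Security log on every domain controller, and it uses the standard EventData field names these events carry (SubjectUserName, TargetUserName, MemberName, and so on). The list of "sensitive" group names at the end is a placeholder for you to fill in.

```powershell
# Added example: collect group membership changes from every DC and show
# who changed which group and which member was added or removed.
# Assumes: RSAT ActiveDirectory module, remote read access to each DC's Security log.

# Event IDs covered in the session:
#   4728 / 4729  member added to / removed from a security-enabled global group
#   4732 / 4733  member added to / removed from a security-enabled domain local group
#   4756 / 4757  member added to / removed from a security-enabled universal group
$GroupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$AddIds         = 4728, 4732, 4756
$Since          = (Get-Date).AddDays(-1)

# Security logs are not replicated, so each DC must be queried for the changes it logged.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Step 1: confirm the "Security Group Management" subcategory is being audited on each DC.
foreach ($dc in $DCs) {
    Write-Host "== Audit policy on $dc =="
    Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol.exe /get /subcategory:"Security Group Management"
    }
}

# Step 2: pull the events and flatten the XML EventData into one row per change.
$Changes = foreach ($dc in $DCs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = $GroupChangeIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # Get-WinEvent throws when a DC has no matching events

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Action    = if ($AddIds -contains $e.Id) { 'Added' } else { 'Removed' }
            Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"  # the group that changed
            GroupSid  = $data.TargetSid
            Member    = $data.MemberName                                     # DN of the member
            MemberSid = $data.MemberSid
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)" # who made the change
        }
    }
}

$Changes | Sort-Object Time | Format-Table Time, DC, EventId, Action, Group, Member, ChangedBy -AutoSize

# Step 3: zero in on the groups that matter. PLACEHOLDER list - replace with the built-in
# admin groups plus the resource/privileged groups that guard your sensitive data.
$SensitiveGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

$Changes |
    Where-Object { $SensitiveGroups -contains $_.Group.Split('\')[-1] } |
    Sort-Object Time |
    Format-Table Time, DC, Action, Group, Member, ChangedBy -AutoSize
```

Two caveats worth keeping in mind when reading the output. MemberName is a distinguishedName, so a member that is itself a group shows up as a group DN; because of nesting, a change to a group that is a member of a sensitive group is as important as a change to the sensitive group itself, so the placeholder list should include every group nested inside the ones you care about, not only the top-level names. And the script only sees as far back as each DC's Security log retains, which is exactly the gap a central collector is meant to close.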

Then we’ll talk about what to do with these events once you find them. After all, some groups are more important than others. Built-in privileged groups like Domain Admins, sure, but I’m also talking about groups used to grant users access to your most sensitive information. I'll explore ways you can zero in on the more privileged and sensitive groups. One of the things that makes this more challenging is how AD allows group nesting, so we’ll discuss how that impacts things as well.

Remember, each DC logs only the changes originating on it, and security logs are not replicated between domain controllers. That and other realities create gaps that our sponsor, ManageEngine, does a great job filling. Derek Melber, Microsoft MVP, will show you how to leverage the security logs to gain insights into privileged group changes. Not just the “admin” groups, but all groups that have privileges. These groups are located in Active Directory and locally on servers and workstations. Derek will show you how to not only monitor group changes, but also receive real-time alerts when these groups change, so you can take immediate action on errant changes.

Please join us for this real training for free event.
