When a user is added to the Domain Admins group, they gain unrestricted access to shared resources and Active Directory objects alongside access to any other system that uses Windows authentication. Members of the Domain Admins group have unrestricted access to shared resources and AD objects.
If a user is added to the admins group without a valid reason, it could result in a security breach. Therefore, to ensure system security, it’s vital to continuously monitor all changes made to the Domain Admins group and to be able to easily find out who added a user to the Domain Admins group.
Native Method using Event Logs
Enabling auditing using the Group Policy Management Console (GPMC)
The following actions need to be carried out on the domain controller (DC):
- Open the Group Policy Management Console by choosing
- In the Group Policy Management Console, browse to the OU, right click and select Create a GPO in this domain, and Link it here. Name the GPO and then link it to an OU
- Right-click on the GPO, and choose Edit
- From the left pane of the Group Policy Management Editor, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy
- In the right pane, you will see a list of policies under Audit Policy. Double-click Audit account management and check the boxes next to Define these policy settings, Success, and Failure
- Click Apply, then OK
- From the Group Policy Management Console, in the left pane, right-click the desired OU in which the GPO was linked, and click Group Policy Update. This step ensures that the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.
- Now that this policy is enabled, whenever a user is added to the security-enabled group, corresponding events are logged under the DC’s security log category.
View these Events using the Event Viewer
Once the above steps are complete, events will be stored in the event log. This can be viewed in the Event Viewer by following the steps below:
- Press Start, search for Event Viewer, and click to open it
- From the left pane of the Event Viewer window, navigate to Windows Logs, Security
- This will show a list of all the security events that are logged on the system
- In the right pane, under Security, click Filter Current Log
- From this dialog box, enter 4728 in the field labeled
- Click OK
- This will provide a list of occurrences of Event ID 4728, which is logged when a new user is added to a security group
- Double-click the Event ID to view its properties. Look for Domain Admins under Group Name in the description
How Lepide Auditor Helps
As you can see, this method is time consuming and tedious as you need to view the description for each event separately to find the one that pertains to the Domain Admins group. A more straightforward method is to use the Lepide Auditor for Active Directory. Lepide’s Active Directory auditing software includes many pre-defined reports including the Admin Group Changes Report and an example of this report is shown as follows:
To run this report:
- Select Lepide Auditor, Reports
- From here, expand Active Directory
- Select Admin Group Changes
- Specify a date range
- Select Generate Report
The report is generated and can be filtered, sorted and exported to CSV and PDF format
