Active Directory Group Membership Change Auditing

Anonymous
2024-03-12T14:15:20+00:00

Hi Everyone.

I am trying to figure out how to audit where group changes are initiated in AD. Auditing is enabled and aggregates in a SIEM.

When a change occurs I see this chain of event IDs:

4662 - An operation was performed on an object.

4732 - A member was added to a security-enabled local group.

4735 - A security-enabled local group was changed.

I can tell what domain controller is processing the change, and the credential used, but I cannot see the workstation / device triggering the change, only the DC processing the change.

My issue is that I am trying to track down where a benign script is running.


Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2024-03-13T07:16:46+00:00

    Hi CMGuy1,

    Thank you for posting in the Microsoft Community Forum.

    In the Windows event logs, event IDs 4662, 4732, and 4735 provide information about object operations, but they do not include details about the workstation or device that triggered the change. These events typically only record operations performed on domain controllers and do not offer detailed information about the source of the operation.

    If you want to determine information about the workstation or device that triggered the change, you may need to consider the following methods:

    • Network Logs: Check logs on network devices or firewalls, which may record network activity related to the triggered operation.
    • Security Information and Event Management (SIEM): If your organization uses a SIEM solution, you can review logs within the SIEM, which may provide a broader view, including information about devices involved in triggering the change.
    • Audit Policies: Deploy stricter audit policies in the network to record more activities, including user logins and access control changes. This can help provide more information about the source of the operation.
    • Network Traffic Analysis: Analyze network traffic, which may reveal network activity related to the triggered operation and provide clues about the source of the operation.
    • Other Security Tools: Utilize other security tools such as Endpoint Detection and Response (EDR) systems or behavior analysis tools, which may offer additional information about the devices involved in triggering the change.

    In summary, obtaining information about the workstation or device that triggered the change typically requires considering multiple data sources and security tools to gain a more comprehensive view.

    Best regards

    Neuvi Jiang

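The following is an added example and is not part of the thread above or of any Microsoft documentation. It shows the correlation a practitioner would usually try before turning to network logs: the group-management events (4728, 4732, 4756 for global, domain-local and universal groups) carry a Subject Logon ID, and the 4624 logon event written on the same domain controller for that Logon ID carries the client's IP address, workstation name and logon type. Everything runs on the originating DC's Security log; the sample records at the bottom are constructed so the correlation function can be exercised without a DC. Function names, the sample hostnames, SIDs and addresses are assumptions for illustration.

```powershell
# Added example: correlate AD group-membership change events with the 4624 logon
# session they were performed under, to recover the source host of the change.
# Assumes "Audit Logon" and "Audit Security Group Management" are enabled on the DC.

function ConvertTo-EventDataTable {
    # Flatten the <EventData> of one Security event into a hashtable keyed by Data Name,
    # so fields are addressed by name rather than by fragile positional index.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    $h
}

function Get-GroupChangeSource {
    # $LogonEvents: hashtables built from 4624 records.
    # $ChangeEvents: hashtables built from 4728/4732/4756 records.
    # The 4624 TargetLogonId equals the SubjectLogonId of a change made in that session.
    param(
        [Parameter(Mandatory)][hashtable[]]$LogonEvents,
        [Parameter(Mandatory)][hashtable[]]$ChangeEvents
    )
    $byLogonId = @{}
    foreach ($l in $LogonEvents) { $byLogonId[$l.TargetLogonId] = $l }

    foreach ($c in $ChangeEvents) {
        $l = $byLogonId[$c.SubjectLogonId]   # $null if the 4624 has already rolled out of the log
        [pscustomobject]@{
            Time        = $c.TimeCreated
            EventId     = $c.EventId
            Group       = $c.TargetUserName
            Member      = $c.MemberName
            Actor       = "$($c.SubjectDomainName)\$($c.SubjectUserName)"
            LogonId     = $c.SubjectLogonId
            LogonType   = if ($l) { $l.LogonType } else { $null }       # 3 = network (LDAP/RPC from a client), 4 = batch, 5 = service
            SourceIP    = if ($l) { $l.IpAddress } else { $null }       # '-' or '::1' means the change originated on the DC itself
            Workstation = if ($l) { $l.WorkstationName } else { $null }
        }
    }
}

function Get-GroupChangeSourceFromDC {
    # Live version: read the Security log of the DC that processed the change.
    # Logon IDs are only meaningful on the machine that issued them, so both event
    # sets must come from the same DC (the one named in your 4732/4735 events).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $logons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $start } |
        ForEach-Object { ConvertTo-EventDataTable $_ }
    $changes = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $start } |
        ForEach-Object { ConvertTo-EventDataTable $_ }
    Get-GroupChangeSource -LogonEvents $logons -ChangeEvents $changes
}

# Constructed sample records (not real DC data) so the correlation can be run offline.
$sampleLogons = @(
    @{ EventId = 4624; TargetLogonId = '0x3E7A1C'; LogonType = '3'; IpAddress = '10.20.30.40'; WorkstationName = 'WKS-0421' },
    @{ EventId = 4624; TargetLogonId = '0x9C2F';   LogonType = '4'; IpAddress = '-';           WorkstationName = 'DC01' }
)
$sampleChanges = @(
    @{ EventId = 4732; TimeCreated = '2024-03-12 13:58:02'; TargetUserName = 'Helpdesk-Local'
       MemberName = 'CN=jdoe,OU=Users,DC=corp,DC=example'; SubjectDomainName = 'CORP'
       SubjectUserName = 'svc-provision'; SubjectLogonId = '0x3E7A1C' },
    @{ EventId = 4728; TimeCreated = '2024-03-12 14:00:11'; TargetUserName = 'App-Admins'
       MemberName = 'CN=asmith,OU=Users,DC=corp,DC=example'; SubjectDomainName = 'CORP'
       SubjectUserName = 'svc-provision'; SubjectLogonId = '0x9C2F' }
)
Get-GroupChangeSource -LogonEvents $sampleLogons -ChangeEvents $sampleChanges | Format-Table -AutoSize
```

In the constructed sample the first change resolves to a network logon (type 3) from 10.20.30.40 / WKS-0421, which is the workstation running the script; the second resolves to a batch logon (type 4) with no remote address, which is what a scheduled task running on the DC itself looks like. Two caveats: the 4624 must be from the same DC and the same boot, since Logon IDs are unique only per machine and are reused after a restart, and the 4624 has to still be in the log when you search, so size the Security log or forward both event IDs to the SIEM together. Changes replicated in from another DC do not generate 4732/4728/4756 on the receiving DC, so query the DC that actually originated the change.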