Info about Event logs (Active directory)

Ramanjaneyulu Butharaju 421 Reputation points
2020-08-25T07:42:07.46+00:00

Recently, 3 of my Active Directory admins were unable to log in to the AD server through RDP.

After we cross-checked everything, we found these 3 users had been added to a security group called "Deny RDP access". After I removed the users from this group, they are able to log in now.

I just want to check: are there any logs that can give me information about who added these 3 users to this "Deny RDP access" group?

Is this security group (Deny RDP Access) a default one or a created one?

If it's a created one, how can I check who created it?

Thanks,
Ram

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Windows for business | Windows Server | User experience | Other

Accepted answer
  1. Anonymous
    2020-08-25T09:40:03.317+00:00

    Hello,

    Thank you so much for posting here.

    To check the logs for a newly created security group, for members added to this group, and for who created the group, we could configure the audit policy below.

    20231-1.png

    And then check the Event Viewer to check the security events as shown below.

    20214-2.png

    20241-3.png

    Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management

    As per my research, this security group (Deny RDP Access) should be a created one, since I did not find this group in my AD environment. If it is a created one, there might be other configuration denying logon through RDS, such as the group policy setting shown below. We could check whether this policy is configured or not.

    Computer configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    20119-4.png

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
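
An added example (not part of the original answer): once Audit Security Group Management is enabled as the accepted answer describes, this PowerShell searches the Security log for the standard group-created (4727/4731/4754) and member-added (4728/4732/4756) events and reports who changed the group named in the question. Variable names are illustrative; events exist only for changes made while the audit policy was on and before the log rolled over.

```powershell
# Added example. Run in an elevated session on a domain controller.
# The event is written only on the DC that processed the change,
# so repeat on each DC (Get-WinEvent also accepts -ComputerName).
$GroupName = 'Deny RDP access'          # group name taken from the question

$CreatedIds = 4727, 4731, 4754          # security group created (global/local/universal)
$AddedIds   = 4728, 4732, 4756          # member added (global/local/universal)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $CreatedIds + $AddedIds } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # TargetUserName holds the name of the group that was created or changed
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = if ($_.Id -in $CreatedIds) { 'GroupCreated' } else { 'MemberAdded' }
                Group       = $data['TargetUserName']
                # Subject* fields identify the account that made the change
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                # MemberName is the DN of the added account (empty for creation events)
                Member      = $data['MemberName']
                LoggedOn    = $_.MachineName
            }
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

An empty result means either the audit subcategory was not enabled when the change happened or the Security log on that DC has already overwritten the events.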


2 additional answers

  1. Ramanjaneyulu Butharaju 421 Reputation points
    2020-08-26T14:06:40.287+00:00

    HannahXiong-MSFT,

    Thank you so much. I will check your suggestions and get back to you.


  2. Ramanjaneyulu Butharaju 421 Reputation points
    2020-09-03T06:19:42.48+00:00

    hannahxiong,

    Unfortunately, I didn't find any event logs.

    Anyway, thanks. I learned some new things here.

