Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / PowerShell / How To Monitor Group Membership Changes in Active Directory

October 1, 2024

How To Monitor Group Membership Changes in Active Directory

It can be difficult to track exactly who made certain changes when the Active Directory domain infrastructure is managed by multiple administrators (added or removed a user from a security group). This article shows how to use an audit policy and a PowerShell script to automatically alert administrators (via e-mail or Messenger) when a new user is added to one of the privileged (administrative) AD groups (such as Domain Admins, Enterprise Admins, Schema Admins, etc.).

Contents:
  • Enable Audit Policy for AD Group Membership Changes
  • Report on Changed Privileged AD Groups with PowerShell
  • Alert Admin When a New User is Added to the AD Group
  • Monitor Active Directory Group Membership Changes Across All DCs

Enable Audit Policy for AD Group Membership Changes

Enable Group Policy to audit AD security group policy changes on the domain controllers.

  1. Open the domain Group Policy Management snap-in (gpmc.msc);
  2. Edit the Default Domain Controller Policy;
  3. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Configuration -> Account Management. Enable the policy Audit Security Group Management with Success events logging;Enable audit security group management policy in AD
  4. Once the new GPO settings have been applied, any changes to AD groups (creation, deletion, adding/removing users to/from groups) will result in an event being logged in the security log on the domain controller.

When a user is added to a group, an event with EventID 4732 will appear:

A member was added to a security-enabled global group.

Or the EventID 4728:

A member was added to a security-enabled local group.

The event description contains the following info:

  • Which security group has been changed: Group Name: DnsAdmins
  • The user who has been added to the group: Member: Security ID:
  • Who has made a change to the group membership: Subject: Account Name:

Event 4732: A member was added to a security-enabled group

Report on Changed Privileged AD Groups with PowerShell

You can use the Get-WinEvent PowerShell cmdlet to get information about all the recent 4732 and 4728 events from the Event Viewer on a domain controller in the last 24 hours:

$time = (get-date) - (new-timespan -hour 24)
$result = Get-WinEvent -FilterHashtable @{logname='Security';id=4732,4728;StartTime=$Time} -ErrorAction SilentlyContinue| ForEach-Object {
    $eventXml = ([xml]$_.ToXml()).Event
    [PSCustomObject]@{
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        NewUser = $eventXml.EventData.Data[0]."#text"
        Group = $eventXml.EventData.Data[2]."#text"
        Admin = $eventXml.EventData.Data[6]."#text"
        Computer      = $eventXml.System.Computer
    }
}
$result | Format-Table -AutoSize 

PowerShell: list AD group change events

The script results will include the name of the changed AD group, which user account was added, and which administrator made the change (script based on the example in the post How to detect who created a user account in Active Directory).

Create a variable to filter changes to privileged user groups only:

$AdminGroups = @('Enterprise Admins', 'Domain Admins', 'DNSAdmins', 'Microsoft Exchange Servers')

A list of privileged groups in AD is available here https://learn.microsoft.com/en-us/defender-for-identity/entity-tags?WT.mc_id=AZ-MVP-5004810#sensitive-entities.

Now you only need to filter the events where privileged groups have been changed:

$filteredevents=$result | Where-Object { $_.Group -in $AdminGroups }

Alert when user added to domain admins group

Alert Admin When a New User is Added to the AD Group

Now you need to notify administrators of changes to privileged groups in AD. You can use the Send-MailMessage cmdlet to send an e-mail notification:

If ($filteredevents)
{
  $mailbody= $filteredevents|ConvertTo-Html
  {Send-MailMessage -SmtpServer war-msg01 -From [email protected] -To [email protected] -Subject "AD administrative groups have changed!" -Body $mailbody -Priority High}
}

Or send an alert to your messenger:

  • How to send notifications to Telegram from a PowerShell script
  • Sending a message to an MS Teams channel using PowerShell

Monitor Active Directory Group Membership Changes Across All DCs

If you have more than one domain controller, you will need to run this script on each of them.

Group membership change events are logged on the domain controller that your ADUC snap-in or PowerShell console (with the Add-ADGroupMember command) is connected to (this is usually the current Logon Server). As a result, you will need to check each DC to see if the specified events are present. You can use the script to loop through all the domain controllers:

$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs){
  Get-WinEvent -ComputerName $DC -FilterHashtable …
  …
}

But it’s more convenient to create a scheduler task on each of the DCs that will run your PowerShell script on a scheduled basis.

  1. Copy the PS1 file that contains the PowerShell script to the NETLOGON directory (\\woshub.com\NETLOGON);
  2. Assign a new GPO that creates a new scheduler task to the Domain Controllers OU (Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks). This is the task that will run your PowerShell script:
    On a schedule -> Daily
    Action: Start a program
    Program/Script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    Add Arguments (optional): -ExecutionPolicy Bypass -command "& \\woshub.loc\NETLOGON\CheckADAdminsGroups.ps1"
  3. This means that the membership of the admin groups will be checked once a day and if new users are added to them, the admin will be notified. The notification will include the privileged group name, the name of the new user, and information about who added the user to the AD group.
If you want to be notified immediately when a user is added to the privileged administrators’ group, you must attach the Scheduler task to event codes 4732 and 4728 (Trigger -> New -> On an event -> Custom -> New Event Filter). For an example, see the article How to run a script (program) when a specific program is started (stopped) in Windows?

In domain infrastructures with a large number of Domain Controllers and administrators, you can use a centralized system to collect the logs from all of the DCs (ELK, Graylog, Splunk, etc.).

3 comments
2
Facebook Twitter Google + Pinterest
Active DirectoryPowerShellWindows Server 2019Windows Server 2022
previous post
Error 0x80073CFA: Can’t Uninstall Apps using Remove-AppxPackage in Windows 10
next post
Enable Access-based Enumeration (ABE) on Shared Folders (SMB)

Related Reading

How to Get My Public IP Address with...

October 24, 2023

How to See Number of Active User Sessions...

March 16, 2024

Disks and Partitions Management with Windows PowerShell

March 11, 2024

How to Create and Use a RAM Drive...

December 18, 2023

FTP Server Quick Setup on Windows 10/11 and...

March 16, 2024

Implementing Dynamic Groups in Active Directory with PowerShell

October 3, 2024

How to Find Large Files on a Computer...

September 26, 2024

How to Backup Hyper-V Virtual Machines (Tutorial)

November 9, 2023

3 comments

visitor February 7, 2020 - 1:43 pm

I tried the ‘Comparing the Current Members of the Domain Group with the Saved Template’ part but it doesn’t work. It writes the files with the correct content but something in diff goes wrong.

(Get-ADGroupMember -Identity “Domain Admins” -recursive).Name | Out-File C:\PS\DomainAdmins.txt
(Get-ADGroupMember -Identity “Domain Admins” -recursive).Name | Out-File C:\PS\DomainAdminsActual.txt
$old_adgroup_members=GC C:\PS\DomainAdmins.txt
$new_adgroup_members=GC C:\PS\DomainAdminsActual.txt
$diff=Compare-Object -ReferenceObject $old_adgroup_members -DifferenceObject $new_adgroup_members | Select-Object -ExpandProperty InputObject
write-host $diff
$result=(Compare-Object -ReferenceObject $old_adgroup_members -DifferenceObject $diff | Where-Object {$_.SideIndicator -eq “=>”} | Select-Object -ExpandProperty InputObject) -join “, ”
If ($result)
{msg * “A user $result has been added to Domain the Admins group”}

Compare-Object : Cannot bind argument to parameter ‘DifferenceObject’ because it is null.
At C:\ps\da2.ps1:7 char:81
+ … -ReferenceObject $old_adgroup_members -DifferenceObject $diff | Where …
+ ~~~~~
+ CategoryInfo : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObje
ctCommand

Reply
admin February 11, 2020 - 7:36 am

Please, make sure that your DomainAdmins.txt and DomainAdminsActual.txt files are not empty.

Reply
Visitor January 27, 2021 - 3:58 pm

This only seems to work if you add users to security groups on the domain controller itself, not if someone adds a user on their workstation — it won’t generate an event on the DC. I’m only getting event ID 4728 when the user is added locally on the DC. If I add a user to a security group on my workstation via AD, I generate event ID 4732 on my local workstation, but nothing on the DC.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Using WMI Filters to Target Group Policies in Active Directory
  • Set Desktop Wallpaper and Logon Screen Background via Group Policy
  • Implementing Dynamic Groups in Active Directory with PowerShell
  • Fix: Slow Logins Caused by Long Group Policy Processing
  • How to Deploy Certificates to Computers Using Group Policy
  • Configuring Kerberos Authentication in Different Browsers
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top