How to Detect Changes to Organizational Units and Groups in Active Directory

Native Auditing
  1. Run GPMC.msc → Create a new GPO and edit it → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit account management → Define → Success
    • Audit directory service access → Define → Success.
  2. Return to the Security Settings level → Event Log:
    • Maximum security log size → Define to 4 GB
    • Retention method for security log → Define to Overwrite events as needed.
  3. Link the new GPO: Go to "Group Policy Management" → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.
  4. Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
  5. Open ADSI Edit → Right-click ADSI Edit → Connect to Default naming context → Right-click DomainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and Descendant objects" → Permissions → Select all check boxes by clicking on "Full Control", except the following: Full Control, List Contents, Read all properties, Read permissions → Click "OK".
  6. Open Event Viewer and filter the Security log to find the following event IDs (Windows Server 2003/2008-2012):
    • 4727, 4731, 4754, 4759, 4744, 4749 – Group created
    • 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
    • 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
    • 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
    • 4735, 4737, 4745, 4750, 4755, 4760 – Group changed
    • 4662 – An operation was performed on an object (Type: Directory Service Access).
Microsoft Windows Security Event 4662: an operation was performed on an object
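
The Event Viewer filter from step 6 can also be run from PowerShell. The script below is an added example, not part of the original page or of Netwrix's tooling; it uses the built-in Get-WinEvent cmdlet with the event IDs listed above, and the 24-hour lookback window and the output column names are assumptions.

```powershell
# Added example, not from the original page. Run in an elevated session on a
# domain controller; reading the Security log requires administrative rights.
$Since = (Get-Date).AddDays(-1)   # assumption: 24-hour lookback window

# Event IDs exactly as listed in step 6, grouped by the change they indicate.
$Categories = [ordered]@{
    'Group created'               = 4727, 4731, 4754, 4759, 4744, 4749
    'Member added to a group'     = 4728, 4732, 4756, 4761, 4746, 4751
    'Member removed from a group' = 4729, 4733, 4757, 4762, 4747, 4752
    'Group deleted'               = 4730, 4734, 4758, 4748, 4753, 4763
    'Group changed'               = 4735, 4737, 4745, 4750, 4755, 4760
    'Directory object operation'  = 4662
}

function Get-EventField {
    # Return the named EventData value from an event's XML, or $null if absent.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$report = foreach ($category in $Categories.Keys) {
    # One query per category keeps each filter's ID list short.
    $filter = @{ LogName = 'Security'; Id = $Categories[$category]; StartTime = $Since }
    # Get-WinEvent reports an error when nothing matches, so that error is suppressed.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Group events name the group in TargetUserName; 4662 names the object in
        # ObjectName, which is often logged as a GUID in %{...} form.
        $targetField = if ($_.Id -eq 4662) { 'ObjectName' } else { 'TargetUserName' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Change     = $category
            Actor      = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'),
                                      (Get-EventField $xml 'SubjectUserName')
            Target     = Get-EventField $xml $targetField
            Member     = Get-EventField $xml 'MemberName'   # add/remove events only
            ObjectType = Get-EventField $xml 'ObjectType'   # 4662 only
        }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so the script has to be run against every domain controller to see all changes.
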
Netwrix Auditor for Active Directory
  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "Data source"
      Operator = "Equals"
      Value = "Active Directory"
    • Filter = "Object type"
      Operator = "Equals"
      Value = "OrganizationalUnit"
    • Filter = "Object type"
      Operator = "Equals"
      Value = "Group"
  2. Click the "Search" button and review what changes were made to groups and organizational units.
Netwrix Auditor Search: detect changes to organizational units and groups in Active Directory

To create an alert on modifications to organizational units and groups:

  1. From the search results, navigate to "Tools" → Click "Create alert" → Specify the new alert’s name.
  2. Switch to the "Recipients" tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click "Add" to save the alert.

Continuously Monitor Changes to OUs and Groups to Avoid System Downtime

Any unintentional or malicious change to Active Directory organizational units (OUs) can have serious repercussions. For example, if an Active Directory OU containing user accounts is deleted, users will not be able to log in, and those who are already logged in may have trouble accessing email, file servers and other critical resources. The deletion of a group in Active Directory can result in similar issues because users often gain important access permissions via group membership. All of these issues disrupt business workflows, hurt productivity and increase pressure on the help desk.

Netwrix Auditor for Active Directory can audit all changes made to groups and OUs in Active Directory and it can quickly reverse unauthorized modifications by restoring Active Directory objects. That is, if an unintentional or malicious change occurs, Netwrix Auditor for Active Directory can quickly revert all configuration settings to a previous state, without any downtime or having to restore from backup. It can also restore the passwords of users that were deleted. In other words, you can quickly turn back the clock on changes to OUs in Active Directory that may indicate a security threat.
