How to Detect Who Added a User to Domain Admins Group

Native Auditing

Steps
  1. Configure the audit policy by running GPMC.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Define → Success.
  2. Configure object-level Active Directory auditing by opening ADSI Edit → Connect to "Default naming context" → Click "OK" → Right-click the domainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and Descendant objects" → Permissions: → Select all check boxes except the following: "Full Control", "List Contents", "Read all properties", "Read permissions" → Click "OK".
  3. Enlarge the Security event log capacity by running GPMC.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:
    a. Maximum security log size to 1 GB
    b. Retention method for security log to "Overwrite events as needed"
    Run the "gpupdate /force" command.
  4. Run eventvwr.msc and filter the Security log for event ID 4728 to detect when users are added to security-enabled global groups. The group name in our case is "Domain Admins".
Event Viewer: event id 4728
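As an added example (not part of the original how-to), the following PowerShell does step 4 without the Event Viewer GUI: it reads event ID 4728 from a domain controller's Security log and lists who added which account to "Domain Admins", assuming the audit policy from steps 1 to 3 is already applied. The $DomainController name is a placeholder.

```powershell
# Added example, not from the original page. Requires the account-management audit
# policy from the steps above; $DomainController is a placeholder for a real DC name.

$DomainController = 'DC01'            # placeholder: DC whose Security log to read
$TargetGroup      = 'Domain Admins'
$Since            = (Get-Date).AddDays(-7)

# 4728 = "A member was added to a security-enabled global group"
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # The who/what fields live in EventData; read them from the event XML by name
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only additions to the group we care about
    if ($data['TargetUserName'] -ne $TargetGroup) { continue }

    [pscustomobject]@{
        Time        = $event.TimeCreated
        AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        MemberAdded = $data['MemberName']      # distinguishedName of the account added
        Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonId     = $data['SubjectLogonId']  # correlate with 4624 to find the source host
        DC          = $event.MachineName
    }
}
```

The event is written only on the domain controller that processed the change, so run this against every DC (or a central log collector) rather than a single one.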
Netwrix Auditor for Active Directory

Steps
  1. Run Netwrix Auditor → Navigate to "Alerts" → Find the predefined alert "Group Membership Changes" → Enable it: change "Mode" to "On".
  2. Double-click the alert → Navigate to "Recipients" and specify the email addresses the alert should be delivered to.

Whenever someone modifies the Domain Admins group, you will receive an alert similar to the one shown below:

Netwrix Auditor Alert on Group Membership Changes

Detect Users with Excessive Permissions in the Domain Admins Group to Ensure the Integrity of Active Directory

Adding a user to the Domain Admins group grants that user full access rights to Active Directory and to other IT systems that use Windows authentication. If an IT pro adds a user to Domain Admins without a valid reason, the result can be the deletion of critical organizational units, a domain controller shutdown or a security breach. To keep the system secure, it is vital to continuously monitor all changes made to the Domain Admins group and to be able to quickly determine who added a user to it.

Netwrix Auditor for Active Directory enables you to monitor all actions in Active Directory, including when someone adds a user to the Domain Admins group, and provides all the critical who-what-when-where details. Moreover, appropriate IT team members are automatically notified whenever somebody has added a user to the Domain Admins Group, so they can quickly investigate whether the change was authorized and revert it if necessary. Netwrix Auditor for Active Directory helps you ensure the integrity of Active Directory and keep an eye on who adds a domain user.
