How to Monitor Active Directory Group Membership Changes


Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing steps
  1. Open the PowerShell ISE → Run the following script, adjusting the timeframe:

    # Get domain controllers list (requires the RSAT ActiveDirectory module)
    Import-Module ActiveDirectory
    $DCs = Get-ADDomainController -Filter *

    # Define timeframe for report (default is 1 day)
    $startDate = (Get-Date).AddDays(-1)

    # Collect group membership change events from the Security log of every DC.
    # 4728 = member added to a security-enabled global group, 4729 = member removed.
    # (Local and universal groups log 4732/4733 and 4756/4757 instead.)
    # Use += so events from all DCs are kept, not just those of the last DC in the loop.
    $events = @()
    foreach ($DC in $DCs) {
        $events += Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate |
            Where-Object { $_.EventID -eq 4728 -or $_.EventID -eq 4729 }
    }

    # Loop through each stored event; print all changes to security global group members with when, who, what details.
    # ReplacementStrings positions: [0] member DN, [2] group name, [6] account that made the change.
    foreach ($e in $events) {
        # Member Added to Group
        if ($e.EventID -eq 4728) {
            Write-Host "Group: "$e.ReplacementStrings[2] "`tAction: Member added `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount added: "$e.ReplacementStrings[0]
        }
        # Member Removed from Group
        if ($e.EventID -eq 4729) {
            Write-Host "Group: "$e.ReplacementStrings[2] "`tAction: Member removed `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount removed: "$e.ReplacementStrings[0]
        }
    }

  2. Review the results:

PowerShell group membership changes report

Netwrix Auditor for Active Directory steps

  1. Run Netwrix Auditor → Navigate to “Reports” → Open “Active Directory” → Go to “Active Directory Changes” → Select “Security Group Membership Changes” → Click “View”.

    If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.

Netwrix Auditor Security Group Membership Changes report: shows changes to the membership of security groups

Audit Active Directory Group Membership Changes

Security management best practices recommend controlling access permissions by assigning users to Active Directory groups. Of course, that requires the ongoing task of ensuring that group membership remains correct. One option is to use the PowerShell script provided above to audit account group membership changes regularly, either by remembering to run the script manually or by using Windows scheduled tasks.
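As an added example (not the page's or Netwrix's own code), here is a scheduled-task-ready version of the native approach: it reads the same membership events with Get-WinEvent, extends them to local and universal security groups, pulls fields by name instead of by ReplacementStrings position, and writes a CSV. It assumes the RSAT ActiveDirectory module is installed, that the caller can read each DC's Security log, and that $OutFile is a constructed path you will change.

```powershell
# Added example, not from the original page: the same report, extended to local and
# universal security groups, read with Get-WinEvent and written to CSV so it can run
# unattended from a scheduled task. Assumes the RSAT ActiveDirectory module and read
# access to each DC's Security log; $OutFile is a constructed path.
Import-Module ActiveDirectory

$OutFile   = 'C:\Reports\GroupMembershipChanges.csv'   # constructed output path
$StartDate = (Get-Date).AddDays(-1)                     # look back one day

# Event ID -> action and group scope: 4728/4729 global, 4732/4733 local, 4756/4757 universal.
$EventMap = @{
    4728 = @('Member added', 'Global');    4729 = @('Member removed', 'Global')
    4732 = @('Member added', 'Local');     4733 = @('Member removed', 'Local')
    4756 = @('Member added', 'Universal'); 4757 = @('Member removed', 'Universal')
}

$Report = foreach ($DC in (Get-ADDomainController -Filter *)) {
    $Filter = @{ LogName = 'Security'; Id = [int[]]$EventMap.Keys; StartTime = $StartDate }
    # Get-WinEvent raises an error when a DC has no matching events; suppress it and carry on.
    $Events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable $Filter -ErrorAction SilentlyContinue
    foreach ($E in $Events) {
        # Read EventData fields by name rather than by ReplacementStrings position.
        $Data = @{}
        foreach ($D in ([xml]$E.ToXml()).Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
        [pscustomobject]@{
            When      = $E.TimeCreated
            DC        = $DC.HostName
            Action    = $EventMap[[int]$E.Id][0]
            Scope     = $EventMap[[int]$E.Id][1]
            Group     = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
            Member    = $Data['MemberName']      # distinguished name of the changed account
            MemberSid = $Data['MemberSid']
            Who       = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        }
    }
}

# Each DC logs only the changes it processed itself, so merge all DCs and sort by time.
$Report | Sort-Object When | Export-Csv -Path $OutFile -NoTypeInformation
$Report | Sort-Object When | Format-Table -AutoSize
```

Querying every DC matters because a membership change is logged only on the DC that processed it; a single-DC query silently misses the rest.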

But why bother with PowerShell scripting when you can monitor AD group membership changes far more easily and truly take control of your domain security? In just a few clicks, you can get Netwrix Auditor’s “Security Group Membership Changes” report right in your mailbox on the schedule you specify, or have it uploaded to a Windows Server file share for further audit.

And you don’t have to limit yourself to monitoring group membership changes: Netwrix Auditor for Active Directory lets you just as easily review current or past AD group membership; administrative group settings and other configurations of Active Directory and Group Policy; changes to those configurations; and both interactive and non-interactive logons. You can quickly export any report to PDF or CSV format for further review and analysis.
