How to Monitor Active Directory Group Membership Changes

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory

In order to monitor AD group membership changes with PowerShell:

  1. Open the PowerShell ISE.
  2. Copy and run the following script, adjusting the timeframe in the PowerShell code:

# Get domain controllers list
$DCs = Get-ADDomainController -Filter *

# Define timeframe for report (default is 1 day)
$startDate = (get-date).AddDays(-1)

# Store group membership changes events from the security event logs in an array.
foreach ($DC in $DCs){
$events = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4728 -or $_.eventID -eq 4729}}

# Loop through each stored event; print all changes to security global group members with when, who, what details.

  foreach ($e in $events){
    # Member Added to Group

    if (($e.EventID -eq 4728 )){
      write-host "Group: "$e.ReplacementStrings[2] "`tAction: Member added `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount added: "$e.ReplacementStrings[0]
    # Member Removed from Group
    if (($e.EventID -eq 4729 )) {
      write-host "Group: "$e.ReplacementStrings[2] "`tAction: Member removed `tWhen: "$e.TimeGenerated "`tWho: "$e.ReplacementStrings[6] "`tAccount removed: "$e.ReplacementStrings[0]

PowerShell group membership changes report
  1. Run Netwrix Auditor → Click on “Reports” → Open “Active Directory” → Go to “Active Directory Changes” → Select “Security Group Membership Changes” → Click “View”.
  2. If you want to get this report by email regularly, click the "Subscribe" option and define the schedule and recipients.
  3. To export the report to PDF, click the “Save” button and select where you want to save the file.
Netwrix Auditor Security Group Membership Changes report: shows changes to the membership of security groups

Audit Changes to Active Directory Group Membership 

Best practices recommend controlling access permissions by assigning users to Active Directory groups. Of course, permissions assignment is not a once-and-done task; domain admins have the never-ending job of ensuring that each user’s group membership is exactly what they need to do their job. One way to tackle this issue is to use a PowerShell script to collect the Windows Security log and track account group membership changes. You can either run the script manually from time to time, or use the Windows task scheduler to run it automatically.

But there is a much better way to monitor AD group membership changes: get Netwrix Auditor’s “Security Group Membership Changes” report delivered automatically to your mailbox or uploaded to a Windows Server file share on the schedule you specify. The report provides all the details you need for audits and investigations, in a format that is easy to read and understand. 

Auditing group membership changes is not the only feature of Netwrix Auditor for Active Directory. You can also easily review the state of AD group membership, user accounts and their settings, changes to AD and Group Policy objects (GPOs), and both interactive and non-interactive logons. You can easily export any report to pdf or csv format to local computer or a file share for further review and investigation.

Related How-tos