Auditing of Domain Local Groups

  • Question

  • So I have been searching online for some time now trying to find an event for changes made to Domain Local Groups. I have found that the following event codes have to do with Security-Enabled Local Groups: 4731, 4735, 4734, 4732, and 4733. However, these all have to do with "Builtin Local Groups", not "Domain Local Groups".

    For example I can see in the event log event 4732 where a user was added to "BUILTIN\Administrators", and when that user is removed from the same group I see event 4733. But I can't see any event on when a Domain Local Group has been changed.

    Note that "Domain Local Groups" are not the same as "Builtin Local Groups".

    Does anyone know of a good way to track down changes to "Domain Local Groups"?

    Monday, April 8, 2019 8:39 PM

All replies

  • Hello!

    First, you will need to have auditing enabled on your Domain Controllers (DCs). What you're looking for are the following Group Policy Objects (GPOs):

    GPO Path:
    Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access

    GPOs:

    • Audit Directory Service Access
    • Audit Directory Service Changes

    The Event IDs are as follows:

    Example:

    Hope this helps!

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Proposed as answer by Leon Laude Sunday, April 14, 2019 10:21 AM
    • Marked as answer by picilo59 Friday, May 3, 2019 5:26 PM
    • Unmarked as answer by picilo59 Friday, May 3, 2019 5:26 PM
    Monday, April 8, 2019 11:02 PM
  • Hi,

    Based on my knowledge, since domain local is one of the group scopes, we can consider it as a security/distribution group and navigate to the location as captured to audit it with audit security/distribution group management enabled. From https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

    Hope the information there can be helpful.

    Best regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 10, 2019 9:22 AM
    Moderator
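
An added example, not part of any reply in this thread: a PowerShell sketch that flattens the group-management events named in the question and separates built-in groups from other local-scope groups. It assumes domain local groups are logged under the same event IDs on a domain controller once the Security Group Management subcategory is audited, and that built-in groups report "Builtin" as their domain; the function name, group names and sample events are constructed for illustration.

```powershell
# Event IDs listed in the question (security-enabled local group
# created, changed, deleted, member added, member removed).
$LocalGroupEventIds = 4731, 4735, 4734, 4732, 4733

function ConvertTo-GroupChange {
    # Flatten one Security event, given as XML text, into a record.
    param([Parameter(Mandatory)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    $d = @{}
    foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        EventId   = [int]$e.System.EventID
        Group     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Member    = $d.MemberName
        ChangedBy = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        # Assumption: built-in groups report the domain name "Builtin".
        IsBuiltin = ($d.TargetDomainName -eq 'Builtin')
    }
}

# Constructed sample events, trimmed to the fields used; all names are made up.
$tpl = '<Event><System><EventID>{0}</EventID></System><EventData>' +
       '<Data Name="MemberName">CN=User A,CN=Users,DC=contoso,DC=example</Data>' +
       '<Data Name="TargetUserName">{1}</Data>' +
       '<Data Name="TargetDomainName">{2}</Data>' +
       '<Data Name="SubjectUserName">admin1</Data>' +
       '<Data Name="SubjectDomainName">CONTOSO</Data></EventData></Event>'
$sample = ($tpl -f 4732, 'Administrators', 'Builtin'),
          ($tpl -f 4732, 'DL-Share-RW', 'CONTOSO'),
          ($tpl -f 4733, 'DL-Share-RW', 'CONTOSO')

# Keep only changes to groups that are not built-in.
$sample | ForEach-Object { ConvertTo-GroupChange $_ } |
    Where-Object { -not $_.IsBuiltin } | Format-Table -AutoSize

# On a domain controller (elevated session), the same over the live log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $LocalGroupEventIds } |
#     ForEach-Object { ConvertTo-GroupChange $_.ToXml() } |
#     Where-Object { -not $_.IsBuiltin }
# Confirm the subcategory is audited:
# auditpol /get /subcategory:"Security Group Management"
```

With the sample data the table shows the two DL-Share-RW rows (4732 and 4733) and drops the Builtin\Administrators row.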
  • Hi,

    Just checking in to see if the information provided above was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Lavilian



    Friday, April 12, 2019 3:34 AM
    Moderator
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Lavilian



    Monday, April 15, 2019 2:56 AM
    Moderator
  • Thank you, your answer above was what I needed.
    Friday, May 3, 2019 5:27 PM
  • Hi,

    It's my pleasure that my information was helpful to you.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Lavilian



    Monday, May 6, 2019 9:10 AM
    Moderator