Friday, August 10, 2012

Monitor Group Membership Changes in a real-time manner

A common request for IT admins is monitoring Active Directory group memberships so that a notification is raised every time a member is added to (or removed from) a group.

Many admins assume that an expensive monitoring system must be in place to accomplish this; fortunately that assumption is wrong. All you need is the following:

Enable account management auditing:

  • On a domain controller open Start > Administrative Tools > Group Policy Management
  • Create a new Group Policy Object (GPO) linked to the Domain Controllers OU and give it a descriptive name [for my lab I named it Audit Account Management]
  • Edit the newly created GPO as follows: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy, then enable Audit account management, at least for Success
  • On Windows Server 2008 and later, if the domain already uses Advanced Audit Policy Configuration, the subcategory that matters is Audit Security Group Management (under Account Management); by default an advanced subcategory setting takes precedence over the legacy category above. Whichever you use, confirm the effective setting on a domain controller after gpupdate /force with: auditpol /get /subcategory:"Security Group Management"


Check the Security log in Event Viewer

  • Once the policy has taken effect and a group is modified (a member is added to it), events appear in the Security log in Event Viewer showing who performed the action, when, where (the group name) and which account was added. Note that the event is written only on the domain controller that processed the change, not on every DC.

  • The one that concerns us here is Event ID 4728, which records that a member was added to a security-enabled global group.

The table below summarises the event IDs for adding and removing members of security-enabled groups of each scope:

Group scope     Adding a member (Event ID)   Removing a member (Event ID)
Global          4728                         4729
Universal       4756                         4757
Domain local    4732                         4733

These IDs cover security-enabled groups only. Changes to distribution (security-disabled) groups are logged under separate IDs (4746/4747 for local, 4751/4752 for global, 4761/4762 for universal), so include those too if you also want to watch distribution lists.
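As an added example (not code from the original post), the following PowerShell pulls the six security-group membership events from the Security log and turns each into an object naming the group, the member and the account that made the change. It only uses Get-WinEvent and the EventData field names Windows writes for these IDs; it assumes PowerShell 3.0 or later and an elevated prompt on a domain controller (or a -ComputerName pointing at one). The -RecordId switch exists so the same function can serve a scheduled-task handler that is given one record to report on.

```powershell
# Added example: query and parse AD group membership change events.
# Assumes PowerShell 3.0+ and read access to the Security log on the DC.

# Event IDs for security-enabled groups (see the table above)
$GroupChangeIds = @{
    4728 = 'Added to global group'
    4729 = 'Removed from global group'
    4756 = 'Added to universal group'
    4757 = 'Removed from universal group'
    4732 = 'Added to domain local group'
    4733 = 'Removed from domain local group'
}

function ConvertFrom-GroupChangeEvent {
    # Flatten one 47xx event into an object. The field names are the
    # <Data Name="..."> elements Windows writes in EventData for these IDs.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $Event.TimeCreated
            EventId   = $Event.Id
            Action    = $GroupChangeIds[[int]$Event.Id]
            Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            GroupSid  = $data.TargetSid
            Member    = $data.MemberName      # distinguished name of the account added/removed
            MemberSid = $data.MemberSid
            ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId   = $data.SubjectLogonId
            DC        = $Event.MachineName    # the DC that processed the change
        }
    }
}

function Get-GroupMembershipChange {
    # -RecordId fetches one specific record (what a scheduled task can hand
    # to a handler script); otherwise everything in the last -Hours is returned.
    param(
        [long]$RecordId,
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($RecordId) {
        # FilterHashtable cannot select on record ID, so use an XPath query
        $xpath  = "*[System[EventRecordID=$RecordId]]"
        $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                      -ComputerName $ComputerName -ErrorAction Stop
    } else {
        $filter = @{
            LogName   = 'Security'
            Id        = @($GroupChangeIds.Keys)
            StartTime = (Get-Date).AddHours(-$Hours)
        }
        $events = Get-WinEvent -FilterHashtable $filter `
                      -ComputerName $ComputerName -ErrorAction SilentlyContinue
    }
    $events |
        Where-Object { $GroupChangeIds.ContainsKey([int]$_.Id) } |
        ConvertFrom-GroupChangeEvent
}

# Usage: all membership changes in the last 24 hours on this DC, newest first
Get-GroupMembershipChange -Hours 24 |
    Format-Table Time, Action, Group, Member, ChangedBy -AutoSize
```

The objects pipe naturally into Export-Csv for a daily review, or into Send-MailMessage for a digest; because each DC logs only the changes it processed, run the query against every DC (or against an event collector) to get the full picture.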

Although this may be sufficient for some admins, it is not for others, since it requires opening Event Viewer and filtering events on a regular basis to check whether a group membership was modified by adding or removing member(s). To overcome this, we can hook Event Viewer into our Exchange mail system so that a mail is sent every time one of these IDs appears in the Security log: right-click the 4728 event in Event Viewer and choose Attach Task To This Event, which opens the Create Basic Task wizard with the trigger already filled in (Log: Security, Source: Microsoft-Windows-Security-Auditing, Event ID: 4728).

Then proceed with the wizard as follows: give the task a name, keep the event trigger, choose the Send an e-mail action, and fill in From, To, Subject, the message text and the SMTP server (an Exchange receive connector that allows relay from the domain controller's IP address, since the task will send unauthenticated), then finish the wizard. Note that the built-in Send an e-mail action is deprecated from Windows Server 2012 onwards; on those versions use a Start a program action that runs a PowerShell script calling Send-MailMessage instead.

By default this task will only run when the user who created it is logged on. Change the task to run under the NT AUTHORITY\SYSTEM account by clicking the Change User or Group button and entering SYSTEM. This also configures the task to run whether the user is logged on or not.

The wizard accepts only one Event ID per trigger. To be notified of every group membership modification, either create one task per ID or edit the trigger, switch it to Custom, and supply a New Event Filter / XML query that lists all six IDs. And because each event is logged only on the DC that made the change, the task has to exist on every domain controller (or the events must be forwarded to a collector that runs the task).
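As an added example (not code from the original post), here is the same notification task registered from PowerShell instead of the wizard. One task covers all six IDs through a custom event subscription, runs as SYSTEM, and passes the handler script only the numeric record ID; the handler reads the event itself and mails the rendered message text. It needs the ScheduledTasks module (Windows Server 2012 or later) and an elevated prompt on the domain controller. The task name, script path, SMTP server and mail addresses are placeholders chosen for this example.

```powershell
# Added example: register the group-change notification task without the wizard.
# Assumes Windows Server 2012+ (ScheduledTasks module) and an elevated prompt.

$TaskName   = 'Notify - AD group membership change'      # assumed name
$HandlerPs1 = 'C:\Scripts\Notify-GroupChange.ps1'        # assumed path

# Handler script: fetch the event by record ID and mail its rendered text.
# SMTP server and addresses below are placeholders; the relay must accept
# unauthenticated mail from the DC because the task runs as SYSTEM.
$handler = @'
param([Parameter(Mandatory = $true)][long]$RecordId)
$ev = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$RecordId]]" -ErrorAction Stop
Send-MailMessage -SmtpServer 'smtp.example.local' `
    -From "$($env:COMPUTERNAME)-alerts@example.local" -To 'secops@example.local' `
    -Subject "AD group membership change: event $($ev.Id) on $($ev.MachineName)" `
    -Body $ev.Message
'@
New-Item -ItemType Directory -Path (Split-Path $HandlerPs1) -Force | Out-Null
Set-Content -Path $HandlerPs1 -Value $handler -Encoding ASCII

# Task definition. The Subscription is an XPath event filter (XML-escaped, the
# way Task Scheduler stores it) matching the six security-group events, and
# ValueQueries exposes $(RecordId) to the action. Only the record ID is passed
# on purpose: substituting group or member names into a SYSTEM command line
# would let a crafted account name smuggle extra arguments into the command.
$taskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4756 or EventID=4757)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="RecordId">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "__HANDLER__" -RecordId $(RecordId)</Arguments>
    </Exec>
  </Actions>
</Task>
'@ -replace '__HANDLER__', $HandlerPs1

Register-ScheduledTask -TaskName $TaskName -Xml $taskXml -Force | Out-Null

# Verify: the task exists, is ready, and runs as SYSTEM (S-1-5-18)
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

Run it on every domain controller, since each DC only logs the membership changes it processed itself. To extend the coverage to distribution groups, add their IDs to the EventID list in the Subscription.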