Event ID when a User is Added or Removed from Security-Enabled Global Group such as Domain Admins or Group Policy Creator Owners


Applies to: Windows Server 2008, 2008 R2 and 2012

Requirement: You would like to investigate who added or removed a specific domain user to or from Domain Admins or Group Policy Creator Owners.

Prerequisite: Auditing has to be configured on the domain controllers. In particular, the “Audit account management” policy must be configured, with both the Success and Failure settings defined. To configure auditing on domain controllers, edit and update the DDCP (Default Domain Controller Policy).


When a user is added to a security-enabled GLOBAL group, an event is logged with Event ID: 4728

Event Details for Event ID: 4728

A member was added to a security-enabled global group.

Subject:
    Security ID:      TESTLAB\Santosh
    Account Name:     Santosh
    Account Domain:   TESTLAB
    Logon ID:         0x50B79DA

Member:
    Security ID:      TESTLAB\Temp
    Account Name:     CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
    Security ID:      TESTLAB\Domain Admins
    Group Name:       Domain Admins
    Group Domain:     TESTLAB

In this example, TESTLAB\Santosh has added the user TESTLAB\Temp to the Domain Admins group.

When a user is removed from a security-enabled GLOBAL group, an event is logged with Event ID: 4729

Event Details for Event ID: 4729

A member was removed from a security-enabled global group.

Subject:
    Security ID:      TESTLAB\Santosh
    Account Name:     Santosh
    Account Domain:   TESTLAB
    Logon ID:         0x50B79DA

Member:
    Security ID:      TESTLAB\Temp
    Account Name:     CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
    Security ID:      TESTLAB\Domain Admins
    Group Name:       Domain Admins
    Group Domain:     TESTLAB

In this example, TESTLAB\Santosh has removed the user TESTLAB\Temp from the Domain Admins group.
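To pull both kinds of change (4728 and 4729) out of the Security log and see who changed which group, the following PowerShell script is an added example, not part of the original article. It assumes the auditing prerequisite above is already in place, and the group list, lookback window and target computer are parameters you set yourself.

```powershell
# Added example (not from the original post): list who added or removed members of the
# monitored groups using the 4728/4729 events described above. Run on a domain controller,
# or pass -ComputerName, with "Audit account management" auditing already enabled.
param(
    [string[]]$GroupName  = @('Domain Admins', 'Group Policy Creator Owners'),
    [int]$Days            = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4729           # 4728 = member added, 4729 = member removed (global group)
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event XML carries named fields; the rendered message only shows them as labels.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }
            Group   = "$($d.TargetDomainName)\$($d.TargetUserName)"     # the group that was changed
            Member  = $d.MemberName                                     # DN of the member, as in the event
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who made the change
            LogonId = $d.SubjectLogonId
            DC      = $_.MachineName
        }
    } |
    Where-Object { $GroupName -contains $_.Group.Split('\')[-1] } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Each domain controller only records the membership changes it processed itself, so run this against every DC (or against a collector that forwards their Security logs) to get the complete picture.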

– End of the Article –
