Active Directory: How to Detect Changes to OUs and Groups

Why Is It Important?

Any unintentional or malicious change to Active Directory organizational units (OUs) can have serious repercussions. For example, if an Active Directory OU containing user accounts is deleted, users will not be able to log in, and those who are already logged in may have trouble accessing email, file servers and other critical resources. The deletion of a group in Active Directory can result in similar issues, because users often gain important access permissions via group membership. All of these issues disrupt business workflows, hurt productivity and increase pressure on the help desk.

Native Auditing

1. GPMC

Run GPMC.msc

Audit policy

  • Create a new policy, assign it to the domain and choose "Edit"
  • Go to Computer Configuration
    • Policies
      • Windows Settings
        • Security Settings
          • Local Policies
            • Audit Policy
  • Audit account management
    • Define: Success
  • Audit directory service access
    • Define: Success

Event log

  • In GPMC, return to the Security Settings level
    • Event Log
  • Maximum security log size
    • Define: 4GB
  • Retention method for security log
    • Define: Overwrite events as needed

2. GPupdate

Run "gpupdate /force" command.

3. Adsiedit

  • Open ADSI Edit
  • Right-click ADSI Edit
  • Connect to Default naming context
  • Right-click the DomainDNS object with the name of your domain
  • Properties
    • Security (Tab)
      • Advanced (Button)
      • Auditing (Tab)
        • Add Principal "Everyone"
        • Type "Success"
        • Applies to "This object and Descendant objects"
        • Permissions
        • Select all check boxes by clicking "Full Control", then clear the following:
          • Full Control, List Contents, Read all properties, Read permissions
      • Click "OK".

4. Event Viewer

Open Event Viewer and filter the Security log for the following event IDs (Windows Server 2003 / Windows Server 2008-2012):

Group created

  • Windows Server 2003: 631, 635, 648, 653, 658, 663
  • Windows Server 2008-2012: 4727, 4731, 4754, 4759, 4744, 4749

Member added to a group

  • Windows Server 2003: 632, 636, 650, 655, 660, 665
  • Windows Server 2008-2012: 4728, 4732, 4756, 4761, 4746, 4751

Member removed from a group

  • Windows Server 2003: 633, 637, 651, 656, 661, 666
  • Windows Server 2008-2012: 4729, 4733, 4757, 4762, 4747, 4752

Group deleted

  • Windows Server 2003: 634, 638, 652, 662, 667, 657
  • Windows Server 2008-2012: 4730, 4734, 4758, 4748, 4753, 4763

Group changed

  • Windows Server 2003: 639, 641, 649, 654, 659, 664
  • Windows Server 2008-2012: 4735, 4737, 4745, 4750, 4755, 4760

An operation was performed on an object (Type: Directory Service Access)

  • Windows Server 2003: 566
  • Windows Server 2008-2012: 4662
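Instead of filtering the Security log by hand in Event Viewer, the same lookup can be scripted. The following PowerShell is an added example, not code from the original Netwrix article: it queries a domain controller's Security log for the Windows Server 2008-2012 event IDs listed above, labels each hit with the change it represents, and pulls the actor, target group and member name out of the event XML. It assumes it runs with rights to read the Security log; the 24-hour lookback window and the output columns are my own choices.

```powershell
# Event IDs from the Windows Server 2008-2012 column above, grouped by the change they represent.
$categories = [ordered]@{
    'Group created'              = 4727, 4731, 4754, 4759, 4744, 4749
    'Member added to group'      = 4728, 4732, 4756, 4761, 4746, 4751
    'Member removed from group'  = 4729, 4733, 4757, 4762, 4747, 4752
    'Group deleted'              = 4730, 4734, 4758, 4748, 4753, 4763
    'Group changed'              = 4735, 4737, 4745, 4750, 4755, 4760
    'Directory object operation' = 4662   # high volume with the broad SACL from step 3; tune the SACL, not the query
}

$since = (Get-Date).AddHours(-24)   # lookback window (assumed value, adjust as needed)

$results = foreach ($name in $categories.Keys) {
    # One query per category keeps each ID list short and labels the hits directly.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$categories[$name]
        StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error; ignore it

    foreach ($e in $events) {
        # The event XML carries named fields (SubjectUserName, TargetUserName, MemberName, ...).
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Change = $name
            Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # Group events name the group in TargetUserName; 4662 names the object in ObjectName.
            Target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectName'] }
            Member = $data['MemberName']   # populated only for member add/remove events
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on each domain controller (or point Get-WinEvent at one with -ComputerName), since group changes are logged only on the DC that processed them.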

Credits

Originally posted at https://www.netwrix.com/how_to_detect_changes_to_organizational_units_and_groups_in_active_directory.html