Builtin Administrators group membership auditing
Greetings,
Could you please tell me which event ID in the Security event log shows who changed the membership of the AD Builtin Administrators group?
Thanks.
Redouane Sarra
I wanted to add to this because I wanted to add a screenshot and more info since 2008. Starting with Windows 2008, Microsoft added advanced audit categories. It is a bit easier to work with in 2008 R2 because they are exposed in the GPO GUI.
GP MVP Darren wrote a great blog post on 1/20/2014 on auditing that is worth reading: http://sdmsoftware.com/group-policy-blog/group-policy-change-auditing-group-policy-blog/understanding-group-policy-change-auditing/
In case you used advanced auditing, you can still use the old audit account management too.
Once I did that, I added a user account to the Builtin Administrators group, and the security event in the Security event log on the DC is below.
You can use tools such as EventComb and Log Parser from Microsoft to go through the events. There are a lot of third-party tools that can help.
Thanks
Mike
http://adisfun.blogspot.com
follow @mekline
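One way to pull these events with PowerShell, as an added example that is not part of the original thread. It assumes event IDs 4732 and 4733 (member added to or removed from a security-enabled local group) and the well-known SID S-1-5-32-544 for BUILTIN\Administrators; neither value appears in the posts above, and the parameter names are illustrative.

```powershell
# Added example (not from the thread): report who changed membership of
# BUILTIN\Administrators, read from a domain controller's Security log.
# Assumptions: event IDs 4732 (member added) / 4733 (member removed) and
# the well-known SID S-1-5-32-544; Security Group Management auditing is on.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to query (illustrative)
    [int]$Days = 7                              # look-back window
)

$adminsSid = 'S-1-5-32-544'
$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # The same event IDs fire for every local group; keep only Administrators.
        if ($data['TargetSid'] -ne $adminsSid) { return }

        # MemberName is "-" when only the SID was recorded.
        $member = $data['MemberName']
        if (-not $member -or $member -eq '-') { $member = $data['MemberSid'] }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            DC        = $evt.MachineName
            Action    = if ($evt.Id -eq 4732) { 'Added' } else { 'Removed' }
            Member    = $member
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId   = $data['SubjectLogonId']
        }
    } | Sort-Object Time
```

The event is written only on the domain controller that processed the change, so run this against each DC or against a collector that receives forwarded Security events.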