How to Detect Changes to Organizational Units and Groups in Active Directory

Accidental or malicious changes to Organizational Units (OUs) and groups in Active Directory almost inevitably lead to trouble for IT departments. Some of the most common examples:

  • if an OU containing user accounts is deleted, those users can no longer log on and lose access to IT services such as e-mail, instant messaging, SharePoint, etc.;
  • if an OU containing computer accounts is deleted, those computers lose their domain membership (the secure channel between machine and domain breaks) and the group policies linked to that OU are no longer applied to them;
  • if an OU containing printer objects is deleted, users can no longer find and use those printers, which increases pressure on the Help Desk.

To avoid these and many other negative consequences, it is necessary to monitor changes to Organizational Units and groups in Active Directory on a regular basis and respond promptly to the unwanted ones. Group membership changes deserve particular attention: adding an account to a privileged group such as Domain Admins is one of the most common ways an attacker turns a single compromised account into control of the whole domain.

Below are two ways to set up change tracking. Including one of them in your security strategy will keep you aware of unauthorized changes made to Active Directory Organizational Units and groups.

Native Auditing

1. Run GPMC.msc (url2open.com/gpmc) > right-click “Default Domain Policy” and choose “Edit” > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. Note that group-management and directory-service events are generated only on domain controllers, so the audit settings must actually win on the Domain Controllers OU: the Default Domain Controllers Policy (linked to that OU) overrides the Default Domain Policy where the two conflict, so it is safer to edit that policy, or a dedicated GPO linked to the Domain Controllers OU, instead.

  • Audit account management > Define > Success
  • Audit directory service access > Define > Success.

On Windows Server 2008 R2 and later, prefer the subcategories under Security Settings > Advanced Audit Policy Configuration: Account Management > Audit Security Group Management, and DS Access > Audit Directory Service Access and Audit Directory Service Changes (all Success). Once any advanced subcategory is defined, the legacy Audit Policy settings above are ignored on that computer.

2. Return to the Security Settings level > Event Log:

  • Maximum security log size > Define to 1048576 KB (1 GB)
  • Retention method for security log > Define to Overwrite events as needed.

With the object-level auditing configured in step 4, a domain controller's Security log fills quickly; if the log must serve as evidence, forward it to a central collector or SIEM rather than relying on the local copy alone.

3. Run the “gpupdate /force” command on the domain controllers, then confirm the effective policy with “auditpol /get /category:*” (the Account Management and DS Access subcategories should show Success).

4. Open ADSI Edit (url2open.com/adsi) > right-click ADSI Edit > Connect to Default naming context > right-click the domainDNS object with the name of your domain > Properties > Security (tab) > Advanced (button) > Auditing (tab) > Add > Principal “Everyone” > Type “Success” > Applies to “This object and all descendant objects” > Permissions > select every check box by clicking “Full Control”, then clear these four: Full Control, List Contents, Read all properties, Read permissions > click “OK”. Clearing the read permissions keeps ordinary directory lookups out of the log; what remains is every write, delete, move and permission change on every object in the domain, so expect a high volume of event 4662 and size the log accordingly.

5. Open Event Viewer and filter the Security log for the following event IDs (Windows Server 2003 IDs before the slash, Windows Server 2008 and later after it). Each group of six covers the six group types: security-enabled and security-disabled global, domain local and universal groups:

  • 631, 635, 648, 653, 658, 663 / 4727, 4731, 4744, 4749, 4754, 4759 – Group created
  • 632, 636, 650, 655, 660, 665 / 4728, 4732, 4746, 4751, 4756, 4761 – Member added to a group
  • 633, 637, 651, 656, 661, 666 / 4729, 4733, 4747, 4752, 4757, 4762 – Member removed from a group
  • 634, 638, 652, 657, 662, 667 / 4730, 4734, 4748, 4753, 4758, 4763 – Group deleted
  • 639, 641, 649, 654, 659, 664 / 4735, 4737, 4745, 4750, 4755, 4760 – Group changed
  • 566 / 4662 – An operation was performed on an object (Type: Directory Service Access).

Event 4662 records that an operation happened on an object but not what changed. To see OU creations, modifications, moves and deletions with the old and new attribute values, enable the Audit Directory Service Changes subcategory on Windows Server 2008 and later and filter for 5137 (object created), 5136 (object modified), 5139 (object moved) and 5141 (object deleted).
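The PowerShell script below is an added example, not part of the original article or of any Netwrix tool. It turns step 5 into a repeatable query: it pulls the Windows Server 2008+ group-management events listed above, plus 4662 and the 513x directory-change events, from a domain controller's Security log and reports who changed which group or object. It assumes the audit policy and SACL from steps 1–4 are already in effect, that it is run on a domain controller (or passed a DC name via -DomainController), and that the caller can read the Security log there (Event Log Readers or Domain Admins); the 2003-era 6xx IDs are not handled.

```powershell
<#
  Added example (not from the original article): report group and OU changes
  recorded on a domain controller during the last -Hours hours.
  Assumptions: Server 2008+ event IDs; audit policy and SACL already set;
  run on a DC or pass its name; caller may read the Security log.
#>
[CmdletBinding()]
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumption: running locally on a DC
    [int]$Hours = 24
)

# Meaning of each event ID from step 5 (2008+ column), plus the Directory
# Service Changes events that cover OU create/modify/move/delete.
$EventMeaning = @{}
foreach ($id in 4727,4731,4744,4749,4754,4759) { $EventMeaning[$id] = 'Group created' }
foreach ($id in 4728,4732,4746,4751,4756,4761) { $EventMeaning[$id] = 'Member added to group' }
foreach ($id in 4729,4733,4747,4752,4757,4762) { $EventMeaning[$id] = 'Member removed from group' }
foreach ($id in 4730,4734,4748,4753,4758,4763) { $EventMeaning[$id] = 'Group deleted' }
foreach ($id in 4735,4737,4745,4750,4755,4760) { $EventMeaning[$id] = 'Group changed' }
$EventMeaning[4662] = 'Operation performed on directory object'
$EventMeaning[5137] = 'Directory object created'
$EventMeaning[5136] = 'Directory object modified'
$EventMeaning[5139] = 'Directory object moved'
$EventMeaning[5141] = 'Directory object deleted'

$since  = (Get-Date).AddHours(-$Hours)
$events = @()

# Get-WinEvent turns the Id list into an XPath "or" chain, and the event log
# service rejects very long chains, so query the IDs in small batches.
$ids = [int[]]$EventMeaning.Keys
for ($i = 0; $i -lt $ids.Count; $i += 15) {
    $batch = $ids[$i..([Math]::Min($i + 14, $ids.Count - 1))]
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches
    $found = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $batch; StartTime = $since }
    if ($found) { $events += $found }
}

$report = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than
    # parsing the localized message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 47xx events name the group in TargetUserName and the member in MemberName;
    # 4662 names the object in ObjectName, 513x events in ObjectDN.
    $target = if ($data['TargetUserName']) { $data['TargetUserName'] }
              elseif ($data['ObjectDN'])   { $data['ObjectDN'] }
              else                         { $data['ObjectName'] }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Action = $EventMeaning[$e.Id]
        Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target = $target
        Member = $data['MemberName']
        Class  = $data['ObjectClass']
        DC     = $e.MachineName
    }
}

# Emit objects so the caller can pipe to Format-Table, Export-Csv or a SIEM forwarder.
$report | Sort-Object Time
```

Run it as `.\Get-AdGroupChanges.ps1 -DomainController DC01 -Hours 8 | Format-Table -AutoSize` (the file name is an assumption). Because each domain controller only logs the changes it processed itself, run the query against every DC, or collect the Security logs centrally, to get a complete picture; a scheduled task that runs this hourly and mails any rows whose Target is a privileged group (Domain Admins, Enterprise Admins, Schema Admins, Administrators) is a reasonable minimum alert.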

Netwrix Auditor for Active Directory

1. Run Netwrix Auditor > Managed Objects > Your.domain > click “Run” to gather logs (log gathering runs automatically on the configured schedule; clicking “Run” here lets you avoid waiting for the next scheduled data collection) > open the e-mail report received after log gathering.

Hopefully, this guide will help you detect unwanted changes, keep Active Directory, a critical part of the IT environment, secure, and take some of the burden off audits.