Adding a user to the Domain Admins group grants that user full access rights to Active Directory and other IT systems that use Windows authentication. If an IT pro adds a user to admins without a valid reason, it may result in deletion of critical organizational units, domain controller shutdown, or a security breach. To promptly determine who added a user to the Domain Admins group and ensure system security, it’s vital to continuously perform user activity monitoring including tracking all changes made to this group.
This how-to will show you two ways of detecting users with excessive permissions in the Domain Admins group to ensure that your data is safe and only eligible users can access it.
Native Auditing Tool
- Configure Audit Policy Settings by running GPMC.msc -> Edit “Default Domain Policy” -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit account management -> Define -> Success.
- Configure object-level Active Directory auditing settings by opening ADSI Edit -> Connect to “Default naming context”-> Click “OK” -> Right-click DomainDNS object with the name of your domain -> Properties -> Security (Tab) -> Advanced (Button) -> Auditing (Tab) -> Add Principal “Everyone” -> Type “Success” -> Applies to “This object and Descendant objects” -> Permissions: -> Select all check boxes except the following: “Full Control”, “List Contents”, “Read all properties”, “Read permissions” -> Click “OK”.
- Enlarge security event log capacity by running GPMC.msc -> Edit “Default Domain Policy” -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Define:
a. Maximum security log size to 1gb
b. Retention method for security log to “Overwrite events as needed”
Run “gpupdate /force” command.
Run eventvwr.msc and filter security log for event id 4728 to detect when users are added to security-enabled global groups. The group name in our case is “Domain Admins”.
Netwrix Auditor for Active Directory
Netwrix Auditor for Active Directory can audit all changes made to Domain Admins group in Active Directory and it can quickly reverse unauthorized modifications by restoring Active Directory objects.
- Run Netwrix Auditor Administrative Console. Enable “Changes to Admin Group Membership” alert in Netwrix Auditor ? domain.name ? Active Directory ? Real-Time Alerts folder.
All changes to Domain Admins Group will be sent to your e-mail automatically right after they happen.