

How to Monitor Active Directory Group Membership Changes

Security management best practices recommend controlling access permissions by assigning users to Active Directory groups rather than granting rights to individual accounts. That, in turn, requires the ongoing task of verifying that group membership stays correct: an unnoticed addition to a privileged group is one of the most common ways access creeps beyond what was intended. One option is to use the PowerShell script below to audit group membership changes regularly, either by running it manually or by scheduling it with a Windows scheduled task. Two caveats before relying on it: the domain controllers must be auditing the Security Group Management subcategory (Advanced Audit Policy → Account Management) or events 4728 and 4729 are never written, and those two IDs cover security-enabled global groups only; domain local groups log 4732/4733 and universal groups log 4756/4757.

1. Open the PowerShell ISE on a machine that has the ActiveDirectory module (RSAT) installed → Run the following script, adjusting the timeframe. Note that Get-EventLog exists only in Windows PowerShell (5.1 and earlier); it was removed from PowerShell 6 and later:

# Get domain controllers list
$DCs = Get-ADDomainController -Filter *

# Define timeframe for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)

# Collect group membership change events from the Security log of every DC:
#   4728 = member added to a security-enabled global group
#   4729 = member removed from a security-enabled global group
# Events are appended to one array; assigning $events inside the loop would keep
# only the last DC's events. @() keeps the array intact when a DC returns nothing.
$events = @()
foreach ($DC in $DCs) {
    $events += @(Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate |
        Where-Object { $_.EventID -eq 4728 -or $_.EventID -eq 4729 })
}

# Loop through each stored event; print all changes to security global group members with when, who, what details.
# ReplacementStrings positions for 4728/4729: [0] DN of the member, [2] group name, [6] account that made the change.
foreach ($e in $events) {
    # Member added to group
    if ($e.EventID -eq 4728) {
        Write-Host "Group: $($e.ReplacementStrings[2])`tAction: Member added`tWhen: $($e.TimeGenerated)`tWho: $($e.ReplacementStrings[6])`tAccount added: $($e.ReplacementStrings[0])"
    }
    # Member removed from group
    if ($e.EventID -eq 4729) {
        Write-Host "Group: $($e.ReplacementStrings[2])`tAction: Member removed`tWhen: $($e.TimeGenerated)`tWho: $($e.ReplacementStrings[6])`tAccount removed: $($e.ReplacementStrings[0])"
    }
}

2. Review the results:

https://img.netwrix.com/howtos/native_group_m.png
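The script above depends on positional ReplacementStrings and on Get-EventLog, and it only sees global groups. The following is an added example, not part of the original Netwrix article, that does the same job with Get-WinEvent, covers all three security-group scopes, reads event fields by name from the event XML, and emits objects that can be sorted, filtered or exported. The function names (ConvertFrom-GroupChangeEvent, Get-ADGroupMembershipChange), the sample event and the scheduled-task lines are my own assumptions; it assumes the ActiveDirectory RSAT module, a caller allowed to read the DCs' Security logs (for example a member of Event Log Readers), and Security Group Management auditing enabled on the DCs.

```powershell
# Added example (not from the original article): monitor AD security-group
# membership changes via Get-WinEvent, reading event fields by name.
# Assumptions: ActiveDirectory RSAT module present, caller may read the DCs'
# Security logs, and "Audit Security Group Management" is enabled on the DCs.

# Event IDs for membership changes of security-enabled groups, by scope
$GroupChangeEvents = @{
    4728 = @{ Action = 'Added';   Scope = 'Global' }
    4729 = @{ Action = 'Removed'; Scope = 'Global' }
    4732 = @{ Action = 'Added';   Scope = 'Local' }
    4733 = @{ Action = 'Removed'; Scope = 'Local' }
    4756 = @{ Action = 'Added';   Scope = 'Universal' }
    4757 = @{ Action = 'Removed'; Scope = 'Universal' }
}

function ConvertFrom-GroupChangeEvent {
    # Turn one Security event (as XML text, e.g. from EventLogRecord.ToXml()) into a
    # flat object. <Data Name="..."> elements are read by name, so the result does not
    # depend on field order the way ReplacementStrings[n] does.
    param([Parameter(Mandatory)][string]$EventXml)

    $x    = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $id   = [int]$x.Event.System.EventID
    $meta = $GroupChangeEvents[$id]
    if (-not $meta) { return }   # not a group-membership event; ignore

    [pscustomobject]@{
        When      = [datetime]$x.Event.System.TimeCreated.SystemTime
        DC        = $x.Event.System.Computer
        EventID   = $id
        Action    = $meta.Action
        Scope     = $meta.Scope
        Group     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Member    = $data['MemberName']      # DN of the account added or removed
        MemberSid = $data['MemberSid']
        Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

function Get-ADGroupMembershipChange {
    # Pull matching events from every DC and merge them into one stream of objects.
    param([int]$Days = 1)
    $start = (Get-Date).AddDays(-$Days)
    $ids   = [int[]]$GroupChangeEvents.Keys
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $start } |
            ForEach-Object { ConvertFrom-GroupChangeEvent -EventXml $_.ToXml() }
    }
}

# Constructed sample 4728 event (not captured from a real system) so the parser can
# be exercised offline; field names follow the Microsoft-Windows-Security-Auditing schema.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2024-03-01T09:15:22.000Z" />
    <Channel>Security</Channel>
    <Computer>DC01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">admin.bob</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-GroupChangeEvent -EventXml $SampleEvent | Format-List

# Live run against the domain: last day, all DCs, written to CSV for review or SIEM ingestion
# Get-ADGroupMembershipChange -Days 1 | Sort-Object When |
#     Export-Csv -Path "$env:TEMP\ad-group-changes.csv" -NoTypeInformation

# To run it daily from Task Scheduler (hypothetical path; save this file there first):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Get-ADGroupChanges.ps1'
# $trigger = New-ScheduledTaskTrigger -Daily -At 6am
# Register-ScheduledTask -TaskName 'AD Group Change Report' -Action $action -Trigger $trigger
```

Before trusting an empty report, confirm auditing is actually on with `auditpol /get /subcategory:"Security Group Management"` on each DC; Get-WinEvent returning nothing is indistinguishable from a DC that never logged the change. Because the function emits objects rather than Write-Host text, a privileged-group filter such as `Where-Object Group -match 'Domain Admins|Enterprise Admins'` can be added to the pipeline for alerting.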

Originally posted: https://www.netwrix.com/how_to_monitor_ad_group_membership_changes.html