Every single administrator and auditor I know is concerned about privileged groups in Active Directory being changed incorrectly. On the flip side, not one administrator has the time to manage group membership at this level. Almost every auditor wants to know when a privileged group member is added or removed, but they feel they can’t ask the administrators for this level of detail on an ongoing basis. So what can be done?

You can set up auditing of Active Directory so that all group membership changes are tracked. This is an okay solution, but it has many drawbacks:

  1. Group membership changes are tracked by domain controller.
  2. The log of group membership changes is stored on each domain controller separately.
  3. There is no way to track a subset of group membership changes, such as only those groups that have elevated privileges.
  4. The Event Viewer does not have a good search or parser to view only the groups that have elevated privileges.
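What working around these drawbacks by hand involves, as an added example (not from the original post and not ManageEngine code): a PowerShell script that queries each domain controller's Security log separately, merges the results, and filters them to a watch list after the fact. It assumes the Audit Security Group Management policy is enabled and the ActiveDirectory module is installed; the group names in `$PrivilegedGroups` and the seven-day window are assumptions to adjust.

```powershell
# Added example: collect group-membership change events from every DC and
# keep only those that touch a watch list of privileged groups.
# Needs the ActiveDirectory module (RSAT) and rights to read each DC's Security log.
Import-Module ActiveDirectory

# Assumption: watch list of privileged groups; adjust for your environment.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Security event IDs for member added/removed on security-enabled groups:
# 4728/4729 global, 4732/4733 local (domain local and Builtin), 4756/4757 universal.
$Added   = 4728, 4732, 4756
$Removed = 4729, 4733, 4757
$Since   = (Get-Date).AddDays(-7)   # assumption: one-week look-back

$changes = foreach ($dc in Get-ADDomainController -Filter *) {
    # Each DC only logs the changes that were made on it, so every DC is queried.
    $filter = @{ LogName = 'Security'; Id = $Added + $Removed; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Raised when the DC is unreachable and also when no events match.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named fields out of the event's XML payload.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # TargetUserName holds the group name; skip groups not on the watch list.
        if ($PrivilegedGroups -notcontains $data['TargetUserName']) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = if ($Added -contains $e.Id) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Merge the per-DC results into one chronological view.
$changes | Sort-Object Time | Format-Table -AutoSize
```

The result only reaches back as far as each domain controller's Security log retention allows, and nothing is stored centrally unless the output is saved somewhere.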

A better solution is to use ADAudit Plus by ManageEngine. This tool overcomes all the limitations of Windows auditing and Event Viewer while providing you with much more control and automation.

  1. Centralized storage of the changes to elevated privileged groups.
  2. A view of only the elevated privileged group modifications.
  3. The ability to add or remove what is considered to be a group with elevated privileges.
  4. The ability to filter a specific date range to view changes to elevated privileged groups.
  5. An option to send some alert (email, message, etc.) when a change occurs to one or more selected groups that have elevated privileges.
  6. The ability for an auditor to view and configure this information without the need to bother an administrator.

ADAudit Plus does all of these!

ADAudit Plus provides an easy-to-use interface to view a centralized list of all of the groups that your Active Directory enterprise has configured to have elevated privileges. First, you just need to configure that list for your environment, which is nothing more than adding your list of groups to the ADAudit profile:

Now that your list has been updated, you can generate a list of elevated privileged groups that have been modified, based on any date range you choose:

If you want an alert to be generated based on an elevated privilege group modification, you can easily set that up:

Because ADAudit Plus has an easy-to-use, HTML-based interface, even a non-privileged auditor can generate the alerts and reports required to track modifications to these groups. To set up your own reports and alerts on your privileged groups, download ADAudit Plus here.

 
