How to detect who added a user to the Domain Admins group

The Domain Admins group in Active Directory (AD) is used to assign administrative roles to users in the domain. By default, it's a member of the Administrators group and therefore carries a set of privileges associated with it.

Members of the Domain Admins group have unrestricted access to shared resources and AD objects. Because of the privilege it carries, the membership of the Domain Admins group, and every change to that membership, must be audited closely. This page describes the steps for auditing this group's activity.

Steps to enable auditing using the Group Policy Management Console (GPMC):

Perform the following actions on the domain controller (DC):

  1. Press Start, then search for and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here... If you have already created a Group Policy Object (GPO), go to step 4.
  3. Name the GPO.
  4. Right-click the GPO, and choose Edit.
  5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  6. In the right pane, you will see a list of policies under Audit Policy. Double-click Audit account management, and check the boxes next to Define these policy settings, Success, and Failure.
  7. Click Apply, then OK.
  8. Go back to the Group Policy Management Console, and in the left pane, right-click the OU to which the GPO was linked, and click Group Policy Update. This step makes sure the new Group Policy settings are applied immediately instead of waiting for the next scheduled refresh.

Once this policy is enabled, whenever a user is added to a security-enabled group, the corresponding event is written to the Security log of the DC that processed the change.
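After linking the GPO, it is worth confirming on the DC itself that the setting took effect rather than trusting the console. The following is an added example, not part of the original page or of ADAudit Plus: it forces a policy refresh and reads back the effective audit setting with auditpol. It assumes the CSV column layout produced by auditpol's /r switch (Subcategory and Inclusion Setting columns) and that the legacy Audit account management category covers the Security Group Management subcategory, which is where group membership changes are recorded.

```powershell
# Added example (not from the ADAudit Plus page). Run in an elevated
# PowerShell session on the domain controller after the GPO is linked.

function Test-GroupAuditPolicy {
    # Refresh computer policy now instead of waiting for the next interval.
    gpupdate /target:computer /force | Out-Null

    # auditpol /r emits CSV; drop blank lines before parsing.
    # Assumed columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $rows = auditpol /get /subcategory:"Security Group Management" /r |
            Where-Object { $_ -ne '' } |
            ConvertFrom-Csv

    $row = $rows | Where-Object { $_.Subcategory -eq 'Security Group Management' }

    [pscustomobject]@{
        Subcategory      = $row.Subcategory
        EffectiveSetting = $row.'Inclusion Setting'
        # Both Success and Failure should be on for this how-to's policy.
        Configured       = ($row.'Inclusion Setting' -like '*Success*') -and
                           ($row.'Inclusion Setting' -like '*Failure*')
    }
}

Test-GroupAuditPolicy
```

Caveat: if any GPO applied to the DC configures Advanced Audit Policy Configuration (Security Settings → Advanced Audit Policy Configuration), those subcategory settings override the legacy Audit account management category, and the value auditpol reports is the one that actually applies.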

Steps to view these events using Event Viewer

Once the above steps are complete, events will be stored in the event log. This can be viewed in the Event Viewer by following the steps below:

  1. Press Start, search for Event Viewer, and click to open it.
  2. In the left pane of the Event Viewer window, navigate to Windows Logs → Security.
  3. Here, you will find a list of all the security events that are logged on the system.
  4. In the right pane, under Security, click Filter Current Log.
  5. In the pop-up window, enter 4728 in the field labeled <All Event IDs>.
  6. Click OK. This will provide a list of occurrences of Event ID 4728, which is logged when a member is added to a security-enabled global group such as Domain Admins.
  7. Double-click the Event ID to view its properties (description). Look for Domain Admins under Group Name in the description.

The section labeled Subject shows who added the new user.
The section labeled Member shows the name and SID of the new user that was added to the group.

This method is tedious, since you have to open each event's description to find the ones that pertain to the Domain Admins group.
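The filtering can be done without opening each event by hand. The following is an added example, not code from the original page or from ADAudit Plus: it applies an XPath filter to the Security log so that only Event ID 4728 entries whose Group Name is Domain Admins are returned, then reads the Subject and Member fields out of each event's XML. The function name Get-DomainAdminsAdditions and its parameters are this example's own; it assumes the standard 4728 event data field names (TargetUserName for the group, SubjectUserName/SubjectDomainName for who made the change, MemberName/MemberSid for the account added).

```powershell
# Added example (not ADAudit Plus code). Event 4728 is written only on the
# DC that processed the change, so pass every DC name to cover the domain.
function Get-DomainAdminsAdditions {
    param(
        [string[]] $DomainController = @($env:COMPUTERNAME),  # assumption: run on a DC by default
        [string]   $GroupName = 'Domain Admins',
        [int]      $MaxEvents = 200
    )

    # XPath evaluated by the event log service: ID 4728 and the group name field.
    $xpath = "*[System[EventID=4728] and EventData[Data[@Name='TargetUserName']='$GroupName']]"

    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Flatten the <Data Name="..."> elements of EventData into a hashtable.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                Group            = $data['TargetUserName']
                # Subject: who performed the addition.
                AddedBy          = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                SubjectLogonId   = $data['SubjectLogonId']
                # Member: the account that was added (distinguished name and SID).
                MemberDN         = $data['MemberName']
                MemberSid        = $data['MemberSid']
            }
        }
    }
}

# Usage on the local DC:
Get-DomainAdminsAdditions | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Usage across all DCs (requires the ActiveDirectory module):
# Get-DomainAdminsAdditions -DomainController (Get-ADDomainController -Filter * |
#     Select-Object -ExpandProperty HostName) | Sort-Object TimeCreated -Descending
```

The SubjectLogonId value is included because it lets the addition be tied back to the logon session (Event ID 4624) of the account that made the change, which is the next thing an investigator usually wants once the "who" is known.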

ADAudit Plus, a streamlined AD auditing tool, enables admins to effortlessly audit security group membership changes and other group management information.

Detect who added a user to the Domain Admins group using ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Configure auditing on your domain controller.
  3. Open the console, and log in as an administrator.
  4. Navigate to Reports → Active Directory → Group management → Recently Added Members to Security Groups.
  5. Click the search icon.
  6. Enter Domain Admins in the field under GROUP NAME, and press Enter.

The report distinctly lists the matching AD events and shows who added the user to the Domain Admins group, along with details on when and where the change was made.

You can also configure alerts to receive notifications via SMS or email whenever a user account is added to a security-enabled group.

Advantages of using ADAudit Plus over native auditing:

  • Audit all changes made to AD (on-premises and Azure) objects, and monitor user activity across member servers and workstations in real time.
  • Keep track of user logon activity, and troubleshoot account lockouts faster with the Account Lockout Analyzer.
  • Detect insider threats accurately with a user behavior analytics (UBA)-driven approach to AD auditing, and receive alert notifications via SMS or email when suspicious activity is uncovered.