How to check who removed account from local administrators group

Users are often added to security-enabled admin groups to give them the elevated access to critical resources that they need. While managing many user accounts, admins can make the occasional mistake of removing a privileged user from such a group. That's why it's important to keep track of which users have been removed from an administrative group.

In this article you'll learn to use native AD tools to check whether a user has been removed from an administrator group. If you want a simpler way to do this, you can use a real-time auditing solution like ADAudit Plus, which offers an intuitive interface to track down specific events. The solution's pre-configured reports are easy to generate and help you reduce your incident response time.

With ADAudit Plus

How to use ADAudit Plus to check when a user was removed from a local admin group.

Note: ADAudit Plus relies on the audit policy configured in Step 1 of the With Native AD Auditing section below. Enable it first, then follow these steps to view the relevant events.

  • Navigate to the Server Audit Tab.

  • Choose the Local Account Management tab. You can then navigate to the pre-configured report named Recently Removed Members from Groups.

  • This gives you a report of the members who were removed from your AD groups.

  • Customize the Period to the desired time range. You can also define a custom period and save it for quick reference.

  • A detailed audit information report is generated for the selected period.

  • Clicking on an event in the bar graph filters the report view highlighting only the selected event.

  • Advanced filter options help you locate the specific event that you're looking for.

With Native AD Auditing

  • Step 1: Enable Group Policy Auditing
  • Launch the Server Manager and open the Group Policy Management Console (GPMC).

  • In the left pane, expand the Forest and Domains nodes to reveal the domain whose changes you want to track.

  • Expand the domain and right-click Default Domain Policy. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.

  • Click Edit on the desired group policy to open the Group Policy Management Editor.

  • Expand Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy --> Audit Policy --> Account Management --> Audit Security Group Management, and enable auditing for both success and failure.

  • Exit the Group Policy Management Editor.

  • In the GPMC, choose the modified GPO and click Add in the Security section of the right pane. Type Everyone in the text box and click Check Names to track the changes made by everyone who has logged into the domain. Exit the GPMC.

  • To enforce these changes throughout the domain, run gpupdate /force from Run.
  • Step 2: Allow AD Auditing through ADSI Edit
  • From Server Manager, go to Tools and select ADSI Edit.

  • Right-click the ADSI Edit node in the left pane and select Connect to. This opens the Connection Settings window.

  • Select the Default Naming Context option from the Select a well-known Naming Context drop down list.

  • Click OK and return to the ADSI Edit window. Expand Default Naming Context and select the associated DC subnode. Right-click this subnode and click Properties.

  • In the Properties window, go to the Security tab and select Advanced. Then select the Auditing tab and click Add.

  • Click Select a principal. This brings up the Select User, Computer or Group window. Type Everyone in the text box and verify it with Check Names.

  • The Principal in the Auditing Entry window now shows Everyone. In the Type drop-down select All to audit for both success and failure events.

  • In the Select drop-down choose This object and all descendant objects. Select Full Control in the Permissions section.

  • This selects all the available checkboxes. Unselect the following:

    1. Full Control
    2. List Contents
    3. Read all properties
    4. Read permissions
  • Step 3: Viewing Events in Event Viewer
  • You can view events in Event Viewer by filtering the Security log for the specific event ID.

    Event ID 4733 represents a user being removed from a security-enabled group.

    In the log view you'll see that Event 4733 is preceded by Event 4735, which indicates that a modification was made to a security-enabled group.

    You can find out whether the group is a local group or a domain group by checking whether the Group Domain is the same as the Computer Name. If the names match, the group is a local group.
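The Step 3 check done from PowerShell instead of the Event Viewer filter, as an added example that is not from the article or the ADAudit Plus product: it pulls 4733 events from the Security log, parses the documented EventData fields of that event, and applies the Group Domain versus computer name test. The seven-day default window and the `Administrators` default are assumptions; note that built-in local groups such as Administrators report their Group Domain as `Builtin`, so the script accepts that value as local too.

```powershell
# Added example, not part of the original article: list who removed which member
# from which group by reading Event ID 4733 from the Security log. Assumes the
# audit policy from Step 1 is in place and the caller can read the Security log.
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [datetime] $Since        = (Get-Date).AddDays(-7),    # assumed default window
    [string]   $GroupName    = 'Administrators'           # local admin group from the article
)

# Only go remote when a different machine was asked for
$target = @{}
if ($ComputerName -ne $env:COMPUTERNAME) { $target.ComputerName = $ComputerName }

$filter = @{ LogName = 'Security'; Id = 4733; StartTime = $Since }

Get-WinEvent @target -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Every field of a 4733 event is an EventData/Data element with a Name attribute
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Step 3's local-vs-domain check: a local group's Group Domain is the computer
        # name (NetBIOS form); built-in local groups report it as 'Builtin'.
        $hostShort = ($xml.Event.System.Computer -split '\.')[0]
        $isLocal   = $data.TargetDomainName -in @($hostShort, 'Builtin')

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $xml.Event.System.Computer
            Group       = $data.TargetUserName      # group the member was removed from
            GroupDomain = $data.TargetDomainName
            IsLocal     = $isLocal
            RemovedDN   = $data.MemberName          # '-' when only the SID could be logged
            RemovedSid  = $data.MemberSid
            RemovedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        }
    } |
    Where-Object { $_.Group -eq $GroupName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Drop the `Where-Object` stage to see removals from every group, including the preceding 4735 context if you add `4735` to the `Id` list.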

Does native auditing become a little too much?

Simplify local account management auditing and reporting with ADAudit Plus.

Active Directory Auditing just got easier!

ADAudit Plus comes bundled with more than 300 predefined reports that make AD auditing easier. The solution also sends real-time alerts for critical events, helping you secure your network from threats and boost your IT security posture.
