How To Detect Who Added A User To The Domain Admins Group
Steps to enable auditing using the Group Policy Management Console (GPMC):
Perform the following actions on the domain controller (DC):
1. Press Start, then search for and open the Group Policy Management Console, or run the command gpmc.msc.
2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here... If you have already created a Group Policy Object (GPO), go to step 4.
3. Name the GPO.
4. Right-click the GPO, and choose Edit.
5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
6. In the right pane, you will see a list of policies under Audit Policy. Double-click Audit account management, and check the boxes next to Define these policy settings, Success, and Failure.
7. Click Apply, then OK.
8. Go back to the Group Policy Management Console, and in the left pane, right-click the desired OU in which the GPO was linked, and click Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.
Once this policy is enabled, whenever a user is added to a security-enabled group, a corresponding event is logged in the DC's Security log.
Steps to view these events using Event Viewer
Once the above steps are complete, events will be stored in the event log. They can be viewed in Event Viewer by following the steps below:
- Press Start, search for Event Viewer, and click to open it.
- In the left pane of the Event Viewer window, navigate to Windows Logs → Security.
- Here, you will find a list of all the security events that are logged in the system.
- In the right pane, under Security, click Filter Current Log.
- In the pop-up window, enter 4728 in the field labeled <All Event IDs>.
- Click OK. This will provide a list of occurrences of Event ID 4728, which is logged when a new user is added to a security group.
- Double-click the Event ID to view its properties (description). Look for Domain Admins under Group Name in the description.
The section labeled Subject shows who added the new user. The section labeled Member shows the name and SID of the new user that was added to the group.
This method is tedious, since you have to open each event's description to find the ones that pertain to the Domain Admins group.
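The manual filtering described above can be scripted. The following PowerShell is an added example, not part of the original article or of any product it mentions; the function names are illustrative, and the sample record's account names and SIDs are constructed.

```powershell
# Added example, not from the original article. Function names are illustrative.
function ConvertFrom-GroupAddEvent {
    # Parse one Event ID 4728 record (as XML) into the fields the article
    # reads by hand: Subject (who made the change) and Member (who was added).
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            Time      = $x.Event.System.TimeCreated.SystemTime
            Group     = $d['TargetUserName']
            GroupSid  = $d['TargetSid']
            AddedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Member    = $d['MemberName']
            MemberSid = $d['MemberSid']
        }
    }
}

function Get-DomainAdminsAddition {
    # Run in an elevated session on the DC. Reads every 4728 event from the
    # Security log and keeps only those whose target group is Domain Admins.
    # The SID test (well-known RID 512) still matches if the group was renamed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-GroupAddEvent |
        Where-Object { $_.Group -eq 'Domain Admins' -or $_.GroupSid -like 'S-1-5-21-*-512' }
}

# Constructed sample record (made-up names and SIDs) to try the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2024-01-15T09:30:00.000Z" /></System>
  <EventData>
    <Data Name="MemberName">CN=Test User,CN=Users,DC=example,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-GroupAddEvent | Format-List

# On the DC: Get-DomainAdminsAddition | Sort-Object Time | Format-Table -AutoSize
```

The output's AddedBy column corresponds to the Subject section of the event, and Member and MemberSid correspond to the Member section.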
ADAudit Plus, a streamlined AD auditing tool, enables admins to effortlessly audit security group membership changes and other group management information.