
How to Audit Active Directory Group Membership Changes

Active Directory group memberships define who can access sensitive data and core infrastructure. Even a single addition to a high-privilege group such as “Domain Admins” can grant control over the entire environment. That's why it is essential to capture every membership change and keep tight control over privileges. This guide shows you how to monitor membership changes in Active Directory groups and ensure that only the right people retain access to critical resources.

Audit Group Membership Changes in Active Directory Using Event Viewer

Active Directory Permission Required
  • Event Log Readers (least privilege)
  • Administrators (most privilege)
  • Open Server Manager and navigate to Tools»Event Viewer on your domain controller.
  • In the left pane, expand Windows Logs and select Security.
  • In the Actions pane, click Filter Current Log, and enter the following event IDs to track changes across all security and distribution groups.

    4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762

  • Click OK to list all events related to group membership changes.
  • Double-click any entry to open the Event Properties dialog box and examine the details of the change.
  • The Event Properties dialog box provides details such as the group where the change occurred, the member who was added or removed, the account that performed the action, and more.

View Membership Changes in Active Directory Groups Using PowerShell

Active Directory Permission Required
  • Event Log Readers (least privilege)
  • Administrators (most privilege)
  • While Event Viewer lets you track group membership changes, it’s manual and time-consuming. PowerShell offers a faster, more scalable way to view group membership changes across multiple domain controllers.
  • Run the following cmdlet by replacing <FilePath> with the output file path to retrieve all Active Directory group membership changes.
  • This execution exports Active Directory group membership changes to a CSV file that shows the event time, event ID, distinguished name, target group, and the action performed (added or removed).
    $DCs = Get-ADDomainController -Filter *
    $EventIDs = 4728,4729,4732,4733,4746,4747,4751,4752,4756,4757,4761,4762
    $Results = foreach ($DC in $DCs) {
        Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; ID=$EventIDs} -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData order for all of these IDs: [0] MemberName (DN), [1] MemberSid,
            # [2] TargetUserName (the group), [3] TargetDomainName, ..., [6] SubjectUserName
            $MemberSid  = $_.Properties[1].Value
            $MemberName = "$MemberSid"
            try {
                # Resolve the member SID to DOMAIN\account; deleted accounts no longer
                # resolve, so the raw SID is kept in that case
                $MemberName = ([System.Security.Principal.SecurityIdentifier]$MemberSid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [PSCustomObject]@{
                TimeCreated       = $_.TimeCreated
                DomainController  = $DC.HostName
                EventID           = $_.Id
                GroupName         = $_.Properties[2].Value
                Member            = $MemberName
                DistinguishedName = $_.Properties[0].Value
                PerformedBy       = $_.Properties[6].Value
                Action            = if ($_.Id -in 4728,4732,4756,4746,4751,4761) {'Added'} else {'Removed'}
            }
        }
    }
    $Results | Export-Csv -Path "<FilePath>" -NoTypeInformation

Stay Ahead of Insider Threats by Auditing Group Membership Changes in Active Directory!

AdminDroid’s Active Directory auditing tool gives you complete visibility into every group membership change with just a few clicks. It uncovers group membership activity across security and distribution groups so that no critical modification goes unnoticed. Here are some of the unique features of AdminDroid for efficiently managing Active Directory group membership changes.

Stay Ahead by Monitoring Membership Changes in Privileged Active Directory Groups

Utilize AdminDroid’s membership changes in privileged groups alert policy template to get notified instantly whenever a membership shift happens in critical groups such as Enterprise Admins, Domain Admins, etc.

Manage Groups Without Members to Prevent Accidental Permission Assignments

Detect empty groups in Active Directory, verify the purpose, and either remove them or add relevant members to the group to avoid confusion and accidental access.

Find Groups Without Managers in Active Directory to Ensure Accountability

Identify unmanaged groups in Active Directory and assign responsible managers to ensure all membership changes are monitored and accountable.

Detect Users Without Group Memberships to Prevent Access Gaps

Track users not in any Active Directory group, check their role needs, and place them in the right groups to give proper access without extra permissions.

Analyze Nested Group Membership to Reveal Hidden Group Dependencies

Audit nested group memberships regularly to detect any changes in users inheriting high-level access from parent groups and ensure no one has unintended privileges.

Monitor Active Directory Group Membership Dashboard to Prevent Privilege Risks

Get a complete view of Active Directory group membership details in a centralized place to quickly spot changes, find hidden access, and maintain proper privileges.

In conclusion, the AdminDroid Active Directory management tool simplifies group oversight with rich dashboards and automated reports. From monitoring memberships to tracking ownership and lifecycle, it delivers complete visibility for admins. Overall, it helps you create and manage groups and maintain full control over your Active Directory environment as a comprehensive management tool.


Important tips

Allow only designated admins to modify security group memberships to prevent accidental or unauthorized access to sensitive Active Directory domain resources.

Enforce Privileged Access Management to grant time-bound membership in privileged groups and prevent unauthorized access from stale privileges.

Create management accounts in Active Directory to manage protected group memberships without granting excessive rights or permissions.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when auditing group membership changes in Active Directory.

Error: Enable-ADOptionalFeature : Insufficient access rights to perform the operation.

This error occurs when you try to enable Privileged Access Management (PAM) in a child domain.

Fix: PAM is supported only in the forest root domain, so run the command below on a domain controller of the root domain using an administrator account.
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target "<DomainName>"

Error: An object (User, Group, or Built-in security principal) with the following name cannot be found: "Executives".

This error occurs when you select a user or group as the principal of an auditing entry during advanced auditing configuration, but the object cannot be located.

Fix: Double-check that the user or group actually exists, and then verify that its name is spelled correctly in the Auditing Entry dialog box.

Error: Enable-ADOptionalFeature : The specified method is not supported.

This error occurs when you try to enable Privileged Access Management in an Active Directory forest or domain with a functional level below Windows Server 2016.

Fix: Verify the forest and domain functional levels, raise them to Windows Server 2016 or higher using the following cmdlets, and then enable PAM.
#Verify forest and domain functional level
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

#Raise forest and domain functional level to 2016
Set-ADForestMode -Identity "<DomainName>" -ForestMode Windows2016Forest
Set-ADDomainMode -Identity "<DomainName>" -DomainMode Windows2016Domain

Error: Set-ADDomainMode : The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner.

This error occurs when you attempt to raise the domain functional level, but the FSMO role owner’s directory partition has not successfully replicated to all domain controllers.

Fix: Use the following command to check whether all domain controllers are replicating properly. If any issues are found, force replication with the second command, and then retry raising the domain functional level.
#Check replication
repadmin /replsummary

#Force replication
repadmin /syncall /AeD

Error: Disable-ADOptionalFeature : The specified method is not supported.

This error occurs when you try to disable the PAM feature in Active Directory.

Fix: PAM is a one-way feature. Once it’s enabled, you can’t turn it off again. The only way to remove it is to rebuild the forest without enabling PAM.

Error: A global group cannot have a local group as a member.

This error occurs when you try to add a domain local group as a member of a global group in Active Directory.

Fix: Active Directory only lets a global group be a member of another global group. If you need to nest a domain local group, first convert the global group to a universal group, and then add the domain local group as a member.

Frequently Asked Questions

Track Group Membership Changes to Prevent Security Breaches in Active Directory

1. What are different event logs available to track Active Directory group membership changes?

In Active Directory, groups are classified as Security or Distribution and can have one of three scopes: Global, Domain Local, or Universal. Tracking membership changes for a specific group across all these types and scopes becomes complex.

To make this easier, Active Directory provides dedicated group membership change event IDs for each type and scope. For instance, to monitor membership changes in the Administrators group, you can concentrate on the domain-local security group events instead of being overwhelmed by all group membership changes.

Windows Security log event IDs for auditing Active Directory group membership changes


2. How to configure advanced auditing policy in Active Directory groups?

When account management is enabled in the basic audit policy, Active Directory logs all events related to users, computers, and groups. This consumes valuable Security log space and generates a lot of log noise, making it difficult to focus on group membership changes.

Advanced Audit Policy Configuration addresses this by allowing you to log only group changes. This lets you capture the events you care about while reducing irrelevant data, minimizing log noise, and saving Security log space.

Enable advanced auditing policy in Active Directory

  • In Server Manager, go to Tools»Group Policy Management.
  • Right-click the domain, and select Create a GPO in this domain, and Link it here
  • Provide a descriptive name and click OK to create the GPO.
  • Then right-click the new GPO and select Edit to configure its settings.
  • In the GPO Editor, go to Computer Configuration»Policies»Windows Settings»Security Settings»Advanced Audit Policy Configuration»Audit Policies.
  • Expand Account Management, then double-click Audit Distribution Group Management.
    • Select Configure the following audit events check box.
    • Select both Success and Failure, then click Apply and OK.
  • Repeat the previous step for Audit Security Group Management.
  • After saving changes, press Windows+R, run 'gpupdate /force', and allow the policy to refresh across domain controllers.
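To confirm that the GPO above actually took effect on every domain controller, the following added example (not from the original article) queries each DC with auditpol for the two subcategories enabled here. It assumes the ActiveDirectory module, PowerShell remoting to the DCs and an elevated session; the function name is my own.

```powershell
# Added example: report domain controllers where Security/Distribution Group Management
# auditing is not set to "Success and Failure". Requires an elevated session on each DC.
function Test-GroupManagementAuditing {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)

    # The two Advanced Audit Policy subcategories configured in the GPO steps above
    $Subcategories = 'Security Group Management', 'Distribution Group Management'

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Subcategories)
        foreach ($Sub in $Subcategories) {
            # auditpol /r prints CSV; the "Inclusion Setting" column holds the effective
            # value: "Success and Failure", "Success", "Failure" or "No Auditing".
            $Row = auditpol /get /subcategory:"$Sub" /r |
                   Where-Object { $_ -match '\S' } |   # drop blank lines before parsing
                   ConvertFrom-Csv | Select-Object -First 1
            [PSCustomObject]@{
                DomainController = $env:COMPUTERNAME
                Subcategory      = $Sub
                Setting          = $Row.'Inclusion Setting'
                Compliant        = ($Row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    } -ArgumentList (,$Subcategories) |
    Select-Object DomainController, Subcategory, Setting, Compliant
}

# List only the DCs/subcategories that still need attention after gpupdate has run
Test-GroupManagementAuditing | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A DC that reports "No Auditing" after the policy refresh usually has a higher-precedence GPO overriding the setting, which is the misconfiguration the limitations section below warns about.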

Configure object level auditing on Active Directory groups

With Advanced Audit Policy, you can capture group membership changes efficiently. You can take this further by using a SACL (System Access Control List) in Active Directory. It adds precision by tracking specific actions by a particular user on an object. This allows you to monitor group membership changes in a group without logging unrelated group updates, giving you precise and focused auditing. Follow the steps below to configure a SACL for auditing group membership changes by a specific user or group.

  • Right-click the specific group whose membership you want to audit in ADUC, and go to Properties»Security»Advanced»Auditing
  • Click Add, then click Select a Principal in the Principal field.
  • Enter the name of the user or group whose actions you want to track, and click OK.
  • Click the Type dropdown and choose All, Success, or Failure.
  • Select This object and all descendant objects in the Applies to dropdown.
  • Under Properties, select Write Members and Write-msDS-MemberTransitive to log membership changes in the Security event log.
  • Click OK, then Apply, and select OK again to save your changes.

Note: If the Security tab doesn’t appear in the Properties dialog box, go to the View menu, and enable Advanced Features.

object-level-group-membership-auditing
select-principals-and-properties-in-aduc

3. What is time-based group membership in Active Directory?

IT support often needs Domain Admin rights for urgent fixes, but manually remembering to revoke access afterward is risky. This is where time-based group membership becomes crucial. It allows admins to grant temporary access to groups that automatically expire after the specified time. This ensures the users retain privileges only as long as required.

Prerequisites for time-based group membership in Active Directory

Forest Functional Level: Must be set to Windows Server 2016 or higher.

Privileged Access Management (PAM): Needs to be enabled at the Active Directory forest root domain.

Administrative privileges: Only members of the Enterprise Admins or Administrators group can enable PAM.

Enable time-based membership in Active Directory groups

  • Enable the Privileged Access Management feature in Active Directory by running the following cmdlet. Replace <DomainName> with your actual domain name.
    Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target "<DomainName>"
  • To add a user to a group with a configurable TTL, use the cmdlet below. Replace <GroupName> with the group name, <Members> with the user(s) to add, and <Minutes> with the duration in minutes for which the membership should last.
    Add-ADGroupMember -Identity "<GroupName>" -Members "<Members>" -MemberTimeToLive (New-TimeSpan -Minutes <Minutes>)
  • You can use the following cmdlet to check group members and see how much time remains on their temporary membership (TTL).
    Get-ADGroup "<GroupName>" -Property member -ShowMemberTimeToLive

Time-based group memberships are automatically revoked when the specified duration ends. In the meantime, you can manually remove members from the Active Directory groups at any time before expiration.

Note: When setting the Time To Live (TTL), you can specify the membership duration in minutes, hours, or days, depending on your requirements.

4. What are the limitations of native Active Directory group membership auditing?

Accurate tracking of group membership changes is critical to maintain security and compliance, but native Active Directory auditing falls short in several key areas. These gaps turn routine auditing into a complex, time-consuming, and error-prone task, especially in large or multi-domain environments.

Understanding the following limitations helps admins design stronger monitoring strategies and close potential security gaps.

  • Lengthy Setup Process: Admins must configure multiple GPOs to enable group membership auditing, which is complex and time-consuming. A single misconfiguration in policies may leave critical groups unmonitored, which increases security risk.
  • No Real-Time Alerts: Native auditing does not provide immediate notifications when users are added or removed from groups. Unauthorized access or privilege escalation may remain unnoticed until admins manually review security event logs.
  • High Volume of Logs: Detailed auditing produces thousands of events per day. Admins may find it difficult to pinpoint who added or removed users from sensitive groups, especially during compliance audits or security investigations.
  • Cross-Domain Challenges: In multi-domain forests, gathering logs from each domain controller individually can slow down auditing and increase the chance of errors.
  • Limited Historical Data Retention: If the event logs are not archived properly, they can be overwritten and admins may lose records of past group membership changes. This makes it harder to audit who had access, hinders incident investigations, and makes it difficult to detect security breaches.
  • Inconsistent Time Zones and Formats: Security events recorded on Domain Controllers in different regions may have varying local timestamps. While you can adjust timestamps in reports, discrepancies across DCs can make it challenging to generate a precise timeline of group membership changes.
  • Manual Data Correlation: Raw event logs often require PowerShell scripts or manual parsing to extract meaningful insights. Even reviewing membership changes in the Domain Admins group over a week can take hours and remain prone to human error.
  • Limited Filtering Options: Native auditing offers minimal filtering, which makes it difficult to track specific membership change events without generating excessive logs. This increases noise and makes it harder to identify critical changes.
  • Event ID Complexity: Each group type and scope has a unique event ID for group membership changes, which can be hard for admins to remember when tracking changes.

While native auditing provides some insight, its limitations often prevent full clarity when tracking group membership changes. AdminDroid addresses these gaps by offering ready-to-use reports, real-time alerts, and long-term data retention, all through a simple and intuitive interface.

Skip complex audit setups and track Active Directory group changes seamlessly with AdminDroid!

  • The group membership report gives clear insights into access management while avoiding challenges like high log volumes, Event ID complexity, limited filtering options, etc.
  • With AdminDroid, you can receive instant alerts or Teams notifications whenever membership changes match your criteria.

5. How to audit privileged groups membership changes in Active Directory with PowerShell?

Privileged AD groups like Domain Admins, Enterprise Admins, etc., are the power players in your Active Directory domain. A single unauthorized addition can create significant security gaps and open the door to misuse. That’s why it’s essential to keep a constant watch on privileged group membership changes to maintain a secure and compliant environment.

Run the below script to generate a report of users added/removed from the list of privileged groups in Active Directory. Replace <PrivilegedGroups> with a comma-separated list of the privileged group names you want to track.

$EventIDs = 4728,4729,4732,4733,4756,4757
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = $EventIDs
} -ErrorAction SilentlyContinue
$Parsed = $Events | ForEach-Object {
    $Details = ([xml]$_.ToXml()).Event
    # 4728/4732/4756 are additions to global/domain-local/universal security groups;
    # 4729/4733/4757 are the matching removals
    $Action = switch ($Details.System.EventID) {
        4728 {"Added"}
        4732 {"Added"}
        4756 {"Added"}
        4729 {"Removed"}
        4733 {"Removed"}
        4757 {"Removed"}
    }
    # EventData order: [0] MemberName (DN), [2] TargetUserName (group), [6] SubjectUserName
    [PSCustomObject]@{
        TimeStamp   = (Get-Date $Details.System.TimeCreated.SystemTime -Format "yyyy-MM-dd HH:mm:ss")
        ChangedUser = $Details.EventData.Data[0]."#text"
        GroupName   = $Details.EventData.Data[2]."#text"
        ChangedBy   = $Details.EventData.Data[6]."#text"
        Action      = $Action
    }
}
# e.g. @('Domain Admins','Enterprise Admins'); use straight quotes only
$PrivGroups = @('<PrivilegedGroups>')
$PrivChanges = $Parsed | Where-Object { $_.GroupName -in $PrivGroups }
$PrivChanges | Format-Table -AutoSize
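As an added example that is not part of the original article, the script below combines the per-type and per-scope event-ID catalog from question 1 with the privileged-group report above: it lets the domain controller filter on group name and event ID through an XPath query, instead of pulling every group-change event and parsing it client-side. The function and variable names are my own; it assumes read access to the Security log on the target DC.

```powershell
# Added example: event-ID catalog (group type, scope, action) plus a server-side filtered
# query for membership changes in privileged groups.
$GroupChangeEvents = @{
    4728 = @{Type='Security';     Scope='Global';      Action='Added'  }
    4729 = @{Type='Security';     Scope='Global';      Action='Removed'}
    4732 = @{Type='Security';     Scope='DomainLocal'; Action='Added'  }
    4733 = @{Type='Security';     Scope='DomainLocal'; Action='Removed'}
    4756 = @{Type='Security';     Scope='Universal';   Action='Added'  }
    4757 = @{Type='Security';     Scope='Universal';   Action='Removed'}
    4746 = @{Type='Distribution'; Scope='DomainLocal'; Action='Added'  }
    4747 = @{Type='Distribution'; Scope='DomainLocal'; Action='Removed'}
    4751 = @{Type='Distribution'; Scope='Global';      Action='Added'  }
    4752 = @{Type='Distribution'; Scope='Global';      Action='Removed'}
    4761 = @{Type='Distribution'; Scope='Universal';   Action='Added'  }
    4762 = @{Type='Distribution'; Scope='Universal';   Action='Removed'}
}

function Get-PrivilegedGroupChange {
    param(
        # Administrators is a domain-local group, so it surfaces as 4732/4733, not 4728/4729
        [string[]]$GroupName    = @('Domain Admins','Enterprise Admins','Schema Admins','Administrators'),
        [string[]]$Type         = @('Security'),
        [string]  $ComputerName = $env:COMPUTERNAME,
        [int]     $Hours        = 24
    )
    # Only the event IDs that belong to the requested group type(s), whatever their scope
    $Ids = $GroupChangeEvents.Keys | Where-Object { $GroupChangeEvents[$_].Type -in $Type } | Sort-Object

    # XPath evaluated by the event log service on the DC. Keep the lists short: the
    # event-log XPath subset limits how many terms a single filter may contain.
    $IdClause    = ($Ids       | ForEach-Object { "EventID=$_" }) -join ' or '
    $GroupClause = ($GroupName | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $Ms          = $Hours * 3600 * 1000
    $XPath = "*[System[($IdClause) and TimeCreated[timediff(@SystemTime) <= $Ms]] and EventData[$GroupClause]]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Info = $GroupChangeEvents[[int]$_.Id]
        # EventData order: [0] MemberName, [2] TargetUserName, [6] SubjectUserName, [7] SubjectDomainName
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            EventID     = $_.Id
            GroupType   = $Info.Type
            GroupScope  = $Info.Scope
            Action      = $Info.Action
            GroupName   = $_.Properties[2].Value
            Member      = $_.Properties[0].Value
            PerformedBy = "$($_.Properties[7].Value)\$($_.Properties[6].Value)"
        }
    }
}

# Last week of privileged security-group changes on the local DC
Get-PrivilegedGroupChange -Hours 168 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Passing -Type Security,Distribution widens the query to all twelve IDs listed earlier, and a scheduled task running this on each DC is a low-cost stand-in for the real-time alerting that native auditing lacks.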

Stay ahead of privilege escalation by tracking privilege group changes in real time with AdminDroid!

  • Use privileged group membership changes report to instantly gain insights into each group such as, Domain Admins, Enterprise Admins, and more. Track modifications including, added/removed time, group name, modified members, performed by, group scope, etc.
  • Schedule this report weekly to automate auditing of all membership changes in high-risk groups and ensure to stay compliant without manual effort.

6. How to update Active Directory group membership without logging off?

Active Directory group membership changes take effect only when the object’s access token is refreshed. This means the user must log off and log on, or the computer must restart, which can disrupt ongoing sessions or tasks. To avoid interruptions, you can manually refresh Kerberos tickets without disconnecting the session. This approach ensures users and computers receive updated access promptly without requiring a reboot.

Refresh Active Directory user group membership without logging off

Run these steps on the machine where the user is logged in to update membership immediately without restarting.

  • Run the command below to clear the current Kerberos ticket cache and remove outdated group membership information.
    klist purge
  • Access any domain resource to automatically obtain a new ticket. Then run the command below to verify that the new ticket shows the updated group memberships.
    klist tgt

Refresh AD computer group membership without restarting

  • Run the command below to clear the computer’s current Kerberos ticket cache (logon ID 0x3e7 is the local SYSTEM session).
    klist -li 0x3e7 purge
  • Refresh the computer’s group memberships via Group Policy using the command below.
    gpupdate /force
  • Run the following command to confirm that the computer’s group memberships have been refreshed.
    klist -li 0x3e7 tgt

Handy Tips:

  • Run whoami /groups before and after ticket refresh to confirm updated memberships.
  • Restart Windows Explorer from Task Manager if changes don’t appear.
  • Use runas to launch apps with the updated group memberships.
